
Infected with Vosteran (possibly more).


12 replies to this topic

#1 herodian
  • Members
  • 6 posts

Posted 17 January 2015 - 11:23 AM

It sounds more like an STD, but I need help removing this malware. I ran Malwarebytes and restarted my PC but had no luck. I have attached the requested logs.


#2 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 17 January 2015 - 11:42 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I have given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 herodian
  • Topic Starter
  • Members
  • 6 posts

Posted 17 January 2015 - 12:25 PM

Thanks Murphy!

Here are the logs:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-01-2015 01
Ran by Hero (administrator) on TOOL on 17-01-2015 10:18:03
Running from C:\Users\Hero\Downloads
Loaded Profiles: Hero & UpdatusUser (Available profiles: Hero & UpdatusUser)
Platform: Windows 7 Enterprise Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Flux Software LLC) C:\Users\Hero\AppData\Local\FluxSoftware\Flux\flux.exe
() C:\Program Files\Rainmeter\Rainmeter.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [336992 2012-12-09] (Power Software Ltd)
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [448856 2014-11-17] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968 2014-01-09] ()
HKU\S-1-5-21-2720818818-648013889-2292625018-1000\...\Run: [f.lux] => C:\Users\Hero\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-2720818818-648013889-2292625018-1000\...\Run: [BitTorrent] => C:\Users\Hero\AppData\Roaming\BitTorrent\BitTorrent.exe [1381208 2014-12-15] (BitTorrent Inc.)
HKU\S-1-5-21-2720818818-648013889-2292625018-1000\...\RunOnce: [Application Restart #3] => C:\Users\Hero\AppData\Local\Pokki\Engine\pokki.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-p (the data entry has 538 more characters).
HKU\S-1-5-21-2720818818-648013889-2292625018-1000\...\MountPoints2: D - D:\Autorun.exe
AppInit_DLLs-x32: C:/PROGRA~3/{7EF79~1/171~1.0/dofe.dll => C:/PROGRA~3/{7EF79~1/171~1.0/dofe.dll [649216 2015-01-16] ()
Startup: C:\Users\Hero\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe ()
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = http://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_dnldstr_14_29_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0SzytBzytN1L2XzutBtFtBtCtFtCyEtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAyEtDyEtB0Bzy0CtG0D0E0FtBtG0FtDyD0BtGyByEtDyCtGtAtCtBzytAyCzy0AzzyDzy0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByDtCtDyC0A0E0FtGtD0F0E0BtGyEzztDzztGtByEyCzztGtAzz0DyCyEtDtA0DtD0EyB0E2Q&cr=1901440421&ir=
SearchScopes: HKU\S-1-5-21-2720818818-648013889-2292625018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
SearchScopes: HKU\S-1-5-21-2720818818-648013889-2292625018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
SearchScopes: HKU\S-1-5-21-2720818818-648013889-2292625018-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = http://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_dnldstr_14_29_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0SzytBzytN1L2XzutBtFtBtCtFtCyEtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAyEtDyEtB0Bzy0CtG0D0E0FtBtG0FtDyD0BtGyByEtDyCtGtAtCtBzytAyCzy0AzzyDzy0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByDtCtDyC0A0E0FtGtD0F0E0BtGyEzztDzztGtByEyCzztGtAzz0DyCyEtDtA0DtD0EyB0E2Q&cr=1901440421&ir=
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Winsock: Catalog9 01 C:\Windows\SysWOW64\plsapp.dll [354592] (Sendori)
Winsock: Catalog9 02 C:\Windows\SysWOW64\plsapp.dll [354592] (Sendori)
Winsock: Catalog9 03 C:\Windows\SysWOW64\plsapp.dll [354592] (Sendori)
Winsock: Catalog9 04 C:\Windows\SysWOW64\plsapp.dll [354592] (Sendori)
Winsock: Catalog9 15 C:\Windows\SysWOW64\plsapp.dll [354592] (Sendori)
Winsock: Catalog9-x64 01 C:\Windows\system32\plsapp64.dll [439296] (Sendori)
Winsock: Catalog9-x64 02 C:\Windows\system32\plsapp64.dll [439296] (Sendori)
Winsock: Catalog9-x64 03 C:\Windows\system32\plsapp64.dll [439296] (Sendori)
Winsock: Catalog9-x64 04 C:\Windows\system32\plsapp64.dll [439296] (Sendori)
Winsock: Catalog9-x64 15 C:\Windows\system32\plsapp64.dll [439296] (Sendori)
Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50

FireFox:
========
FF ProfilePath: C:\Users\Hero\AppData\Roaming\Mozilla\Firefox\Profiles\mtauohz4.default
FF SelectedSearchEngine: Vosteran
FF Homepage: hxxp://vosteran.com/?f=1&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
FF NewTab: about:newtab
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Hero\AppData\Roaming\Mozilla\Firefox\Profiles\mtauohz4.default\searchplugins\Vosteran.xml
FF StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR Profile: C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-23]
CHR Extension: (Google Drive) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-23]
CHR Extension: (Cirque du Soleil) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\bambdhnebihakocbdlomklpnieneajmo [2014-03-26]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-22]
CHR Extension: (YouTube) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-23]
CHR Extension: (Adblock Plus) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-03-25]
CHR Extension: (Google Search) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-23]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2014-03-25]
CHR Extension: (Google Wallet) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-23]
CHR Extension: (Gmail) - C:\Users\Hero\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-23]
CHR StartMenuInternet: Google Chrome - chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2015-01-13] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 671c50b0; "C:\Windows\system32\rundll32.exe" "c:\progra~3\browse~1\BrowserSystemEnahncerSvc.dll",service

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-17] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 RTCore64; C:\Program Files (x86)\EVGA Precision X\RTCore64.sys [15176 2013-04-05] ()
S3 WinRing0_1_2_0; C:\Users\Hero\Desktop\RealTemp\WinRing0x64.sys [14544 2014-05-15] (OpenLibSys.org)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-17 10:18 - 2015-01-17 10:21 - 00015238 _____ () C:\Users\Hero\Downloads\FRST.txt
2015-01-17 10:17 - 2015-01-17 10:18 - 00000000 ____D () C:\FRST
2015-01-17 10:17 - 2015-01-17 10:16 - 02125824 _____ (Farbar) C:\Users\Hero\Desktop\FRST64.exe
2015-01-17 10:16 - 2015-01-17 10:16 - 02125824 _____ (Farbar) C:\Users\Hero\Downloads\FRST64.exe
2015-01-17 09:21 - 2015-01-17 09:22 - 00016583 _____ () C:\Users\Hero\Desktop\dds.txt
2015-01-17 09:21 - 2015-01-17 09:21 - 00688992 ____R (Swearware) C:\Users\Hero\Downloads\dds.com
2015-01-17 09:21 - 2015-01-17 09:21 - 00009531 _____ () C:\Users\Hero\Desktop\attach.txt
2015-01-17 09:11 - 2015-01-17 09:11 - 02186752 _____ () C:\Users\Hero\Downloads\adwcleaner_4.108.exe
2015-01-17 09:10 - 2015-01-16 23:10 - 00002183 _____ () C:\Users\Hero\Desktop\Google Chrome.lnk
2015-01-16 23:13 - 2015-01-16 23:13 - 00064008 _____ () C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2015-01-16 23:10 - 2015-01-16 23:10 - 00003450 _____ () C:\Windows\System32\Tasks\ProPCCleaner_Popup
2015-01-16 23:10 - 2015-01-16 23:10 - 00003186 _____ () C:\Windows\System32\Tasks\ProPCCleaner_Start
2015-01-16 23:10 - 2015-01-16 23:10 - 00000000 ____D () C:\Users\Hero\Documents\ProPCCleaner
2015-01-16 23:10 - 2015-01-16 23:10 - 00000000 ____D () C:\Users\Hero\AppData\Local\Rainmaker_Software_Group_
2015-01-16 23:10 - 2015-01-16 23:10 - 00000000 ____D () C:\ProgramData\{7EF79634-2E75-47B2-9FF3-37304F71E4BE}
2015-01-16 23:09 - 2015-01-16 23:11 - 00000000 ____D () C:\ProgramData\Unchecky
2015-01-16 23:09 - 2015-01-16 23:09 - 00769552 _____ ( ) C:\Users\Hero\Downloads\directshow_setup(1).exe
2015-01-16 23:09 - 2015-01-16 23:09 - 00261632 _____ () C:\Users\Hero\Downloads\directshow_setup.msi
2015-01-16 23:09 - 2015-01-16 23:09 - 00000000 ____D () C:\Users\Hero\AppData\Roaming\Rainmaker Software Group LLC.
2015-01-16 23:08 - 2015-01-16 23:08 - 00236344 _____ () C:\Users\Hero\Downloads\directshow_setup.exe
2015-01-14 03:35 - 2015-01-17 10:14 - 00263790 _____ () C:\Windows\PFRO.log
2015-01-14 03:35 - 2015-01-17 10:14 - 00001064 _____ () C:\Windows\setupact.log
2015-01-14 03:35 - 2015-01-14 03:35 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-13 12:26 - 2014-12-18 20:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 12:26 - 2014-12-18 18:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 12:26 - 2014-12-11 22:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 12:26 - 2014-12-11 22:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-13 12:26 - 2014-12-11 22:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-13 12:26 - 2014-12-11 22:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-13 12:26 - 2014-12-11 22:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 12:26 - 2014-12-11 22:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 12:26 - 2014-12-11 22:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 12:26 - 2014-12-11 10:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 12:26 - 2014-12-05 21:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 12:26 - 2014-12-05 20:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 12:26 - 2014-12-05 20:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-12 23:00 - 2015-01-16 11:17 - 00281032 _____ () C:\Windows\SysWOW64\PnkBstrB.xtr
2015-01-12 23:00 - 2015-01-12 23:00 - 00000000 ____D () C:\Users\Hero\AppData\Local\PunkBuster
2015-01-12 22:57 - 2015-01-12 22:57 - 00000000 ____D () C:\Users\Hero\AppData\Local\CrashRpt
2015-01-12 22:51 - 2015-01-12 22:51 - 00000362 _____ () C:\Windows\DirectX.log
2015-01-12 22:51 - 2015-01-12 22:51 - 00000000 ____D () C:\Program Files (x86)\Microsoft Chart Controls
2015-01-12 22:50 - 2015-01-16 11:17 - 00281032 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2015-01-12 22:50 - 2015-01-15 22:42 - 00281032 _____ () C:\Windows\SysWOW64\PnkBstrB.ex0
2015-01-12 22:50 - 2015-01-13 15:50 - 00076888 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2015-01-12 21:55 - 2015-01-12 21:55 - 00000221 _____ () C:\Users\Hero\Desktop\Rising StormRed Orchestra 2 Multiplayer.url
2015-01-11 19:45 - 2015-01-11 19:45 - 00000000 ____D () C:\Users\Hero\AppData\Local\DDMSettings
2015-01-11 19:32 - 2015-01-11 19:32 - 00000000 ____D () C:\Users\Hero\AppData\Roaming\DivX
2015-01-11 19:32 - 2015-01-11 19:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DivX
2015-01-11 19:32 - 2015-01-11 19:32 - 00000000 ____D () C:\Program Files\DivX
2015-01-11 19:30 - 2015-01-11 19:32 - 00000000 ____D () C:\Program Files (x86)\DivX
2015-01-11 19:29 - 2015-01-11 19:44 - 00000000 ____D () C:\ProgramData\DivX
2015-01-11 19:28 - 2015-01-11 19:28 - 01012544 _____ (DivX, LLC) C:\Users\Hero\Downloads\DivXInstaller.exe
2014-12-27 14:39 - 2014-12-27 14:39 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2014-12-27 14:35 - 2014-12-27 14:35 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\2A5F3B1E.sys
2014-12-24 18:11 - 2014-12-24 18:15 - 00000000 ____D () C:\Users\Hero\AppData\Roaming\My The Lord of the Rings, The Rise of the Witch-king Files
2014-12-24 14:16 - 2014-12-24 14:16 - 00002486 _____ () C:\Users\Public\Desktop\The Lord of the Rings, The Rise of the Witch-king.lnk
2014-12-24 13:53 - 2014-12-24 13:53 - 00002345 _____ () C:\Users\Public\Desktop\The Battle for Middle-earth ™ II.lnk
2014-12-24 13:52 - 2014-12-24 14:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts
2014-12-24 13:46 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\Electronic Arts
2014-12-24 13:44 - 2014-12-24 13:44 - 00056534 _____ () C:\Users\Hero\Downloads\_-demonoid.pw-_Lord_of_the_Rings_Battle_for_Middle_Earth_2_RELOADED_crack.TORRENT

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-17 10:17 - 2014-03-23 19:30 - 01113629 _____ () C:\Windows\WindowsUpdate.log
2015-01-17 10:15 - 2014-05-20 12:05 - 00000000 ____D () C:\Users\Hero\AppData\Roaming\BitTorrent
2015-01-17 10:14 - 2014-08-10 00:34 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-17 10:14 - 2014-03-23 20:44 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-17 10:14 - 2014-03-23 20:26 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-17 10:14 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-17 09:24 - 2009-07-13 21:45 - 00021968 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-17 09:24 - 2009-07-13 21:45 - 00021968 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-17 09:05 - 2014-03-23 20:27 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-16 23:22 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\IME
2015-01-16 23:14 - 2014-11-13 11:51 - 00000000 __SHD () C:\AI_RecycleBin
2015-01-16 23:10 - 2014-12-15 16:57 - 00064008 _____ () C:\Windows\system32\GDIPFONTCACHEV1.DAT
2015-01-16 23:10 - 2014-11-21 09:20 - 00001147 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-16 23:10 - 2014-03-23 20:31 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-16 11:17 - 2014-04-01 08:13 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-14 03:15 - 2014-03-23 20:49 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 03:03 - 2014-03-23 20:49 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-12 22:53 - 2014-04-01 19:24 - 00000000 ____D () C:\Users\Hero\Documents\My Games
2015-01-12 22:53 - 2014-03-24 04:08 - 00000000 ____D () C:\Users\Hero\AppData\Roaming\NVIDIA
2015-01-12 21:55 - 2014-04-01 10:08 - 00000000 ____D () C:\Users\Hero\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-01-12 21:54 - 2014-11-15 22:58 - 00000000 ____D () C:\ProgramData\Origin
2015-01-11 19:32 - 2014-12-16 17:11 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-06 15:22 - 2014-07-10 13:52 - 00001131 _____ () C:\Users\Public\Desktop\BetOnline Poker 8.2.lnk
2014-12-31 04:14 - 2010-11-20 20:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-27 14:34 - 2014-11-21 09:20 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======
2014-07-17 09:23 - 2014-07-17 09:23 - 0000045 _____ () C:\Users\Hero\AppData\Roaming\WB.CFG
2008-02-05 13:28 - 2008-02-05 13:28 - 0000051 ____H () C:\Users\Hero\AppData\Local\setup.txt

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 01:11

==================== End Of Log ============================


Edited by RPMcMurphy, 17 January 2015 - 05:05 PM.


#4 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 17 January 2015 - 05:13 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
SearchScopes: HKU\S-1-5-21-2720818818-648013889-2292625018-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
SearchScopes: HKU\S-1-5-21-2720818818-648013889-2292625018-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
FF SelectedSearchEngine: Vosteran
FF Homepage: hxxp://vosteran.com/?f=1&a=vst_ir_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CzztDyB0B0B0B0A0AtDtN0D0Tzu0StCtCtCtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtAyCyDyEtB0FyEtGzz0EyDtDtGyByEtD0DtG0C0F0DyDtGyCyBzztB0ByEyBtByE0CyCtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyB0EtByDyD0F0CtGtAzzzzzztGyEyC0EyDtG0A0DzztCtGtB0AyD0CtA0CyByEyDyDtA0A2Q&cr=147652103&ir=
FF SearchPlugin: C:\Users\Hero\AppData\Roaming\Mozilla\Firefox\Profiles\mtauohz4.default\searchplugins\Vosteran.xml
HKU\S-1-5-21-2720818818-648013889-2292625018-1000\...\RunOnce: [Application Restart #3] => C:\Users\Hero\AppData\Local\Pokki\Engine\pokki.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-p (the data entry has 538 more characters).
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S2 671c50b0; "C:\Windows\system32\rundll32.exe" "c:\progra~3\browse~1\BrowserSystemEnahncerSvc.dll",service
c:\progra~3\browse~1\BrowserSystemEnahncerSvc.dll
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

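The fixlist above was built by reading the FRST log by eye and pulling out the lines that do not belong: search scopes pointing at vosteran.com and rocket-find.com, an AppInit_DLLs entry under ProgramData, a RunOnce entry that starts an embedded browser engine with --disable-web-security, and a service with a hex-looking name hosted by rundll32 out of c:\progra~3. The script below is an added example, not code from this thread or from Farbar's tool; it applies those same checks (plus a look at third-party Winsock LSP entries, which the log shows but the fixlist did not touch) to a handful of constructed FRST-style lines modelled on the log in this thread. The allowlist of search hosts and the list of expected LSP vendors are assumptions made for the example, and the user SID and URLs in the sample are shortened.

```python
import re
from urllib.parse import urlparse

# Constructed sample: FRST-style lines modelled on the log posted in this
# thread. URLs are shortened (the long "cd=" tracking blob is dropped) and
# the user SID is abbreviated; nothing here is read from a live machine.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKU\S-1-5-21-1000\...\RunOnce: [Application Restart #3] => C:\Users\Hero\AppData\Local\Pokki\Engine\pokki.exe  --disable-internal-flash --noerrdialogs --disable-web-security
AppInit_DLLs-x32: C:/PROGRA~3/{7EF79~1/171~1.0/dofe.dll => C:/PROGRA~3/{7EF79~1/171~1.0/dofe.dll [649216 2015-01-16] ()
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_03_ch
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = http://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_dnldstr_14_29_ch
SearchScopes: HKLM -> {EXAMPLE-GUID} URL = http://www.bing.com/search?q={searchTerms}
Winsock: Catalog9 01 C:\Windows\SysWOW64\plsapp.dll [354592] (Sendori)
Winsock: Catalog9-x64 01 C:\Windows\system32\plsapp64.dll [439296] (Sendori)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S2 671c50b0; "C:\Windows\system32\rundll32.exe" "c:\progra~3\browse~1\BrowserSystemEnahncerSvc.dll",service
"""

# Search engines a user would plausibly have configured on purpose.
# Assumption for this example; a real triage compares against a baseline.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}

# Vendors whose Winsock LSP entries are expected on a clean Windows 7 box.
# Assumption for this example: anything else layered into the catalog gets a look.
EXPECTED_LSP_VENDORS = {"Microsoft Corporation"}

APPINIT_RE = re.compile(r"^AppInit_DLLs\S*: (\S+)")
SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .*URL = (\S+)")
WINSOCK_RE = re.compile(r"^Winsock: Catalog9(?:-x64)? \d+ (.+?) \[\d+\] \((.*)\)$")
SERVICE_RE = re.compile(r"^[RS]\d (\S+); (.*)$")
RUN_RE = re.compile(r"^HK\S*\\\.\.\.\\Run(?:Once)?: \[([^\]]+)\] => (.*)$")


def triage(log_text):
    """Return a list of findings ({'rule', 'detail', 'line'}) for the
    FRST-style lines in log_text. Only the persistence and hijack points
    visible in this thread are modelled."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # a legitimate entry is rare enough that it is always worth a flag.
            findings.append({"rule": "appinit_dll", "detail": m.group(1), "line": line})
            continue
        m = SEARCHSCOPE_RE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if host not in ALLOWED_SEARCH_HOSTS:
                findings.append({"rule": "search_hijack", "detail": host, "line": line})
            continue
        m = WINSOCK_RE.match(line)
        if m:
            _path, vendor = m.groups()
            if vendor not in EXPECTED_LSP_VENDORS:
                findings.append({"rule": "winsock_lsp", "detail": vendor, "line": line})
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, cmd = m.groups()
            lowered = cmd.lower()
            # A service hosted by rundll32 out of ProgramData (progra~3 is its
            # 8.3 short name) is the shape of the 671c50b0 entry in the log.
            if "rundll32" in lowered and ("progra~3" in lowered or "programdata" in lowered):
                findings.append({"rule": "rundll32_service", "detail": name, "line": line})
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.groups()
            # An embedded browser engine started with its web-security checks
            # switched off is a red flag whoever installed it.
            if "--disable-web-security" in cmd:
                findings.append({"rule": "browser_security_flags", "detail": name, "line": line})
            continue
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'search_hijack': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


def candidate_fixlist(findings):
    """The flagged log lines, verbatim and de-duplicated, for a human to
    review. FRST fixlists are made of the log's own lines, but which ones
    go in stays a responder's decision, not this script's."""
    seen, lines = set(), []
    for f in findings:
        if f["line"] not in seen:
            seen.add(f["line"])
            lines.append(f["line"])
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(summarize(found))
    for f in found:
        print(f"[{f['rule']}] {f['detail']}")
```

Run against the sample it reports two search hijacks (vosteran.com, rocket-find.com), one AppInit_DLLs entry, two Sendori LSP entries, the rundll32-hosted 671c50b0 service and the Pokki RunOnce entry, while the Microsoft Security Client lines and the Bing search scope pass. The findings keep the original log line verbatim because that is the form a fixlist takes; the script stops at producing a review list, since the call on what to remove is the responder's.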


#5 herodian
  • Topic Starter
  • Members
  • 6 posts

Posted 17 January 2015 - 05:52 PM

Thanks, here is the fixlog:

Attached Files



#6 RPMcMurphy (Malware Response Team)

Posted 18 January 2015 - 10:17 AM

Please do this next:

Download Combofix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log




#7 herodian (Topic Starter, Members)

Posted 21 January 2015 - 01:37 PM

Combofix log:

Attached Files

  • Attached File  log.txt   19.75KB   3 downloads


#8 RPMcMurphy (Malware Response Team)

Posted 22 January 2015 - 07:07 PM

Please do this next:

Open Malwarebytes AntiMalware (MBAM)

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

Please include the following in your next post:
  • MBAM log
  • adwCleaner log




#9 herodian (Topic Starter, Members)

Posted 23 January 2015 - 12:27 AM

Malware bytes and adwcleaner:

Attached Files



#10 RPMcMurphy (Malware Response Team)

Posted 23 January 2015 - 10:20 AM

How is your computer running now?  Please do this next:

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • adwCleaner log
  • ESET log




#11 herodian (Topic Starter, Members)

Posted 24 January 2015 - 04:25 PM

It has been running well! Thank you so much for getting me here. Here are the requested logs:

Attached Files



#12 RPMcMurphy (Malware Response Team)

Posted 24 January 2015 - 07:51 PM

All of those ESET detections are related to various freeware apps that you have installed.  They get flagged as potentially unwanted or dangerous because they are ad driven, or come bundled with toolbars or other undesirable software. I’ll leave it up to you whether or not you wish to remove them.  All I have left for you is some important housekeeping:

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Download OTC to your desktop and run it
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
  • Manually delete any remaining logs or tools from our fixes

Double click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked if you are sure you want to uninstall.
  • AdwCleaner.exe, its folder and all logs will be removed.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!




#13 RPMcMurphy (Malware Response Team)

Posted 04 February 2015 - 05:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
