totally infected and baffled w/what to do


6 replies to this topic

#1 CCSunflower

Posted 20 January 2015 - 11:34 PM

Windows 8

ran Farbar (DDS wouldn't run)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by andre_000 (administrator) on POLICESCAN on 20-01-2015 21:24:09
Running from C:\Users\andre_000\Downloads
Loaded Profiles: andre_000 (Available profiles: A & andre_000)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Launch Manager\LMSvc.exe
(Soluto) C:\Program Files\Soluto\SolutoLauncherService.exe
(Soluto) C:\Program Files\Soluto\SolutoService.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(AMD) C:\Windows\System32\atieclxx.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Soluto) C:\Program Files\Soluto\Soluto.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Quick Access\QASvc.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Quick Access\RMSvc.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Quick Access\QAEvent.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Quick Access\QAMsg.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Quick Access\QuickAccess.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Launch Manager\LMEvent.exe
(Acer Incorporate) C:\Program Files\Gateway\Gateway Launch Manager\LMTray.exe
(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\csisyncclient.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_257.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_257.exe
(AVAST Software) C:\Users\andre_000\Downloads\aswMBR.exe
(ESET) C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation                                    ) C:\Users\andre_000\Downloads\mbam-setup-techspot-2.0.4.1028.exe
() C:\Users\andre_000\AppData\Local\Temp\is-OCNOR.tmp\mbam-setup-techspot-2.0.4.1028.tmp
(Malwarebytes Corporation                                    ) C:\Users\andre_000\Downloads\mbam-setup-techspot-2.0.4.1028.exe
() C:\Users\andre_000\AppData\Local\Temp\is-743DT.tmp\mbam-setup-techspot-2.0.4.1028.tmp
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
(Microsoft Corporation) C:\Windows\System32\OptionalFeatures.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Farbar) C:\Users\andre_000\Downloads\FRST64 (1).exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2890056 2013-09-05] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13647576 2013-08-27] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-09-07] ( (Qualcomm®Atheros®))
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\...\Run: [AcerCloud] => "C:\Program Files (x86)\Acer\Acer Portal\acpanel_win.exe" startup
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4272840 2014-03-31] (Microsoft Corporation)
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\...\Run: [Amazon Music] => C:\Users\andre_000\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-11-18] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-695059093-3351157946-1085184340-1004\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ask.com/?tpid=ORJ-SPE&o=APN11405&pf=V7&trgb=IE&p2=%5EBBD%5EOSJ000%5EYY%5EUS&gct=hp&apn_ptnrs=BBD&apn_dtid=%5EOSJ000%5EYY%5EUS&apn_dbr=ie_11.0.9600.17416&apn_uid=0EB59576-FDAF-4460-AD24-67DD3F41693B&itbv=12.21.0.114&doi=2014-12-27&psv=&pt=tb
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com/?pc=AGJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-695059093-3351157946-1085184340-1004 -> DefaultScope {89687BC4-CE0C-485C-A2D9-403629D59297} URL =
SearchScopes: HKU\S-1-5-21-695059093-3351157946-1085184340-1004 -> {89687BC4-CE0C-485C-A2D9-403629D59297} URL =
SearchScopes: HKU\S-1-5-21-695059093-3351157946-1085184340-1004 -> {B23AAE83-67AD-4344-B49E-AC4FC1B22025} URL = http://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11405&pf=V7&p2=^BBD^OSJ000^YY^US&gct=&itbv=12.21.0.114&apn_uid=0EB59576-FDAF-4460-AD24-67DD3F41693B&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17416&doi=2014-12-27&trgb=IE&q={searchTerms}&psv=&pt=tb
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\andre_000\AppData\Roaming\Mozilla\Firefox\Profiles\ksiihfcm.default-1414276503640
FF DefaultSearchEngine: Google
FF Homepage: www.candacecameronbure.net
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Extension: Firebug - C:\Users\andre_000\AppData\Roaming\Mozilla\Firefox\Profiles\ksiihfcm.default-1414276503640\Extensions\firebug@software.joehewitt.com.xpi [2014-12-20]
FF Extension: Idderall - C:\Users\andre_000\AppData\Roaming\Mozilla\Firefox\Profiles\ksiihfcm.default-1414276503640\Extensions\jid1-u6nQDbYs4ZJDAy@jetpack.xpi [2014-12-07]
FF Extension: Pinterest Pin Button - C:\Users\andre_000\AppData\Roaming\Mozilla\Firefox\Profiles\ksiihfcm.default-1414276503640\Extensions\{677a8f98-fd64-40b0-a883-b8c95d0cbf17}.xpi [2014-12-20]
FF HKU\S-1-5-21-695059093-3351157946-1085184340-1004\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]

Chrome:
=======
CHR HomePage: Default -> hxxp://google.com/
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3279418&SearchSource=48&CUI=UN27957667411415352&UM=2"
CHR Profile: C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-28]
CHR Extension: (Google Docs) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-28]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (Add to Amazon Wish List) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced [2014-12-28]
CHR Extension: (Google Webspam Report (by Google)) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\efinmbicabejjhjafeidhfbojhnfiepj [2014-12-28]
CHR Extension: (Google Calendar) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2015-01-07]
CHR Extension: (Google Sheets) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-28]
CHR Extension: (AdBlock) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-12-28]
CHR Extension: (Save to Google Drive) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbmikajjgmnabiglmofipeabaddhgne [2014-12-28]
CHR Extension: (PageSpeed Insights (by Google)) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\gplegfbjlmmehdoakndmohflojccocli [2014-12-28]
CHR Extension: (Spell checker and Grammar checker by Ginger) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdfieneakcjfaiglcfcgkidlkmlijjnh [2014-12-28]
CHR Extension: (Shareaholic for Pinterest) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfjkehmceppcpjoaoegdmffmkdhiegmc [2014-12-28]
CHR Extension: (Google Wallet) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-07]
CHR Extension: (MonitorTab) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ognampngfcbddbfemdapefohjiobgbdl [2014-12-28]
CHR Extension: (RSS Feed Reader) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnjaodmkngahhkoihejjehlcdlnohgmp [2014-12-28]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [312448 2013-09-07] (Windows ® Win 7 DDK provider)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [178160 2014-08-28] (Coupons.com Inc.)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [101192 2013-09-05] (ELAN Microelectronics Corp.)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-17] (WildTangent)
R2 LMSvc; C:\Program Files\Gateway\Gateway Launch Manager\LMSvc.exe [457768 2013-08-02] (Acer Incorporate)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R3 QASvc; C:\Program Files\Gateway\Gateway Quick Access\QASvc.exe [457768 2013-08-02] (Acer Incorporate)
R3 RMSvc; C:\Program Files\Gateway\Gateway Quick Access\RMSvc.exe [448040 2013-08-02] (Acer Incorporate)
R2 SolutoLauncherService; C:\Program Files\Soluto\SolutoLauncherService.exe [222168 2013-01-29] (Soluto)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [219360 2013-04-18] (AppEx Networks Corporation)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-23] (Advanced Micro Devices)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-09-07] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-12-05] ()
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-20] (Malwarebytes Corporation)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
R3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
U3 aswMBR; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 21:23 - 2015-01-20 21:23 - 02126848 _____ (Farbar) C:\Users\andre_000\Downloads\FRST64 (1).exe
2015-01-20 20:38 - 2015-01-20 20:39 - 00688992 _____ (Swearware) C:\Users\andre_000\Downloads\dds.com
2015-01-20 15:18 - 2015-01-20 15:18 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-20 15:17 - 2015-01-20 15:17 - 00001121 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-20 15:17 - 2015-01-20 15:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-20 15:17 - 2015-01-20 15:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-20 15:17 - 2014-11-21 06:57 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-20 15:17 - 2014-11-21 06:57 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-20 15:17 - 2014-11-21 06:57 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-20 15:15 - 2015-01-20 15:16 - 20446448 _____ (Malwarebytes Corporation ) C:\Users\andre_000\Downloads\mbam-setup-techspot-2.0.4.1028.exe
2015-01-19 23:47 - 2015-01-19 23:47 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-01-19 23:46 - 2015-01-19 23:46 - 02347384 _____ (ESET) C:\Users\andre_000\Downloads\esetsmartinstaller_enu.exe
2015-01-19 23:31 - 2015-01-19 23:32 - 05198336 _____ (AVAST Software) C:\Users\andre_000\Downloads\aswMBR.exe
2015-01-19 23:29 - 2015-01-19 23:29 - 04187592 _____ (Kaspersky Lab ZAO) C:\Users\andre_000\Downloads\tdsskiller(2).exe
2015-01-19 23:27 - 2015-01-19 23:27 - 01416088 _____ (Kaspersky Lab ZAO) C:\Users\andre_000\Downloads\rakhnidecryptor.exe
2015-01-19 23:23 - 2015-01-19 23:23 - 00291960 _____ () C:\Users\andre_000\Downloads\tdsskiller exe bleeping computer_10924_i18228076_il345.exe
2015-01-19 21:29 - 2015-01-19 21:29 - 00602112 _____ (OldTimer Tools) C:\Users\andre_000\Downloads\OTL(2).exe
2015-01-15 16:28 - 2015-01-15 16:28 - 00000661 _____ () C:\Users\andre_000\Desktop\renew icons.lnk
2015-01-14 19:51 - 2015-01-14 19:52 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-14 19:19 - 2015-01-14 19:27 - 00000000 ____D () C:\Users\andre_000\Desktop\New folder (2)
2015-01-13 23:07 - 2014-04-15 17:34 - 00029888 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2015-01-13 23:06 - 2014-04-15 17:35 - 00028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2015-01-13 22:34 - 2014-12-19 00:26 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 22:34 - 2014-12-11 20:04 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 22:34 - 2014-12-11 18:51 - 00075776 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ahcache.sys
2015-01-13 22:34 - 2014-12-08 19:50 - 00225280 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00535640 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00531616 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00448792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00413248 _____ (Microsoft Corporation) C:\Windows\system32\Faultrep.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00372408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00108944 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-01-13 22:34 - 2014-12-08 13:42 - 00038264 _____ (Microsoft Corporation) C:\Windows\system32\WerFaultSecure.exe
2015-01-13 22:34 - 2014-12-08 13:42 - 00033584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFaultSecure.exe
2015-01-13 22:34 - 2014-12-05 21:17 - 00360448 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-13 22:34 - 2014-12-05 19:41 - 00391680 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 22:34 - 2014-12-05 19:35 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll
2015-01-13 22:21 - 2015-01-13 22:21 - 01276148 _____ () C:\Users\andre_000\Desktop\What Would It take.pptx
2015-01-13 22:20 - 2015-01-13 22:20 - 00003182 _____ () C:\Windows\System32\Tasks\{9CC10B5A-FEEF-4997-B772-6B39FCD6AEF2}
2015-01-11 09:07 - 2015-01-16 13:15 - 00000000 ____D () C:\Users\andre_000\Desktop\New folder
2015-01-06 16:40 - 2015-01-06 16:40 - 00000000 ____D () C:\Windows\softwaredistribution.bak15
2015-01-05 20:43 - 2015-01-05 20:43 - 00000246 _____ () C:\Users\andre_000\Downloads\Client_Listing.vcf
2015-01-04 12:08 - 2015-01-04 12:38 - 00000000 ____D () C:\Users\andre_000\Desktop\resolution
2015-01-02 15:56 - 2015-01-03 18:10 - 00000000 ____D () C:\Users\andre_000\Documents\New folder (2)
2014-12-27 20:02 - 2014-12-27 20:02 - 00088086 _____ () C:\Users\andre_000\Documents\Any year expense calendar1.xlsx
2014-12-27 19:47 - 2014-12-27 19:47 - 00000000 ___SD () C:\Users\andre_000\Documents\My Data Sources
2014-12-27 19:03 - 2014-12-27 19:04 - 00602112 _____ (OldTimer Tools) C:\Users\andre_000\Downloads\OTL(1).exe
2014-12-27 18:58 - 2014-12-27 18:58 - 00000000 ____D () C:\Program Files\Google
2014-12-27 18:57 - 2014-12-27 18:58 - 00000000 ____D () C:\ProgramData\Google
2014-12-27 18:48 - 2014-12-27 18:48 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2014-12-27 18:45 - 2014-12-28 23:37 - 00003494 _____ () C:\Windows\PFRO.log
2014-12-27 18:43 - 2015-01-20 20:57 - 00007596 _____ () C:\Users\andre_000\AppData\Local\Resmon.ResmonCfg
2014-12-27 18:06 - 2014-12-27 18:06 - 00675874 ____T () C:\Users\andre_000\Desktop\capitaldec27.oxps
2014-12-27 17:45 - 2014-12-27 17:45 - 00011521 _____ () C:\Users\andre_000\Downloads\export.ofx
2014-12-27 16:20 - 2014-12-27 16:20 - 00003374 _____ () C:\Windows\System32\Tasks\{67EF455E-A6E0-441C-A237-4539FB2C9DC0}
2014-12-27 16:13 - 2014-12-27 16:13 - 00000000 ____D () C:\ProgramData\APN
2014-12-27 16:11 - 2014-12-27 16:11 - 00000000 ____D () C:\ProgramData\Sun
2014-12-27 16:07 - 2014-12-27 16:12 - 00000000 ____D () C:\ProgramData\Oracle
2014-12-27 16:07 - 2014-12-27 16:07 - 00000000 ____D () C:\Program Files (x86)\Java
2014-12-27 15:43 - 2014-12-27 15:43 - 00638888 _____ (Oracle Corporation) C:\Users\andre_000\Downloads\jxpiinstall.exe
2014-12-25 12:01 - 2014-12-25 12:01 - 00000000 ____D () C:\Users\andre_000\AppData\Local\Autodesk
2014-12-25 11:58 - 2014-12-25 11:58 - 00001890 _____ () C:\Users\Public\Desktop\Pixlr .lnk
2014-12-25 11:58 - 2014-12-25 11:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk Pixlr
2014-12-25 11:57 - 2014-12-25 11:57 - 00000000 ____D () C:\Program Files (x86)\Autodesk
2014-12-25 11:56 - 2014-12-25 11:56 - 00000000 ____D () C:\Users\andre_000\AppData\Roaming\Autodesk
2014-12-25 11:56 - 2014-12-25 11:56 - 00000000 ____D () C:\ProgramData\Autodesk
2014-12-25 11:53 - 2014-12-25 11:53 - 00000000 ____D () C:\Autodesk
2014-12-25 11:52 - 2014-12-25 11:53 - 35841688 _____ () C:\Users\andre_000\Downloads\Autodesk_Pixlr_v1.0.3.0_Win32.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 21:26 - 2014-10-19 14:40 - 00020590 _____ () C:\Users\andre_000\Downloads\FRST.txt
2015-01-20 21:24 - 2014-10-19 14:40 - 00000000 ____D () C:\FRST
2015-01-20 21:18 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-20 21:09 - 2013-10-22 01:06 - 01987878 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 21:08 - 2014-12-07 12:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-20 21:04 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-20 20:31 - 2014-01-06 22:55 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-20 17:04 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-01-20 15:23 - 2014-01-07 19:06 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-695059093-3351157946-1085184340-1004
2015-01-20 03:30 - 2014-12-07 13:02 - 00004998 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for POLICESCAN-andre_000 PoliceScan
2015-01-19 23:11 - 2013-09-05 09:46 - 00863592 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-19 22:57 - 2014-01-07 19:02 - 00000000 ___DO () C:\Users\andre_000\SkyDrive
2015-01-19 22:05 - 2013-10-22 01:19 - 00065536 _____ () C:\Windows\system32\spu_storage.bin
2015-01-19 21:50 - 2014-12-15 18:49 - 00004050 _____ () C:\Windows\setupact.log
2015-01-19 21:50 - 2013-08-22 08:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-19 21:49 - 2013-08-22 07:25 - 00524288 ___SH () C:\Windows\system32\config\BBI
2015-01-19 21:41 - 2014-01-07 23:13 - 00000000 ____D () C:\Users\andre_000\AppData\Local\clear.fi
2015-01-19 21:41 - 2013-10-22 01:47 - 00000000 ____D () C:\Program Files (x86)\Acer
2015-01-19 21:37 - 2013-10-22 01:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer
2015-01-19 20:59 - 2014-12-06 18:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-19 20:54 - 2014-01-07 18:53 - 00000000 ____D () C:\Users\andre_000
2015-01-16 13:16 - 2014-02-10 08:11 - 00000000 ____D () C:\Users\andre_000\AppData\Local\Deployment
2015-01-15 13:35 - 2014-06-06 21:44 - 00000000 ____D () C:\Users\andre_000\AppData\Local\Adobe
2015-01-13 23:19 - 2013-08-22 09:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-01-13 23:05 - 2014-01-09 05:16 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-13 22:43 - 2014-01-09 05:16 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-13 15:09 - 2014-12-07 12:58 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-09 14:51 - 2014-12-12 09:04 - 00011647 _____ () C:\Users\andre_000\Desktop\bal 121214.xlsx
2015-01-09 13:25 - 2014-04-13 12:16 - 00000000 ____D () C:\Users\andre_000\Desktop\ReNEW CS 2014
2015-01-05 18:08 - 2014-11-14 08:08 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-05 18:08 - 2014-07-12 13:42 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-31 05:14 - 2014-01-08 17:08 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-29 14:12 - 2014-01-07 18:57 - 00000000 ____D () C:\Users\andre_000\AppData\Local\Packages
2014-12-29 12:47 - 2014-09-30 22:09 - 00000165 ____H () C:\Users\andre_000\Documents\~$balance Sept302th014.xlsx
2014-12-27 19:33 - 2014-12-06 14:09 - 00149988 _____ () C:\Users\andre_000\Downloads\OTL.Txt
2014-12-27 19:00 - 2014-01-06 22:55 - 00000000 ____D () C:\Program Files (x86)\Google
2014-12-27 18:45 - 2014-02-15 22:09 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-27 18:45 - 2014-02-15 22:09 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-12-23 16:56 - 2014-02-05 20:58 - 00000000 ____D () C:\Program Files\Microsoft Office 15

==================== Files in the root of some directories =======
2014-02-26 21:01 - 2014-02-26 21:01 - 0001864 _____ () C:\Program Files\QuickTime Player.lnk
2014-08-19 18:29 - 2014-09-08 18:50 - 0000093 _____ () C:\Users\andre_000\AppData\Roaming\WB.CFG
2014-12-27 18:43 - 2015-01-20 20:57 - 0007596 _____ () C:\Users\andre_000\AppData\Local\Resmon.ResmonCfg
2013-10-22 01:24 - 2013-10-22 01:24 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-01-06 23:00 - 2014-01-06 23:00 - 0000098 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc

Some content of TEMP:
====================
C:\Users\A\AppData\Local\Temp\AcerDocsSetup.exe
C:\Users\A\AppData\Local\Temp\AcerPortalSetup.exe
C:\Users\A\AppData\Local\Temp\AskSLib.dll
C:\Users\A\AppData\Local\Temp\HitmanPro.exe
C:\Users\A\AppData\Local\Temp\install_reader11_en_mssa_aaa_aih(1).exe
C:\Users\A\AppData\Local\Temp\oct6F82.tmp.exe
C:\Users\A\AppData\Local\Temp\OfficeSetup.exe
C:\Users\A\AppData\Local\Temp\Quarantine.exe
C:\Users\A\AppData\Local\Temp\Setup.X86.en-US_HomeStudentRetail_4365a56e-dbd1-4346-82e4-240ffaffa26c_TX_PR_.exe
C:\Users\A\AppData\Local\Temp\sqlite3.dll
C:\Users\andre_000\AppData\Local\Temp\AcDeltree.exe
C:\Users\andre_000\AppData\Local\Temp\AcerPortalSetup.exe
C:\Users\andre_000\AppData\Local\Temp\AOPSetup.exe
C:\Users\andre_000\AppData\Local\Temp\APNSetup.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-20 20:34

==================== End Of Log ============================

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-01-20 22:07:56
-----------------------------
22:07:56.975    OS Version: Windows x64 6.2.9200
22:07:56.976    Number of processors: 2 586 0x1
22:07:56.988    ComputerName: POLICESCAN  UserName: andre_000
22:08:02.279    Initialze error C000010E - driver not loaded
22:08:03.225    write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.
22:08:49.608    AVAST engine defs: 15011901
22:08:57.930    Scan error: The parameter is incorrect.
22:20:21.678    The log file has been saved successfully to "C:\Users\andre_000\Desktop\aswMBR.txt"

#2 nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:16 PM
Posted 21 January 2015 - 09:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ask.com/?tpid=ORJ-SPE&o=APN11405&pf=V7&trgb=IE&p2=^BBD^OSJ000^YY^US&gct=hp&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17416&apn_uid=0EB59576-FDAF-4460-AD24-67DD3F41693B&itbv=12.21.0.114&doi=2014-12-27&psv=&pt=tb
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-695059093-3351157946-1085184340-1004 -> {B23AAE83-67AD-4344-B49E-AC4FC1B22025} URL = http://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11405&pf=V7&p2=^BBD^OSJ000^YY^US&gct=&itbv=12.21.0.114&apn_uid=0EB59576-FDAF-4460-AD24-67DD3F41693B&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17416&doi=2014-12-27&trgb=IE&q={searchTerms}&psv=&pt=tb
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3279418&SearchSource=48&CUI=UN27957667411415352&UM=2"
CHR Extension: (Google Wallet) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-07]
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [178160 2014-08-28] (Coupons.com Inc.)
R3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
U3 aswMBR; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswVmm.sys [X]
C:\Users\andre_000\AppData\Local\Temp\AcDeltree.exe
C:\Users\andre_000\AppData\Local\Temp\AcerPortalSetup.exe
C:\Users\andre_000\AppData\Local\Temp\AOPSetup.exe
C:\Users\andre_000\AppData\Local\Temp\APNSetup.exe
C:\Users\A\AppData\Local\Temp\AskSLib.dll
C:\Users\A\AppData\Local\Temp\install_reader11_en_mssa_aaa_aih(1).exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
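The fixlist above targets three kinds of leftover: services and drivers whose file no longer exists (the `[X]` entries, two of them registered from Temp directories), orphaned ShellIconOverlayIdentifiers COM registrations (`No File`), and Internet Explorer and Chrome search or start-page settings pointing at search.ask.com and search.conduit.com. As an added example, which is not part of nasdaq's instructions and not FRST's own code, here is a small Python triage script that applies those same checks to FRST log lines so a helper can list the candidates before writing a fixlist. The sample lines are constructed to mirror the entries quoted in this thread; the host list and the heuristics are the editor's assumptions, not rules FRST implements.

```python
import re
from urllib.parse import urlparse

# Search-redirect hosts seen in this thread's FRST and AdwCleaner output.
# Assumption: this list is the editor's, not one FRST itself uses.
HIJACK_HOSTS = {"search.ask.com", "www.search.ask.com", "search.conduit.com"}

# FRST service/driver line: "<state> <name>; <path> [size date] (vendor)" or "<path> [X]"
SERVICE_RE = re.compile(r"^([RSU]\d) ([^;]+); (.+)$")
URL_RE = re.compile(r'https?://[^\s"]+')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample lines, shaped like the fixlist entries in this thread.
SAMPLE_FRST = r"""
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ask.com/?tpid=ORJ-SPE&o=APN11405
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3279418&SearchSource=48"
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [178160 2014-08-28] (Coupons.com Inc.)
R3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
U3 aswMBR; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswMBR.sys [X]
"""


def triage_frst(text):
    """Return (category, subject, evidence) tuples for FRST lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            _state, name, rest = m.groups()
            # "[X]" means FRST could not find the file behind the service/driver.
            if rest.endswith("[X]"):
                path = rest[:-3].strip()
                reason = "service/driver registered but its file is missing"
                if "\\temp\\" in path.lower():
                    reason += "; path is under a Temp directory"
                findings.append(("orphaned_service", name, reason))
            continue

        if line.startswith("ShellIconOverlayIdentifiers") and line.endswith("No File"):
            clsid = CLSID_RE.search(line)
            findings.append(("orphaned_overlay",
                             clsid.group(0) if clsid else line,
                             "shell overlay handler registered but its file is missing"))
            continue

        # Logs often defang URLs as hxxp://; normalise before parsing the host.
        for url in URL_RE.findall(line.replace("hxxp://", "http://")):
            host = (urlparse(url).hostname or "").lower()
            if host in HIJACK_HOSTS:
                findings.append(("search_redirect", host, line))

        if line.startswith("SearchScopes") and line.endswith("URL ="):
            findings.append(("empty_search_scope", line, "search scope with an empty URL"))
    return findings


if __name__ == "__main__":
    for category, subject, evidence in triage_frst(SAMPLE_FRST):
        print(f"{category:20} {subject}\n    {evidence}")
```

Run against a real FRST.txt by replacing SAMPLE_FRST with the file's contents; the output is a review list, not a fixlist, since a missing-file entry can also be a tool that simply uninstalled itself (aswMBR's own driver is an example in this thread), so each finding still needs a human decision before it goes into fixlist.txt.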

#3 CCSunflower

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:16 PM
Posted 21 January 2015 - 10:25 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by andre_000 at 2015-01-21 18:54:22 Run:1
Running from C:\Users\andre_000\Downloads
Loaded Profiles: andre_000 (Available profiles: A & andre_000)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ask.com/?tpid=ORJ-SPE&o=APN11405&pf=V7&trgb=IE&p2=^BBD^OSJ000^YY^US&gct=hp&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17416&apn_uid=0EB59576-FDAF-4460-AD24-67DD3F41693B&itbv=12.21.0.114&doi=2014-12-27&psv=&pt=tb
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-695059093-3351157946-1085184340-1004 -> {B23AAE83-67AD-4344-B49E-AC4FC1B22025} URL = http://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11405&pf=V7&p2=^BBD^OSJ000^YY^US&gct=&itbv=12.21.0.114&apn_uid=0EB59576-FDAF-4460-AD24-67DD3F41693B&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17416&doi=2014-12-27&trgb=IE&q={searchTerms}&psv=&pt=tb
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3279418&SearchSource=48&CUI=UN27957667411415352&UM=2"
CHR Extension: (Google Wallet) - C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-07]
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [178160 2014-08-28] (Coupons.com Inc.)
R3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
U3 aswMBR; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\ANDRE_~1\AppData\Local\Temp\aswVmm.sys [X]
C:\Users\andre_000\AppData\Local\Temp\AcDeltree.exe
C:\Users\andre_000\AppData\Local\Temp\AcerPortalSetup.exe
C:\Users\andre_000\AppData\Local\Temp\AOPSetup.exe
C:\Users\andre_000\AppData\Local\Temp\APNSetup.exe
C:\Users\A\AppData\Local\Temp\AskSLib.dll
C:\Users\A\AppData\Local\Temp\install_reader11_en_mssa_aaa_aih(1).exe

End
*****************

Processes closed successfully.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
HKU\S-1-5-21-695059093-3351157946-1085184340-1004\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKU\S-1-5-21-695059093-3351157946-1085184340-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B23AAE83-67AD-4344-B49E-AC4FC1B22025}" => Key deleted successfully.
HKCR\CLSID\{B23AAE83-67AD-4344-B49E-AC4FC1B22025} => Key not found.
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => Moved successfully.
Chrome StartupUrls deleted successfully.
C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
CouponPrinterService => Service deleted successfully.
cpuz136 => Unable to stop service
cpuz136 => Service deleted successfully.
aswMBR => Service deleted successfully.
aswVmm => Service deleted successfully.
C:\Users\andre_000\AppData\Local\Temp\AcDeltree.exe => Moved successfully.
C:\Users\andre_000\AppData\Local\Temp\AcerPortalSetup.exe => Moved successfully.
C:\Users\andre_000\AppData\Local\Temp\AOPSetup.exe => Moved successfully.
C:\Users\andre_000\AppData\Local\Temp\APNSetup.exe => Moved successfully.
C:\Users\A\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\A\AppData\Local\Temp\install_reader11_en_mssa_aaa_aih(1).exe => Moved successfully.


The system needed a reboot.

==== End of Fixlog 18:54:39 ====

# AdwCleaner v4.108 - Report created 21/01/2015 at 19:16:10
# Updated 17/01/2015 by Xplode
# Database : 2015-01-18.1 [Live]
# Operating System : Windows 8.1  (64 bits)
# Username : andre_000 - POLICESCAN
# Running from : C:\Users\andre_000\Downloads\adwcleaner_4.108.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Deleted : C:\Program Files (x86)\Coupons
Folder Deleted : C:\Users\ANDRE_~1\AppData\Local\Temp\apn
Folder Deleted : C:\Users\andre_000\AppData\Roaming\DigitalSites

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.search.ask.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v35.0 (x86 en-US)


-\\ Google Chrome v

[C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
[C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN27957667411415352&ctid=CT3279418&UM=2
[C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN27957667411415352&ctid=CT3279418&UM=2
[C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\andre_000\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1432 octets] - [22/03/2014 11:47:06]
AdwCleaner[R1].txt - [4664 octets] - [22/10/2014 12:22:36]
AdwCleaner[R2].txt - [3349 octets] - [23/10/2014 21:20:32]
AdwCleaner[S0].txt - [1480 octets] - [22/03/2014 11:59:48]
AdwCleaner[S1].txt - [4656 octets] - [22/10/2014 12:31:30]
AdwCleaner[S2].txt - [2861 octets] - [21/01/2015 19:16:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [2921 octets] ##########
My computer seems to be running so-so at this very second, but I have concerns. Prior to running your suggestions I came upon (Control Panel), User Accounts and Family Safety, Credentials... anyway, there were a bunch of web and Windows credentials I didn't recognize. I did go ahead and do a print screen, but then forgot to paste the print screen sooo... oops! Anyway, the user accounts and family safety look okay right now.

I am concerned that BtvStack.exe is still running (in CPU, Processes, the Resource Monitor) and under TCP connections... although not causing a big disturbance at this time. What do you think?

By the way, THANK YOU SO MUCH FOR RESPONDING!!  I LOVE YOU.



#4 nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:16 PM
Posted 22 January 2015 - 09:03 AM


I am concerned that BtvStack.exe is still running (in CPU, Processes, the Resource Monitor) and under TCP connections... although not causing a big disturbance at this time. What do you think?



BtvStack.exe is for the Qualcomm Atheros Bluetooth Suite.
It's not required at startup.
You can disable the process in your Task Manager if not used regularly.

===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

Edited by nasdaq, 22 January 2015 - 09:03 AM.


#5 CCSunflower

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:16 PM
Posted 22 January 2015 - 08:13 PM

 Results of screen317's Security Check version 0.99.95  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
  Java 64-bit 8 Update 31  
 Adobe Flash Player     16.0.0.257  
 Adobe Reader XI  
 Mozilla Firefox (35.0)
 Google Chrome 35.0.1916.114 Google Chrome out of date!  
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
Computer seems to be running well.



#6 nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:16 PM
Posted 23 January 2015 - 10:25 AM

Looking good.

If all is well, read this little guide to learn more about how to protect yourself while on the internet: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 nasdaq

  • Malware Response Team
  • 40,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:16 PM
Posted 29 January 2015 - 10:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



