
Loads of .exe *32 in Windows Processes please help


This topic is locked
8 replies to this topic

#1 kateausten
  • Members
  • 4 posts

Posted 22 January 2015 - 08:01 AM

As above, and I have attached the screen print.

I have run RogueKiller, Malwarebytes and various others but nothing seems to have helped.

TIA

Attached File: Malware Screen Print.jpg (99.02KB)




#2 nasdaq
  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 January 2015 - 09:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

What issues are you having with this computer?

Wait for further instructions.
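A note on the thread title, added by the editor and not part of nasdaq's reply: the "*32" tag that Task Manager appends to a process name on 64-bit Windows only means the process is a 32-bit (WOW64) process. A 64-bit machine running mostly 32-bit software, as this one does (the FRST list later in the thread is dominated by Program Files (x86) paths), shows it on a large share of processes, so the tag by itself is not evidence of infection. What is worth checking is what FRST's publisher column gives you: whether each binary carries a valid signature and where it runs from. The PowerShell script below is an added example, not code from this thread, from FRST or from AdwCleaner. It assumes an elevated PowerShell 3.0 or later session on Windows 7 or newer; the list of "user-writable" directories it uses to prioritise unsigned binaries is a choice made here, not a Windows definition.

```powershell
# Added example (not from the thread, FRST or AdwCleaner): triage running processes the
# way a responder reads FRST's "Processes" section. Task Manager's "*32" suffix marks a
# WOW64 (32-bit) process on 64-bit Windows; that alone is not suspicious. Signature
# status and location are what matter. Run from an elevated PowerShell 3.0+ session.

Add-Type -Namespace Triage -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64Process);
'@

# Directories a standard user can normally write to (assumption made for this example):
# an unsigned binary running from one of these deserves a closer look than one under
# Program Files or System32.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP,
                  $env:ProgramData, "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function Get-ProcessTriage {
    foreach ($p in Get-Process) {
        $path = $null; $bits = 'unknown'; $sig = 'n/a'; $signer = ''
        try {
            $path = $p.Path                         # $null for protected/system processes
            $wow = $false
            if ([Triage.Native]::IsWow64Process($p.Handle, [ref]$wow)) {
                # IsWow64Process is false for everything on a 32-bit OS, so say so explicitly
                $bits = if (-not [Environment]::Is64BitOperatingSystem) { '32-bit (32-bit OS)' }
                        elseif ($wow) { '32-bit (*32)' } else { '64-bit' }
            }
        } catch { $bits = 'access denied' }         # Handle/Path throw for protected processes

        if ($path) {
            $s = Get-AuthenticodeSignature -FilePath $path
            $sig = $s.Status                        # Valid, NotSigned, HashMismatch, ...
            if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Subject }
        }

        $inUserDir = $false
        if ($path) {
            foreach ($d in $userWritable) {
                if ($path.StartsWith($d, 'OrdinalIgnoreCase')) { $inUserDir = $true }
            }
        }
        # Flag what a responder would actually chase: a binary whose contents no longer
        # match its signature, or an unsigned binary living in a user-writable location.
        $suspect = ($null -ne $path) -and
                   (($sig -eq 'HashMismatch') -or (($sig -ne 'Valid') -and $inUserDir))

        [pscustomobject]@{
            Name = $p.ProcessName; PID = $p.Id; Bitness = $bits; Signature = $sig
            Signer = $signer; UserWritableDir = $inUserDir; Suspect = $suspect; Path = $path
        }
    }
}

$report   = @(Get-ProcessTriage)
$wow64    = @($report | Where-Object { $_.Bitness -like '32-bit*' }).Count
$flagged  = @($report | Where-Object { $_.Suspect }).Count

$report | Sort-Object Suspect -Descending |
    Format-Table Name, PID, Bitness, Signature, Suspect, Path -AutoSize
"{0} processes, {1} running as 32-bit, {2} flagged for review" -f $report.Count, $wow64, $flagged
```

Two caveats when reading the output. First, on Windows 7 Get-AuthenticodeSignature does not consult the system catalog, so catalog-signed Windows binaries under System32 can show NotSigned; that is why the Suspect flag requires either a HashMismatch or an unsigned file in a user-writable directory, never NotSigned on its own. Second, a valid signature from a vendor you do not recognise (the VideoPlayerV3 / MediaWatchV1 style of bundled adware, for instance) is not a clean bill of health; the Signer column is there so that you can read the certificate subject rather than trust the status alone.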

#3 kateausten
  • Topic Starter
  • Members
  • 4 posts

Posted 22 January 2015 - 10:56 AM

Hi Nasdaq,

Thank you for your response.

This is the first one...

 

# AdwCleaner v4.108 - Report created 22/01/2015 at 15:52:18
# Updated 17/01/2015 by Xplode
# Database : 2015-01-22.3 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Katy - KATY-PC
# Running from : C:\Users\Katy\Downloads\adwcleaner_4.108 (2).exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17207
 
 
-\\ Google Chrome v39.0.2171.99
 
[C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [7017 octets] - [22/01/2015 12:18:13]
AdwCleaner[R1].txt - [1011 octets] - [22/01/2015 15:50:14]
AdwCleaner[S0].txt - [7076 octets] - [22/01/2015 12:19:59]
AdwCleaner[S1].txt - [936 octets] - [22/01/2015 15:52:18]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [995 octets] ##########


#4 kateausten
  • Topic Starter
  • Members
  • 4 posts

Posted 22 January 2015 - 11:07 AM

Frst.txt log
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Katy (administrator) on KATY-PC on 22-01-2015 15:56:16
Running from C:\Users\Katy\Downloads
Loaded Profiles: Katy (Available profiles: Katy)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Diskeeper Corporation) C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Windows\SysWOW64\irstrtsv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Memeo) C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
(Samsung Electronics) C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\McChHost.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Samsung Electronics CO., LTD.) C:\Program Files\Samsung\Easy Support Center\SamoyedAgent.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(Farbar) C:\Users\Katy\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [177936 2012-02-17] (Intel Corporation)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2816336 2012-03-14] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-04] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-281177865-3636818736-3023637802-1000\...\MountPoints2: {d970a3b1-4f6c-11e2-82f5-c485082ff3e5} - "D:\WD SmartWare.exe" autoplay=true
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-281177865-3636818736-3023637802-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKU\S-1-5-21-281177865-3636818736-3023637802-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://samsung.msn.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Media Watch -> {5ffd1f0b-4f52-4175-86d6-cb0942a0e8fd} -> C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ie\MediaWatchV1home1096.dll No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Media Buzz -> {93011306-c8a8-4c13-a92f-e50c94e3234f} -> C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ie\MediaBuzzV1mode2671.dll No File
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Media Player -> {c4f8edd8-15c6-4d7f-a9d7-5b741bc841ef} -> C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ie\MediaPlayerV1alpha736.dll No File
BHO-x32: Video Player -> {f7c95d98-20ad-40a6-b123-7c9bb133bbe8} -> C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ie\VideoPlayerV3beta3447.dll No File
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
DPF: HKLM-x32 {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} http://homebase.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} http://www.tescophoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{6432A6D9-5E0B-4E0F-9867-6733314BA112}: [NameServer] 192.168.3.5,8.8.4.4
 
FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2013-02-10]
FF HKLM-x32\...\Firefox\Extensions: [12x3q@3244516.com] - C:\Program Files (x86)\Better-Surf\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@VideoPlayerV3beta3447.net] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaPlayerV1alpha736.net] - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaWatchV1home1096.net] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaBuzzV1mode2671.net] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2013-02-10]
FF Extension: No Name - C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff [Not Found]
 
Chrome: 
=======
CHR Profile: C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-14]
CHR Extension: (Google Drive) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-09]
CHR Extension: (YouTube) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-14]
CHR Extension: (Google Search) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-14]
CHR Extension: (SiteAdvisor) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2014-08-14]
CHR Extension: (Google Wallet) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
CHR Extension: (Gmail) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-14]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-01-13]
CHR HKLM-x32\...\Chrome\Extension: [dmeeegdkmolbdfnhhlpoemipngldgbkc] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ch\MediaWatchV1home1096.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hmlfpoilpabhfknlfojgfmhijpnjnbnl] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ch\MediaBuzzV1mode2671.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [kpbgeeklffkbbjeoeldnemcghkhliofm] - C:\ProgramData\SaveAs\kpbgeeklffkbbjeoeldnemcghkhliofm.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [lemniljaicohmbignpfjlklijengpjmi] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ch\VideoPlayerV3beta3447.crx [Not Found]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 ExpressCache; C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [79664 2012-02-11] (Diskeeper Corporation)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-08] ()
R2 irstrtsv; C:\windows\SysWOW64\irstrtsv.exe [193536 2012-02-06] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-08] (Intel Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [154320 2014-12-03] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-03-18] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-04-03] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [189912 2014-04-03] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] ()
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 SamsungDeviceConfigurationWinService; C:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe [31624 2012-02-13] () [File not signed]
R2 WDDMService; C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [116224 2009-10-14] (WDC) [File not signed]
R2 WDSmartWareBackgroundService; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [20480 2009-06-16] (Memeo) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [260888 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [203544 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [50976 2014-11-07] (AVG Technologies)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70592 2014-04-03] (McAfee, Inc.)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [23344 2012-02-11] (Diskeeper Corporation)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [92976 2012-02-11] (Diskeeper Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 irstrtdv; C:\Windows\System32\DRIVERS\irstrtdv.sys [26504 2012-02-07] (Intel Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [177544 2014-04-03] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311856 2014-04-03] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [522360 2014-04-03] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [784760 2014-04-03] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [441264 2014-03-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-03-18] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [346760 2014-04-03] (McAfee, Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-01-22] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-22 15:55 - 2015-01-22 15:55 - 02126848 _____ (Farbar) C:\Users\Katy\Downloads\FRST64 (1).exe
2015-01-22 15:49 - 2015-01-22 15:50 - 02186752 _____ () C:\Users\Katy\Downloads\adwcleaner_4.108 (3).exe
2015-01-22 15:48 - 2015-01-22 15:48 - 02186752 _____ () C:\Users\Katy\Downloads\adwcleaner_4.108 (2).exe
2015-01-22 12:28 - 2015-01-22 12:28 - 00468480 _____ () C:\Users\Katy\Downloads\CKScanner.exe
2015-01-22 12:27 - 2015-01-22 12:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-01-22 12:26 - 2015-01-22 12:27 - 00038920 _____ () C:\Users\Katy\Downloads\Addition.txt
2015-01-22 12:25 - 2015-01-22 15:56 - 00023014 _____ () C:\Users\Katy\Downloads\FRST.txt
2015-01-22 12:25 - 2015-01-22 15:56 - 00000000 ____D () C:\FRST
2015-01-22 12:24 - 2015-01-22 12:24 - 02126848 _____ (Farbar) C:\Users\Katy\Downloads\FRST64.exe
2015-01-22 12:24 - 2015-01-22 12:24 - 01118208 _____ (Farbar) C:\Users\Katy\Downloads\FRST.exe
2015-01-22 12:23 - 2015-01-22 12:23 - 02186752 _____ () C:\Users\Katy\Downloads\adwcleaner_4.108 (1).exe
2015-01-22 12:17 - 2015-01-22 15:52 - 00000000 ____D () C:\AdwCleaner
2015-01-22 12:16 - 2015-01-22 12:16 - 02186752 _____ () C:\Users\Katy\Downloads\adwcleaner_4.108.exe
2015-01-22 12:00 - 2015-01-22 12:00 - 00000000 ____D () C:\Users\Katy\AppData\Roaming\AVG2015
2015-01-22 11:58 - 2015-01-22 11:58 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-01-22 11:56 - 2015-01-22 11:59 - 00000000 ____D () C:\ProgramData\AVG2015
2015-01-22 11:54 - 2015-01-22 13:22 - 00000000 ____D () C:\Users\Katy\AppData\Local\Avg2015
2015-01-22 11:07 - 2015-01-22 13:51 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-22 11:07 - 2015-01-22 12:45 - 00136408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-22 11:07 - 2015-01-22 11:07 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-22 11:06 - 2015-01-22 13:51 - 00000000 ____D () C:\Users\Katy\Desktop\mbar
2015-01-22 11:06 - 2015-01-22 12:44 - 00097496 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-01-22 11:06 - 2015-01-22 11:06 - 16466552 _____ (Malwarebytes Corp.) C:\Users\Katy\Downloads\mbar-1.08.3.1004.exe
2015-01-22 10:18 - 2015-01-22 12:30 - 00035064 _____ () C:\windows\system32\Drivers\TrueSight.sys
2015-01-22 10:18 - 2015-01-22 10:39 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-01-22 10:17 - 2015-01-22 10:18 - 15431256 _____ () C:\Users\Katy\Downloads\RogueKiller.exe
2015-01-22 10:15 - 2015-01-22 10:15 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Katy\Downloads\tdsskiller.exe
2015-01-13 09:40 - 2015-01-13 09:40 - 00000520 _____ () C:\Users\Katy\Desktop\Howman VPN.lnk
2015-01-09 20:43 - 2015-01-09 20:45 - 00000000 ____D () C:\Users\Katy\Documents\Barclays statements
2015-01-01 20:16 - 2015-01-13 09:41 - 00002208 _____ () C:\Users\Katy\Desktop\TS.RDP
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-22 15:53 - 2013-07-02 09:54 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-22 15:53 - 2012-05-24 05:21 - 00000828 _____ () C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-01-22 15:53 - 2010-11-21 03:47 - 00853286 _____ () C:\windows\PFRO.log
2015-01-22 15:53 - 2009-07-14 05:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-22 15:53 - 2009-07-14 04:51 - 00066282 _____ () C:\windows\setupact.log
2015-01-22 15:52 - 2012-05-24 21:16 - 01932445 _____ () C:\windows\WindowsUpdate.log
2015-01-22 15:15 - 2012-05-24 05:43 - 00000328 _____ () C:\windows\Tasks\Xerox PhotoCafe Communicator.job
2015-01-22 15:02 - 2014-04-03 10:07 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf4f24746219b5.job
2015-01-22 14:58 - 2014-08-14 19:53 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-01-22 13:17 - 2013-06-17 21:30 - 00000000 ____D () C:\Users\Katy\AppData\Local\2D6793C9-A99E-4CD4-8C1B-4A85CE22CFF4.aplzod
2015-01-22 12:28 - 2009-07-14 04:45 - 00031808 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-22 12:28 - 2009-07-14 04:45 - 00031808 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-22 12:27 - 2013-02-10 18:22 - 00001844 _____ () C:\Users\Public\Desktop\McAfee Internet Security.lnk
2015-01-22 12:27 - 2009-07-14 05:13 - 00783464 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-22 12:21 - 2014-07-11 19:42 - 00000000 ____D () C:\ProgramData\AVG2014
2015-01-22 12:21 - 2012-12-26 14:55 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-22 12:01 - 2014-07-11 19:41 - 00000000 ____D () C:\Program Files (x86)\AVG
2015-01-22 12:00 - 2014-07-11 19:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-01-22 12:00 - 2014-07-11 19:42 - 00000000 ___HD () C:\$AVG
2015-01-22 10:39 - 2014-08-14 20:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-01-22 10:39 - 2012-05-24 05:29 - 00000000 ____D () C:\ProgramData\WinClon
2015-01-22 10:39 - 2009-07-14 05:32 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2015-01-22 10:39 - 2009-07-14 05:32 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-01-22 10:38 - 2012-12-26 14:41 - 00000000 ____D () C:\Users\Katy
2015-01-22 10:38 - 2009-07-14 03:20 - 00000000 ____D () C:\windows\system32\NDF
2015-01-22 10:38 - 2009-07-14 03:20 - 00000000 ____D () C:\windows\registration
2015-01-22 09:16 - 2012-05-24 05:21 - 00000830 _____ () C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-01-20 14:46 - 2012-12-26 15:22 - 00000000 ____D () C:\Users\Katy\Documents\Howman & Co
2015-01-17 13:54 - 2014-08-14 20:18 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-16 10:12 - 2013-02-10 18:19 - 00000000 ____D () C:\Program Files (x86)\McAfee
2015-01-15 20:41 - 2013-05-28 10:33 - 00013737 _____ () C:\Users\Katy\Documents\Income.Expenditure - Kate Austen.xlsx
2015-01-14 12:10 - 2014-08-14 19:53 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2015-01-14 12:09 - 2014-02-23 18:01 - 00701616 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 12:09 - 2014-02-23 18:01 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-13 12:33 - 2009-07-14 05:32 - 00000000 ____D () C:\windows\system32\FxsTmp
2015-01-13 09:29 - 2014-06-12 12:49 - 00000000 ____D () C:\Users\Katy\AppData\Roaming\TeamViewer
2015-01-08 13:17 - 2009-07-14 03:20 - 00000000 ____D () C:\windows\rescache
 
==================== Files in the root of some directories =======
2013-01-02 10:03 - 2013-01-02 10:03 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some content of TEMP:
====================
C:\Users\Katy\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Katy\AppData\Local\Temp\Quarantine.exe
C:\Users\Katy\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-08 13:09
 
==================== End Of Log ============================

 

 

The problems I am having are that it's generally slower and a bit stop-start, with lots of programs saying "not responding" before being able to start. Plus the very odd .exe *32 files open in the Windows processes list.

 

Kate

Attached file: Addition.txt (38.01KB)



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,250 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 AM

Posted 22 January 2015 - 02:19 PM


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Media Watch -> {5ffd1f0b-4f52-4175-86d6-cb0942a0e8fd} -> C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ie\MediaWatchV1home1096.dll No File
BHO-x32: Media Buzz -> {93011306-c8a8-4c13-a92f-e50c94e3234f} -> C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ie\MediaBuzzV1mode2671.dll No File
BHO-x32: Media Player -> {c4f8edd8-15c6-4d7f-a9d7-5b741bc841ef} -> C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ie\MediaPlayerV1alpha736.dll No File
BHO-x32: Video Player -> {f7c95d98-20ad-40a6-b123-7c9bb133bbe8} -> C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ie\VideoPlayerV3beta3447.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKLM-x32\...\Firefox\Extensions: [12x3q@3244516.com] - C:\Program Files (x86)\Better-Surf\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@VideoPlayerV3beta3447.net] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaPlayerV1alpha736.net] - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaWatchV1home1096.net] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaBuzzV1mode2671.net] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff
FF Extension: No Name - C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff [Not Found]
CHR Extension: (Google Wallet) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
CHR HKLM-x32\...\Chrome\Extension: [dmeeegdkmolbdfnhhlpoemipngldgbkc] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ch\MediaWatchV1home1096.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hmlfpoilpabhfknlfojgfmhijpnjnbnl] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ch\MediaBuzzV1mode2671.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [kpbgeeklffkbbjeoeldnemcghkhliofm] - C:\ProgramData\SaveAs\kpbgeeklffkbbjeoeldnemcghkhliofm.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [lemniljaicohmbignpfjlklijengpjmi] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ch\VideoPlayerV3beta3447.crx [Not Found]
C:\Program Files (x86)\Better-Surf
C:\Program Files (x86)\VideoPlayerV3
C:\Program Files (x86)\MediaWatchV1
C:\Program Files (x86)\MediaBuzzV1

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#6 kateausten

kateausten
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 22 January 2015 - 03:26 PM

FRST
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Katy at 2015-01-22 20:18:00 Run:1
Running from C:\Users\Katy\Downloads
Loaded Profiles: Katy (Available profiles: Katy)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Media Watch -> {5ffd1f0b-4f52-4175-86d6-cb0942a0e8fd} -> C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ie\MediaWatchV1home1096.dll No File
BHO-x32: Media Buzz -> {93011306-c8a8-4c13-a92f-e50c94e3234f} -> C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ie\MediaBuzzV1mode2671.dll No File
BHO-x32: Media Player -> {c4f8edd8-15c6-4d7f-a9d7-5b741bc841ef} -> C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ie\MediaPlayerV1alpha736.dll No File
BHO-x32: Video Player -> {f7c95d98-20ad-40a6-b123-7c9bb133bbe8} -> C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ie\VideoPlayerV3beta3447.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKLM-x32\...\Firefox\Extensions: [12x3q@3244516.com] - C:\Program Files (x86)\Better-Surf\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@VideoPlayerV3beta3447.net] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaPlayerV1alpha736.net] - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaWatchV1home1096.net] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff
FF HKLM-x32\...\Firefox\Extensions: [ext@MediaBuzzV1mode2671.net] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff
FF Extension: No Name - C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff [Not Found]
FF Extension: No Name - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff [Not Found]
CHR Extension: (Google Wallet) - C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
CHR HKLM-x32\...\Chrome\Extension: [dmeeegdkmolbdfnhhlpoemipngldgbkc] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ch\MediaWatchV1home1096.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hmlfpoilpabhfknlfojgfmhijpnjnbnl] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ch\MediaBuzzV1mode2671.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [kpbgeeklffkbbjeoeldnemcghkhliofm] - C:\ProgramData\SaveAs\kpbgeeklffkbbjeoeldnemcghkhliofm.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [lemniljaicohmbignpfjlklijengpjmi] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ch\VideoPlayerV3beta3447.crx [Not Found]
C:\Program Files (x86)\Better-Surf
C:\Program Files (x86)\VideoPlayerV3
C:\Program Files (x86)\MediaWatchV1
C:\Program Files (x86)\MediaBuzzV1
 
End
*****************
 
Processes closed successfully.
C:\windows\system32\GroupPolicy\Machine => Moved successfully.
C:\windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ffd1f0b-4f52-4175-86d6-cb0942a0e8fd}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{5ffd1f0b-4f52-4175-86d6-cb0942a0e8fd}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93011306-c8a8-4c13-a92f-e50c94e3234f}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{93011306-c8a8-4c13-a92f-e50c94e3234f}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4f8edd8-15c6-4d7f-a9d7-5b741bc841ef}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{c4f8edd8-15c6-4d7f-a9d7-5b741bc841ef}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7c95d98-20ad-40a6-b123-7c9bb133bbe8}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{f7c95d98-20ad-40a6-b123-7c9bb133bbe8}" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\12x3q@3244516.com => value deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ext@VideoPlayerV3beta3447.net => value deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ext@MediaPlayerV1alpha736.net => value deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ext@MediaWatchV1home1096.net => value deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ext@MediaBuzzV1mode2671.net => value deleted successfully.
C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ff not found.
C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta3447\ff not found.
C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha736\ff not found.
C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1096\ff not found.
C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode2671\ff not found.
C:\Users\Katy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dmeeegdkmolbdfnhhlpoemipngldgbkc" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hmlfpoilpabhfknlfojgfmhijpnjnbnl" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kpbgeeklffkbbjeoeldnemcghkhliofm" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lemniljaicohmbignpfjlklijengpjmi" => Key deleted successfully.
"C:\Program Files (x86)\Better-Surf" => File/Directory not found.
"C:\Program Files (x86)\VideoPlayerV3" => File/Directory not found.
"C:\Program Files (x86)\MediaWatchV1" => File/Directory not found.
"C:\Program Files (x86)\MediaBuzzV1" => File/Directory not found.
 
 
The system needed a reboot. 
 
==== End of Fixlog 20:18:04 ====
 
Checkup

 Results of screen317's Security Check version 0.99.95  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
McAfee Anti-Virus and Anti-Spyware   
AVG AntiVirus Free Edition 2015      
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 McAfee SiteAdvisor    
 AVG Web TuneUp   
  Java 64-bit 8 Update 31
 Adobe Reader XI  
 Google Chrome (39.0.2171.95) 
 Google Chrome (39.0.2171.99) 
````````Process Check: objlist.exe by Laurent````````
 AVG avgwdsvc.exe 
 Symantec Norton Online Backup NOBuAgent.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log``````````````````````
 
 

The Windows processes list is still showing loads of .exe *32 - what are they?
Attached file: Malware Screen Print no 2.png (519.94KB)



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,250 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 AM

Posted 23 January 2015 - 09:22 AM

Your security check log is clean.
 

The Windows processes list is still showing loads of .exe *32 - what are they

Nothing to worry about.

Chrome will start one of the .exe *32 for each extension running.
The operating system will create the others as and when required.

Do you have other issues with this computer?

Edited by nasdaq, 29 January 2015 - 10:48 AM.
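One way to check the point made in this reply on your own machine, as an added example that is not part of the thread and not a tool the helpers above use: the "*32" suffix in Task Manager marks 32-bit (WOW64) processes on 64-bit Windows, so the script below lists every such process together with its parent, the role Chrome gives it on the command line, and the Authenticode status of its image file. It assumes PowerShell 3.0 or later running as Administrator; the function names (Test-Wow64Process, Get-Wow64ProcessReport) are my own.

```powershell
# Added example, not from the thread: list every 32-bit (WOW64, shown as "*32" in
# Task Manager) process with its parent and the signature status of its image, so
# chrome.exe children can be told apart from anything else that is running.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Test-Wow64Process {
    # Returns $true for a 32-bit process on 64-bit Windows, $false for a native
    # 64-bit one, and $null when the process cannot be opened (protected/system).
    param([System.Diagnostics.Process]$Process)
    $isWow = $false
    try {
        if (-not [Win32.Native]::IsWow64Process($Process.Handle, [ref]$isWow)) { return $null }
    } catch { return $null }
    return $isWow
}

function Get-Wow64ProcessReport {
    # Build a PID -> Win32_Process map once so parents can be resolved by name.
    $byId = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byId[[int]$_.ProcessId] = $_ }

    foreach ($p in Get-Process) {
        if ((Test-Wow64Process -Process $p) -ne $true) { continue }
        $ci = $byId[$p.Id]          # may be $null if the process just exited
        $parentName = '<unknown>'
        if ($ci -and $byId.ContainsKey([int]$ci.ParentProcessId)) {
            $parentName = $byId[[int]$ci.ParentProcessId].Name
        }
        # Chrome tags each helper process with --type=<role> (renderer, gpu-process, ...).
        $role = ''
        if ($ci.CommandLine -match '--type=(\S+)') { $role = $Matches[1] }
        $sig = 'NoPath'
        if ($ci.ExecutablePath -and (Test-Path -LiteralPath $ci.ExecutablePath)) {
            $sig = (Get-AuthenticodeSignature -FilePath $ci.ExecutablePath).Status
        }
        [pscustomobject]@{
            Name      = $p.ProcessName
            PID       = $p.Id
            Parent    = $parentName
            Role      = $role
            Path      = $ci.ExecutablePath
            Signature = $sig   # Valid, NotSigned, HashMismatch, ...
        }
    }
}

# Anything whose parent is not chrome.exe, whose image is not validly signed, or
# whose path sits under Temp or AppData is the entry worth looking at more closely.
Get-Wow64ProcessReport | Sort-Object Parent, Name | Format-Table -AutoSize
```

Chrome's helper processes all show chrome.exe as the parent and a Chrome image path with a valid signature; that pattern is what the reply above describes as normal. A 32-bit process whose parent is explorer.exe or svchost.exe, whose image has no valid signature, or whose path is a temporary directory is the kind of entry to hand to the helper in a thread like this, rather than something to delete by hand.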


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,250 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 AM

Posted 29 January 2015 - 10:48 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,250 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 AM

Posted 03 February 2015 - 10:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



