PC Keeper, Trovi, Various AdWare, Possibly More?


  • This topic is locked
23 replies to this topic

#1 bpt

  • Members
  • 14 posts

Posted 28 January 2015 - 07:13 PM

First, the problem is not on my PC, I am helping a friend (yeah, that's what they all say, right?). I am posting from my own, going back and forth. It had tons of viruses, spyware, etc. I have used Avira, Malwarebytes, Superantispyware, and AdAware. It has cleared some things for good. Some it says it is clearing but they keep coming back and others have not been touched. PC Keeper and Trovi are on there for sure, I am not positive what else is. For example, Superantispyware says that it just found and cleared 133 things (mostly AdWare, I believe). But those were supposedly cleared already on a previous scan. I am able to get online with the machine but have tried to limit that since I am not sure exactly what is going on inside. Here is the FRST.txt, I'll try to attach the Addition below. I hope I have the format correct, I was not able to follow the instructions exactly since I am going between the machines with a flash drive. Thanks for your help.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by Jackie (administrator) on JACKIE-PC on 28-01-2015 13:46:26
Running from F:\
Loaded Profiles: Jackie &  (Available profiles: Jackie)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Dell, Inc.) C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Intel Corporation) C:\WINDOWS\System32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
() C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
() C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2055016 2011-04-29] ()
HKLM-x32\...\Run: [Dell Registration] => C:\Program Files (x86)\System Registration\prodreg.exe [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2014-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [885760 2011-04-29] ()
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2015-01-12] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-25] (SUPERAntiSpyware)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [GoogleChromeAutoLaunch_938968D9E8950B74533AE65B10B25023] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [PCKeeper2] => "C:\Program Files\Kromtech\PCKeeper\PCKeeper.exe" /autorun
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\RunOnce: [Application Restart #0] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-25] (SUPERAntiSpyware)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [GoogleChromeAutoLaunch_938968D9E8950B74533AE65B10B25023] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [PCKeeper2] => "C:\Program Files\Kromtech\PCKeeper\PCKeeper.exe" /autorun
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\RunOnce: [Application Restart #0] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR DefaultSearchKeyword: Default -> E6556F531E157B3675D26460E9E5D13D73CA8E29A178C3689B959EB25B6E64E4
CHR DefaultSearchURL: Default -> 3F8E258D62FBE1C0A32226537D7BDC24E55E51DF8E727F0539EF28CEC7E7354C
CHR Profile: C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Tetris Flash) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhhalmjbofkjcgefcaejjdicdddpkkk [2014-12-02]
CHR Extension: (cifFix) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclfgmgojdnckljehaliiiolimmhmoad [2014-11-30]
CHR Extension: (IP to Location) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgjnhglhidbpdjbabpaglmpfofcidnm [2014-11-08]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2015-01-12] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2015-01-12] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
S2 DellDigitalDelivery; c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [162816 2011-10-26] (Dell Products, LP.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /medsvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-09-24] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-09-24] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-09-24] (Avira Operations GmbH & Co. KG)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 13:45 - 2015-01-28 13:46 - 00000000 ____D () C:\FRST
2015-01-28 13:45 - 2015-01-28 13:45 - 00000600 _____ () C:\Users\Jackie\Desktop\FRST64.exe - Shortcut.lnk
2015-01-25 02:22 - 2015-01-25 02:22 - 00000000 __SHD () C:\Users\Jackie\AppData\Local\EmieBrowserModeList
2015-01-25 01:57 - 2015-01-25 01:58 - 00894184 _____ () C:\Users\Jackie\Downloads\install flashplayer15x32 15 0 1.exe
2015-01-25 01:44 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-25 01:44 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-25 01:44 - 2014-12-11 23:35 - 05553592 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-01-25 01:44 - 2014-12-11 23:31 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\system32\srcore.dll
2015-01-25 01:44 - 2014-12-11 23:31 - 00296960 _____ (Microsoft Corporation) C:\WINDOWS\system32\rstrui.exe
2015-01-25 01:44 - 2014-12-11 23:31 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\system32\srclient.dll
2015-01-25 01:44 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntkrnlpa.exe
2015-01-25 01:44 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntoskrnl.exe
2015-01-25 01:44 - 2014-12-11 23:07 - 00043008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\srclient.dll
2015-01-25 01:44 - 2014-12-11 11:47 - 00052736 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-25 01:44 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-25 01:44 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncsi.dll
2015-01-25 01:44 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll
2015-01-25 01:25 - 2015-01-25 01:29 - 00000000 ____D () C:\AdwCleaner
2015-01-25 01:11 - 2015-01-25 00:47 - 02194432 _____ () C:\Users\Jackie\Desktop\AdwCleaner.exe
2015-01-25 01:06 - 2015-01-25 01:06 - 00003528 ____N () C:\bootsqm.dat
2015-01-24 22:43 - 2015-01-24 23:22 - 00000000 ____D () C:\Users\Jackie\Desktop\mbam-chameleon-3.1.7.0
2015-01-24 16:07 - 2015-01-24 16:46 - 00000000 ____D () C:\SUPERDelete
2015-01-12 09:36 - 2014-12-12 23:09 - 00144384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieUnatt.exe
2015-01-12 09:36 - 2014-12-12 21:33 - 00115712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieUnatt.exe
2015-01-12 09:16 - 2015-01-12 09:16 - 00001135 _____ () C:\Users\Public\Desktop\Avira.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 13:43 - 2014-10-12 10:38 - 00000898 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 13:27 - 2014-10-02 17:07 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-28 13:07 - 2014-10-02 22:48 - 00000422 _____ () C:\WINDOWS\Tasks\SystemToolsDailyTest.job
2015-01-28 13:06 - 2014-10-14 20:51 - 00003488 _____ () C:\WINDOWS\System32\Tasks\PCDEventLauncher
2015-01-28 13:06 - 2014-10-02 22:48 - 00003452 _____ () C:\WINDOWS\System32\Tasks\SystemToolsDailyTest
2015-01-28 12:57 - 2014-12-11 21:09 - 00001686 _____ () C:\WINDOWS\Tasks\TYTLPZ.job
2015-01-28 12:57 - 2014-12-11 21:09 - 00001342 _____ () C:\WINDOWS\Tasks\WQRHCI.job
2015-01-28 12:57 - 2014-10-12 10:38 - 00000894 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 12:57 - 2012-01-19 18:37 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2015-01-28 12:57 - 2012-01-19 18:08 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2015-01-28 12:53 - 2009-07-13 22:45 - 00021296 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 12:53 - 2009-07-13 22:45 - 00021296 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 12:52 - 2012-01-19 19:46 - 01061147 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-28 12:47 - 2010-11-20 21:47 - 00511716 _____ () C:\WINDOWS\PFRO.log
2015-01-28 12:47 - 2009-07-13 23:08 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-28 12:47 - 2009-07-13 22:51 - 00035879 _____ () C:\WINDOWS\setupact.log
2015-01-25 02:41 - 2014-10-27 02:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-01-25 02:41 - 2014-10-27 02:04 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-01-25 02:41 - 2014-10-27 02:04 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-01-25 02:40 - 2014-10-02 15:08 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-25 02:39 - 2014-10-02 15:08 - 113365784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-25 02:04 - 2014-12-11 21:10 - 00000000 ____D () C:\Users\Jackie\AppData\Local\com
2015-01-25 01:49 - 2014-10-02 17:27 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-01-25 01:48 - 2012-01-19 18:04 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-01-25 01:46 - 2014-10-26 10:22 - 00002021 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-01-25 01:46 - 2012-01-19 18:22 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-01-24 23:04 - 2009-07-13 21:20 - 00000000 ____D () C:\WINDOWS\tracing
2015-01-24 22:44 - 2014-10-02 17:05 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-24 22:39 - 2009-07-13 23:13 - 00783424 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-24 17:21 - 2014-12-11 21:09 - 00000000 ____D () C:\Program Files (x86)\7ae0d2cf-36cb-49b9-84c9-aff437b4affc
2015-01-24 16:54 - 2014-11-30 17:46 - 00000000 ____D () C:\Program Files (x86)\BargainExpert
2015-01-24 16:51 - 2014-12-11 21:22 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2015-01-24 15:58 - 2012-01-19 18:26 - 00000000 ____D () C:\ProgramData\Sonic
2015-01-12 09:59 - 2009-07-13 21:20 - 00000000 ____D () C:\WINDOWS\rescache
2015-01-12 09:16 - 2014-10-02 16:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-01-12 09:16 - 2014-10-02 16:39 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-12 09:15 - 2014-10-02 16:40 - 00000000 ____D () C:\Program Files (x86)\Avira

==================== Files in the root of some directories =======

2014-09-03 15:36 - 2014-09-03 15:36 - 0001248 _____ () C:\Users\Jackie\AppData\Roaming\TYTLPZ
2014-10-26 12:01 - 2014-10-26 23:01 - 0000072 _____ () C:\Users\Jackie\AppData\Roaming\WB.CFG
2014-09-03 15:36 - 2014-09-03 15:36 - 0002086 _____ () C:\Users\Jackie\AppData\Roaming\WQRHCI

Some content of TEMP:
====================
C:\Users\Jackie\AppData\Local\Temp\avgnt.exe
C:\Users\Jackie\AppData\Local\Temp\ConsumerInputSetup.exe
C:\Users\Jackie\AppData\Local\Temp\DRHelper_installStart.exe
C:\Users\Jackie\AppData\Local\Temp\F97BE3D2-EB56-9BAC-A160-536E60C5081F.dll
C:\Users\Jackie\AppData\Local\Temp\installer0.exe
C:\Users\Jackie\AppData\Local\Temp\MSN6411.exe
C:\Users\Jackie\AppData\Local\Temp\Quarantine.exe
C:\Users\Jackie\AppData\Local\Temp\sqlite3.dll
C:\Users\Jackie\AppData\Local\Temp\vcredist_x64.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-30 09:44

==================== End Of Log ============================



#2 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 28 January 2015 - 08:00 PM

Hello bpt,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

1.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Attached File: fixlist.txt (7.52KB)


2.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!
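The fixlist step above is the whole game: the helper reads the FRST.txt from post #1, picks out the lines that describe persistence (Run values, a service with a missing binary, Chrome policy restrictions, scheduled tasks pointing into the user profile, randomly named files in AppData\Roaming) and pastes those lines, verbatim, into fixlist.txt for FRST to act on. The script below is an added example of that triage, written for this page; it is not FRST's code and not the helper's fixlist. The sample log is a constructed subset of lines copied from post #1, the KNOWN_PUP list is an assumption taken from what the helper chose to remove in this thread, and every other heuristic (no publisher string, `[X]` targets, 5-8 capital letters as a "random" name) is the author's own rule of thumb, not something FRST defines.

```python
"""Triage FRST log lines and draft a fixlist from them.

Added example for this thread; not FRST's own code and not the helper's
fixlist. Every heuristic below is an assumption about what deserves a look.
"""
import re
from typing import List, Optional, NamedTuple


class Finding(NamedTuple):
    line: str       # FRST log line, verbatim: a fixlist is made of such lines
    category: str   # run | service | policy | extension | task | file
    action: str     # "remove" -> goes into the draft fixlist; "review" -> human call
    reason: str


# Assumption: names the helper treated as unwanted in this thread.
KNOWN_PUP = ("pckeeper", "globalupdate", "bargainexpert", "trovi")

ATTENTION_RE = re.compile(r"<=+ ATTENTION\b")
RUN_RE = re.compile(r"^(?:HKLM|HKU)\S*\\Run(?:Once)?: \[(?P<name>[^\]]*)\] => (?P<target>.*)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<target>.*)$")
EXT_RE = re.compile(r"^CHR Extension: \((?P<name>[^)]*)\) - ")
# Heuristic: 5-8 capital letters and no extension, the shape of TYTLPZ / WQRHCI.
JOB_RE = re.compile(r"\\Tasks\\[A-Z]{5,8}\.job$")
ROAM_RE = re.compile(r"\\AppData\\Roaming\\[A-Z]{5,8}$")

# Constructed sample: a subset of lines copied from the FRST.txt in post #1.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [885760 2011-04-29] ()
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [PCKeeper2] => "C:\Program Files\Kromtech\PCKeeper\PCKeeper.exe" /autorun
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR Extension: (cifFix) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclfgmgojdnckljehaliiiolimmhmoad [2014-11-30]
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2015-01-12] (Avira Operations GmbH & Co. KG)
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /medsvc [X]
2015-01-28 12:57 - 2014-12-11 21:09 - 00001686 _____ () C:\WINDOWS\Tasks\TYTLPZ.job
2015-01-28 12:57 - 2014-10-12 10:38 - 00000894 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-03 15:36 - 2014-09-03 15:36 - 0001248 _____ () C:\Users\Jackie\AppData\Roaming\TYTLPZ
2014-10-26 12:01 - 2014-10-26 23:01 - 0000072 _____ () C:\Users\Jackie\AppData\Roaming\WB.CFG
"""


def _mentions_pup(text: str) -> bool:
    low = text.lower()
    return any(p in low for p in KNOWN_PUP)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.rstrip()
    if ATTENTION_RE.search(line):
        return Finding(line, "policy", "remove", "flagged by FRST itself")
    m = RUN_RE.match(line)
    if m:
        name, target = m.group("name"), m.group("target")
        if target == "[X]":
            return Finding(line, "run", "remove", "autostart value points at nothing")
        if _mentions_pup(name) or _mentions_pup(target):
            return Finding(line, "run", "remove", "known unwanted program")
        if target.endswith("()"):
            return Finding(line, "run", "review", "no publisher recorded for the autostart binary")
        return None
    m = SVC_RE.match(line)
    if m:
        target = m.group("target")
        if target.endswith("[X]") or _mentions_pup(target):
            return Finding(line, "service", "remove", "service binary missing or known unwanted")
        return None
    if EXT_RE.match(line):
        return Finding(line, "extension", "review", "browser extension: confirm it was installed on purpose")
    if JOB_RE.search(line):
        return Finding(line, "task", "remove", "scheduled task with a random-looking name")
    if ROAM_RE.search(line):
        return Finding(line, "file", "remove", "random-looking file in AppData\\Roaming")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def draft_fixlist(findings: List[Finding]) -> List[str]:
    """FRST takes the offending log lines verbatim as its fixlist."""
    return [f.line for f in findings if f.action == "remove"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.action:6} {f.category:9} {f.reason}\n       {f.line}")
    print("\n--- draft fixlist.txt (review by hand before pressing Fix) ---")
    print("\n".join(draft_fixlist(found)))
```

Run it and compare the draft with the fixlist the helper actually attached (it is echoed back at the top of the Fixlog in the next reply). The script narrows the log to a handful of lines and leaves the judgement calls (the unsigned Dell widget, the Chrome extension, WB.CFG and the Temp droppings the helper also swept up) marked for review rather than removal, which is the right division of labour: the helper's warning that a fixlist is written for one machine applies just as much to a generated one, and nothing here should be pasted into fixlist.txt without a person reading each line first.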


#3 bpt (Topic Starter)

  • Members
  • 14 posts

Posted 28 January 2015 - 10:05 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2015
Ran by Jackie at 2015-01-28 19:28:06 Run:1
Running from F:\
Loaded Profiles: Jackie &  (Available profiles: Jackie)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [PCKeeper2] => "C:\Program Files\Kromtech\PCKeeper\PCKeeper.exe" /autorun
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [PCKeeper2] => "C:\Program Files\Kromtech\PCKeeper\PCKeeper.exe" /autorun
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR DefaultSearchKeyword: Default -> E6556F531E157B3675D26460E9E5D13D73CA8E29A178C3689B959EB25B6E64E4
CHR DefaultSearchURL: Default -> 3F8E258D62FBE1C0A32226537D7BDC24E55E51DF8E727F0539EF28CEC7E7354C
CHR Extension: (cifFix) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclfgmgojdnckljehaliiiolimmhmoad [2014-11-30]
CHR Extension: (IP to Location) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgjnhglhidbpdjbabpaglmpfofcidnm [2014-11-08]
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /medsvc [X]
C:\Program Files (x86)\globalUpdate
2015-01-28 12:57 - 2014-12-11 21:09 - 00001686 _____ () C:\WINDOWS\Tasks\TYTLPZ.job
2015-01-28 12:57 - 2014-12-11 21:09 - 00001342 _____ () C:\WINDOWS\Tasks\WQRHCI.job
2014-09-03 15:36 - 2014-09-03 15:36 - 0001248 _____ () C:\Users\Jackie\AppData\Roaming\TYTLPZ
2014-10-26 12:01 - 2014-10-26 23:01 - 0000072 _____ () C:\Users\Jackie\AppData\Roaming\WB.CFG
2014-09-03 15:36 - 2014-09-03 15:36 - 0002086 _____ () C:\Users\Jackie\AppData\Roaming\WQRHCI
C:\Users\Jackie\AppData\Local\Temp\avgnt.exe
C:\Users\Jackie\AppData\Local\Temp\ConsumerInputSetup.exe
C:\Users\Jackie\AppData\Local\Temp\DRHelper_installStart.exe
C:\Users\Jackie\AppData\Local\Temp\F97BE3D2-EB56-9BAC-A160-536E60C5081F.dll
C:\Users\Jackie\AppData\Local\Temp\installer0.exe
C:\Users\Jackie\AppData\Local\Temp\MSN6411.exe
C:\Users\Jackie\AppData\Local\Temp\Quarantine.exe
C:\Users\Jackie\AppData\Local\Temp\sqlite3.dll
C:\Users\Jackie\AppData\Local\Temp\vcredist_x64.exe
Task: {C319EC30-B7A8-49D1-85FB-8847F453C6CE} - System32\Tasks\TYTLPZ => C:\Users\Jackie\AppData\Roaming\TYTLPZ.exe <==== ATTENTION
Task: {D6EEA391-E1B2-41AC-BE45-06BFB7E24EC6} - System32\Tasks\WQRHCI => C:\Users\Jackie\AppData\Roaming\WQRHCI.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\TYTLPZ.job => C:\Users\Jackie\AppData\Roaming\TYTLPZ.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\WQRHCI.job => C:\Users\Jackie\AppData\Roaming\WQRHCI.exe <==== ATTENTION
2015-01-24 16:54 - 2014-11-30 17:46 - 00000000 ____D () C:\Program Files (x86)\BargainExpert
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
*****************

HKU\S-1-5-21-2537109809-1876612646-327227902-1000\Software\Microsoft\Windows\CurrentVersion\Run\\PCKeeper2 => value deleted successfully.
HKU\S-1-5-21-2537109809-1876612646-327227902-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run\\PCKeeper2 => value deleted successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => Moved successfully.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Chrome DefaultSearchKeyword not detected.
Chrome DefaultSearchURL not detected.
C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclfgmgojdnckljehaliiiolimmhmoad => Moved successfully.
C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgjnhglhidbpdjbabpaglmpfofcidnm => Moved successfully.
globalUpdatem => Service deleted successfully.
"C:\Program Files (x86)\globalUpdate" => File/Directory not found.
C:\WINDOWS\Tasks\TYTLPZ.job => Moved successfully.
C:\WINDOWS\Tasks\WQRHCI.job => Moved successfully.
C:\Users\Jackie\AppData\Roaming\TYTLPZ => Moved successfully.
C:\Users\Jackie\AppData\Roaming\WB.CFG => Moved successfully.
C:\Users\Jackie\AppData\Roaming\WQRHCI => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\ConsumerInputSetup.exe => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\DRHelper_installStart.exe => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\F97BE3D2-EB56-9BAC-A160-536E60C5081F.dll => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\installer0.exe => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\MSN6411.exe => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Jackie\AppData\Local\Temp\vcredist_x64.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C319EC30-B7A8-49D1-85FB-8847F453C6CE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C319EC30-B7A8-49D1-85FB-8847F453C6CE}" => Key deleted successfully.
C:\Windows\System32\Tasks\TYTLPZ => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TYTLPZ" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D6EEA391-E1B2-41AC-BE45-06BFB7E24EC6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6EEA391-E1B2-41AC-BE45-06BFB7E24EC6}" => Key deleted successfully.
C:\Windows\System32\Tasks\WQRHCI => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WQRHCI" => Key deleted successfully.
C:\WINDOWS\Tasks\TYTLPZ.job not found.
C:\WINDOWS\Tasks\WQRHCI.job not found.
C:\Program Files (x86)\BargainExpert => Moved successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value deleted successfully.

The system needed a reboot.

==== End of Fixlog 19:28:07 ====



#4 bpt

bpt
  • Topic Starter
  • Members
  • 14 posts

Posted 28 January 2015 - 10:08 PM

Emsisoft Emergency Kit - Version 9.0
Last update: 1/28/2015 7:56:45 PM
User account: Jackie-PC\Jackie

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, Q:\, Y:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 1/28/2015 7:57:50 PM
C:\FRST\Quarantine\C\Users\Jackie\AppData\Roaming\TYTLPZ.xBAD -> background.js  detected: Trojan.Script.Agent.FA ( B)
C:\FRST\Quarantine\C\Users\Jackie\AppData\Roaming\WQRHCI.xBAD -> content/overlay.js  detected: Adware.JS.Mplug.A ( B)
C:\Program Files (x86)\7ae0d2cf-36cb-49b9-84c9-aff437b4affc\7073ba1c-b972-4adf-a71e-478901a9e4d2.dll  detected: Trojan.Generic.12442889 ( B)
C:\Program Files (x86)\Avira\7ae0d2cf-36cb-49b9-84c9-aff437b4affc.dll  detected: Trojan.Generic.12442889 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\0a07825a.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\0b6189dd.qua -> (Quarantine-8)  detected: Gen:Application.Heur.xz1@mmwk5jci ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\0c328c91.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1261e555.qua -> (Quarantine-8)  detected: Gen:Application.Heur.gqX@lm8joahi ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1433d1c2.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Crossrider.2 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\14f28ae4.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1a829187.qua -> (Quarantine-8)  detected: Gen:Variant.Application.Symmi.49897 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1b71f6f6.qua -> (Quarantine-8)  detected: Gen:Application.Heur.6v1@m8u0sskO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1c3bf04f.qua -> (Quarantine-8)  detected: Gen:Application.Heur.Ky9@mGOUKKai ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\20f09ef8.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Jatif.78 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\2b69b5b2.qua -> (Quarantine-8)  detected: Adware.Generic.1089445 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\2ef5f14d.qua -> (Quarantine-8)  detected: Gen:Application.Heur.tv1@m8!v9OhO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\2fbbfac7.qua -> (Quarantine-8)  detected: Gen:Variant.Strictor.75749 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\32f5a835.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Crossrider.2 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\348da540.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Graftor.163183 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\38c297f4.qua -> (Quarantine-8)  detected: Gen:Application.Heur.tv1@m8!v9OhO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\3f6dd92f.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Crossrider.2 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\42a7dd74.qua -> (Quarantine-8)  detected: Gen:Application.Heur.6v1@m8u0sskO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\441eefb8.qua -> (Quarantine-8)  detected: Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\45ee6945.qua -> (Quarantine-8)  detected: Gen:Application.Heur.uu1@m4fknldO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\47d9a594.qua -> (Quarantine-8)  detected: Gen:Application.Heur.gv1@mGzl2WhO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4841a478.qua -> (Quarantine-8)  detected: Gen:Variant.Application.Bundler.25 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\48cda130.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Graftor.163183 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\48e4cb7f.qua -> (Quarantine-8)  detected: Gen:Variant.Zusy.120872 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\492eac1d.qua -> (Quarantine-8)  detected: Adware.Generic.1102668 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4a6ca972.qua -> (Quarantine-8)  detected: Adware.Crossrider.CP ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4e7baaa3.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\50658077.qua -> (Quarantine-8)  detected: Gen:Application.Heur.9u1@myEAAaaO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5077e4e4.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Graftor.169592 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\50828247.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\50988b20.qua -> (Quarantine-8)  detected: Adware.Generic.1084622 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\51138bd6.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Mplug.26 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\512f8b68.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\515ab7be.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Graftor.163183 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\51fcf3a9.qua -> (Quarantine-8)  detected: Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\52f686db.qua -> (Quarantine-8)  detected: Gen:Variant.Adware.Jatif.78 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\531a0961.qua -> (Quarantine-8) -> (NSIS o) -> zlib_nsis0006 -> (NSIS o) -> zlib_nsis0003  detected: Trojan.Generic.12378749 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\531c0d92.qua -> (Quarantine-8)  detected: Gen:Variant.Zusy.120679 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\56680c1a.qua -> (Quarantine-8)  detected: Gen:Variant.Application.Bundler.35 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\56ec853c.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\57a18ec4.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5be4e6fc.qua -> (Quarantine-8)  detected: Application.Generic.977971 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5d76e401.qua -> (Quarantine-8)  detected: Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5fc1c361.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\6bd3dde7.qua -> (Quarantine-8)  detected: Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\702ccccc.qua -> (Quarantine-8)  detected: Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\7779c98c.qua -> (Quarantine-8)  detected: Gen:Application.Heur.9u1@myEAAaaO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\7cb5d5c5.qua -> (Quarantine-8)  detected: Gen:Variant.Application.Symmi.49897 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\7d46b935.qua -> (Quarantine-8)  detected: Gen:Application.Heur.6v1@m8u0sskO ( B)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FF0JLEA\FastPlayerSetup[1].exe  detected: Adware.Win32.Agent (A)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FF0JLEA\spstub[1].exe  detected: Application.BrowserExt (A)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\BlockAndSurf_2222-5510[1].exe  detected: Dropped:Application.Generic.1099588 ( B)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\PCTechHotlineSetup[1].exe -> (Instyler o) -> (Instyler Module 0) -> (Embedded EXE 2o)  detected: Application.Generic.1062746 ( B)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\PCTechHotlineSetup[1].exe -> (Instyler o) -> (Instyler Module 0) -> (Embedded EXE 6o)  detected: Application.Generic.1062281 ( B)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\SPSetup[1].exe  detected: Application.Win32.SProtect (A)
C:\Users\Jackie\AppData\Local\Temp\is765589038\1E306536_stp\aff_setup.exe  detected: Application.Win32.PCBackOpt (A)
C:\Users\Jackie\AppData\Local\Temp\is765589038\542330E9_stp\termtutor-setup-1.9.0.8.exe  detected: Adware.Vitruvian.B ( B)
C:\Users\Jackie\Downloads\install flashplayer15x32 15 0 1.exe  detected: Gen:Variant.Adware.Graftor.173083 ( B)

Scanned 179729
Found 62

Scan end: 1/28/2015 8:28:43 PM
Scan time: 0:30:53

C:\Users\Jackie\Downloads\install flashplayer15x32 15 0 1.exe Quarantined Gen:Variant.Adware.Graftor.173083 ( B)
C:\Users\Jackie\AppData\Local\Temp\is765589038\542330E9_stp\termtutor-setup-1.9.0.8.exe Quarantined Adware.Vitruvian.B ( B)
C:\Users\Jackie\AppData\Local\Temp\is765589038\1E306536_stp\aff_setup.exe Quarantined Application.Win32.PCBackOpt (A)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\SPSetup[1].exe Quarantined Application.Win32.SProtect (A)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\PCTechHotlineSetup[1].exe Quarantined Application.Generic.1062281 ( B)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8V06DR7D\BlockAndSurf_2222-5510[1].exe Quarantined Dropped:Application.Generic.1099588 ( B)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FF0JLEA\spstub[1].exe Quarantined Application.BrowserExt (A)
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FF0JLEA\FastPlayerSetup[1].exe Quarantined Adware.Win32.Agent (A)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\7d46b935.qua Quarantined Gen:Application.Heur.6v1@m8u0sskO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\7cb5d5c5.qua Quarantined Gen:Variant.Application.Symmi.49897 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\7779c98c.qua Quarantined Gen:Application.Heur.9u1@myEAAaaO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\702ccccc.qua Quarantined Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\6bd3dde7.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5fc1c361.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5d76e401.qua Quarantined Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5be4e6fc.qua Quarantined Application.Generic.977971 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\57a18ec4.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\56ec853c.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\56680c1a.qua Quarantined Gen:Variant.Application.Bundler.35 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\531c0d92.qua Quarantined Gen:Variant.Zusy.120679 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\531a0961.qua Quarantined Trojan.Generic.12378749 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\52f686db.qua Quarantined Gen:Variant.Adware.Jatif.78 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\51fcf3a9.qua Quarantined Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\515ab7be.qua Quarantined Gen:Variant.Adware.Graftor.163183 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\512f8b68.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\51138bd6.qua Quarantined Gen:Variant.Adware.Mplug.26 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\50988b20.qua Quarantined Adware.Generic.1084622 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\50828247.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5077e4e4.qua Quarantined Gen:Variant.Adware.Graftor.169592 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\50658077.qua Quarantined Gen:Application.Heur.9u1@myEAAaaO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4e7baaa3.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4a6ca972.qua Quarantined Adware.Crossrider.CP ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\492eac1d.qua Quarantined Adware.Generic.1102668 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\48e4cb7f.qua Quarantined Gen:Variant.Zusy.120872 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\48cda130.qua Quarantined Gen:Variant.Adware.Graftor.163183 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4841a478.qua Quarantined Gen:Variant.Application.Bundler.25 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\47d9a594.qua Quarantined Gen:Application.Heur.gv1@mGzl2WhO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\45ee6945.qua Quarantined Gen:Application.Heur.uu1@m4fknldO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\441eefb8.qua Quarantined Trojan.Generic.12383498 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\42a7dd74.qua Quarantined Gen:Application.Heur.6v1@m8u0sskO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\3f6dd92f.qua Quarantined Gen:Variant.Adware.Crossrider.2 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\38c297f4.qua Quarantined Gen:Application.Heur.tv1@m8!v9OhO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\348da540.qua Quarantined Gen:Variant.Adware.Graftor.163183 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\32f5a835.qua Quarantined Gen:Variant.Adware.Crossrider.2 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\2fbbfac7.qua Quarantined Gen:Variant.Strictor.75749 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\2ef5f14d.qua Quarantined Gen:Application.Heur.tv1@m8!v9OhO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\2b69b5b2.qua Quarantined Adware.Generic.1089445 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\20f09ef8.qua Quarantined Gen:Variant.Adware.Jatif.78 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1c3bf04f.qua Quarantined Gen:Application.Heur.Ky9@mGOUKKai ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1b71f6f6.qua Quarantined Gen:Application.Heur.6v1@m8u0sskO ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1a829187.qua Quarantined Gen:Variant.Application.Symmi.49897 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\14f28ae4.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1433d1c2.qua Quarantined Gen:Variant.Adware.Crossrider.2 ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\1261e555.qua Quarantined Gen:Application.Heur.gqX@lm8joahi ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\0c328c91.qua Quarantined Adware.Eorezo.BZ ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\0b6189dd.qua Quarantined Gen:Application.Heur.xz1@mmwk5jci ( B)
C:\ProgramData\Avira\AntiVir Desktop\INFECTED\0a07825a.qua Quarantined Adware.Eorezo.BZ ( B)
C:\Program Files (x86)\Avira\7ae0d2cf-36cb-49b9-84c9-aff437b4affc.dll Quarantined Trojan.Generic.12442889 ( B)
C:\Program Files (x86)\7ae0d2cf-36cb-49b9-84c9-aff437b4affc\7073ba1c-b972-4adf-a71e-478901a9e4d2.dll Quarantined Trojan.Generic.12442889 ( B)
C:\FRST\Quarantine\C\Users\Jackie\AppData\Roaming\WQRHCI.xBAD Quarantined Adware.JS.Mplug.A ( B)
C:\FRST\Quarantine\C\Users\Jackie\AppData\Roaming\TYTLPZ.xBAD Quarantined Trojan.Script.Agent.FA ( B)

Quarantined 61



#5 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Location:Greenup, Ill USA

Posted 28 January 2015 - 10:08 PM

Please run FRST as you did when you first ran it and post the FRST.txt.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 bpt

bpt
  • Topic Starter
  • Members
  • 14 posts

Posted 28 January 2015 - 10:10 PM

Just FYI - The Emsisoft report was filled with emoticons when printed out which the forum would not allow me to post.  I disabled emoticons and was then able to post what shows above.  Hopefully that doesn't change anything but wanted to let you know, just in case.  If something is wrong and you need the original, let me know.



#7 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Location:Greenup, Ill USA

Posted 28 January 2015 - 10:11 PM

Please run FRST as you did when you first ran it and post the FRST.txt.



#8 bpt

bpt
  • Topic Starter
  • Members
  • 14 posts

Posted 28 January 2015 - 10:17 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by Jackie (administrator) on JACKIE-PC on 28-01-2015 21:13:28
Running from F:\
Loaded Profiles: Jackie (Available profiles: Jackie)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Dell, Inc.) C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Intel Corporation) C:\WINDOWS\System32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
() C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Emsisoft GmbH) C:\EEK\bin\a2emergencykit.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\notepad.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2055016 2011-04-29] ()
HKLM-x32\...\Run: [Dell Registration] => C:\Program Files (x86)\System Registration\prodreg.exe [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2014-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [885760 2011-04-29] ()
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2015-01-12] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-25] (SUPERAntiSpyware)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\Run: [GoogleChromeAutoLaunch_938968D9E8950B74533AE65B10B25023] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
HKU\S-1-5-21-2537109809-1876612646-327227902-1000\...\RunOnce: [Application Restart #0] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2537109809-1876612646-327227902-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR DefaultSearchKeyword: Default -> E6556F531E157B3675D26460E9E5D13D73CA8E29A178C3689B959EB25B6E64E4
CHR DefaultSearchURL: Default -> 3F8E258D62FBE1C0A32226537D7BDC24E55E51DF8E727F0539EF28CEC7E7354C
CHR Profile: C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Tetris Flash) - C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhhalmjbofkjcgefcaejjdicdddpkkk [2014-12-02]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2015-01-12] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2015-01-12] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
S2 DellDigitalDelivery; c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [162816 2011-10-26] (Dell Products, LP.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 A2DDA; C:\EEK\BIN\a2ddax64.sys [26176 2015-01-29] (Emsisoft GmbH)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-09-24] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-09-24] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-09-24] (Avira Operations GmbH & Co. KG)
R3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2015-01-29] (Emsisoft GmbH)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 19:55 - 2015-01-28 19:56 - 00000000 ____D () C:\EEK
2015-01-28 19:55 - 2015-01-28 19:55 - 00000745 _____ () C:\Users\Jackie\Desktop\Start Emsisoft Emergency Kit.lnk
2015-01-28 19:54 - 2015-01-28 19:54 - 00000333 _____ () C:\Users\Jackie\Desktop\EmsisoftEmergencyKit.exe - Shortcut.lnk
2015-01-28 19:27 - 2015-01-28 19:25 - 00007698 _____ () C:\Users\Jackie\Desktop\fixlist.txt
2015-01-28 13:57 - 2015-01-28 14:01 - 00000000 ____D () C:\Users\Jackie\Desktop\FRSTScans
2015-01-28 13:45 - 2015-01-28 21:13 - 00000000 ____D () C:\FRST
2015-01-28 13:45 - 2015-01-28 13:45 - 00000600 _____ () C:\Users\Jackie\Desktop\FRST64.exe - Shortcut.lnk
2015-01-25 02:22 - 2015-01-25 02:22 - 00000000 __SHD () C:\Users\Jackie\AppData\Local\EmieBrowserModeList
2015-01-25 01:44 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-25 01:44 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-25 01:44 - 2014-12-11 23:35 - 05553592 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-01-25 01:44 - 2014-12-11 23:31 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\system32\srcore.dll
2015-01-25 01:44 - 2014-12-11 23:31 - 00296960 _____ (Microsoft Corporation) C:\WINDOWS\system32\rstrui.exe
2015-01-25 01:44 - 2014-12-11 23:31 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\system32\srclient.dll
2015-01-25 01:44 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntkrnlpa.exe
2015-01-25 01:44 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntoskrnl.exe
2015-01-25 01:44 - 2014-12-11 23:07 - 00043008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\srclient.dll
2015-01-25 01:44 - 2014-12-11 11:47 - 00052736 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-25 01:44 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-25 01:44 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncsi.dll
2015-01-25 01:44 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll
2015-01-25 01:25 - 2015-01-25 01:29 - 00000000 ____D () C:\AdwCleaner
2015-01-25 01:11 - 2015-01-25 00:47 - 02194432 _____ () C:\Users\Jackie\Desktop\AdwCleaner.exe
2015-01-24 22:43 - 2015-01-24 23:22 - 00000000 ____D () C:\Users\Jackie\Desktop\mbam-chameleon-3.1.7.0
2015-01-24 16:07 - 2015-01-24 16:46 - 00000000 ____D () C:\SUPERDelete
2015-01-12 09:36 - 2014-12-12 23:09 - 00144384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieUnatt.exe
2015-01-12 09:36 - 2014-12-12 21:33 - 00115712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieUnatt.exe
2015-01-12 09:16 - 2015-01-12 09:16 - 00001135 _____ () C:\Users\Public\Desktop\Avira.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 20:59 - 2014-12-11 21:09 - 00000000 ____D () C:\Program Files (x86)\7ae0d2cf-36cb-49b9-84c9-aff437b4affc
2015-01-28 20:59 - 2014-10-02 16:40 - 00000000 ____D () C:\Program Files (x86)\Avira
2015-01-28 20:44 - 2014-10-12 10:38 - 00000898 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 19:59 - 2012-01-19 19:46 - 01093698 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-28 19:36 - 2009-07-13 22:45 - 00021296 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 19:36 - 2009-07-13 22:45 - 00021296 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 19:32 - 2012-01-19 18:08 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2015-01-28 19:30 - 2014-10-12 10:38 - 00000894 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 19:30 - 2012-01-19 18:37 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2015-01-28 19:29 - 2014-12-11 21:22 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2015-01-28 19:29 - 2010-11-20 21:47 - 00512070 _____ () C:\WINDOWS\PFRO.log
2015-01-28 19:29 - 2009-07-13 23:08 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-28 19:29 - 2009-07-13 22:51 - 00035935 _____ () C:\WINDOWS\setupact.log
2015-01-28 19:28 - 2009-07-13 21:20 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2015-01-28 13:27 - 2014-10-02 17:07 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-28 13:07 - 2014-10-02 22:48 - 00000422 _____ () C:\WINDOWS\Tasks\SystemToolsDailyTest.job
2015-01-28 13:06 - 2014-10-14 20:51 - 00003488 _____ () C:\WINDOWS\System32\Tasks\PCDEventLauncher
2015-01-28 13:06 - 2014-10-02 22:48 - 00003452 _____ () C:\WINDOWS\System32\Tasks\SystemToolsDailyTest
2015-01-25 02:41 - 2014-10-27 02:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-01-25 02:41 - 2014-10-27 02:04 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-01-25 02:41 - 2014-10-27 02:04 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-01-25 02:40 - 2014-10-02 15:08 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-25 02:39 - 2014-10-02 15:08 - 113365784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-25 02:04 - 2014-12-11 21:10 - 00000000 ____D () C:\Users\Jackie\AppData\Local\com
2015-01-25 01:49 - 2014-10-02 17:27 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-01-25 01:48 - 2012-01-19 18:04 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-01-25 01:46 - 2014-10-26 10:22 - 00002021 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-01-25 01:46 - 2012-01-19 18:22 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-01-24 23:04 - 2009-07-13 21:20 - 00000000 ____D () C:\WINDOWS\tracing
2015-01-24 22:44 - 2014-10-02 17:05 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-24 22:39 - 2009-07-13 23:13 - 00783424 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-24 15:58 - 2012-01-19 18:26 - 00000000 ____D () C:\ProgramData\Sonic
2015-01-12 09:59 - 2009-07-13 21:20 - 00000000 ____D () C:\WINDOWS\rescache
2015-01-12 09:16 - 2014-10-02 16:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-01-12 09:16 - 2014-10-02 16:39 - 00000000 ____D () C:\ProgramData\Package Cache

Some content of TEMP:
====================
C:\Users\Jackie\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-28 14:34

==================== End Of Log ============================



#9 fireman4it (Bleepin' Fireman, Malware Response Team; Greenup, Ill USA)

Posted 28 January 2015 - 10:32 PM

How is the machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 bpt (Topic Starter)

Posted 28 January 2015 - 10:35 PM

I have not tried to run it, was waiting on your reply.  Is it clear already?



#11 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 28 January 2015 - 10:37 PM

Please run it and see what it does?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 bpt (Topic Starter)

Posted 28 January 2015 - 10:53 PM

I was able to access the net, get on Google, tried a few websites.  So far, no pop-ups.  Since it's not my computer I'm not sure about everything it was doing before.  But the lack of PC Keeper taking over the browser is an obvious one that is gone.

 

Any suggestions of anything else to look at or test to make sure it's clear?



#13 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 28 January 2015 - 11:09 PM

1.

Download and run Junkware Removal Tool. ***Your antivirus may see this download as malicious; don't worry, continue on.

Please download Junkware Removal Tool to your desktop.

 

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator". The tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply.

 

 

2.

ESET Online Scanner:

IMPORTANT: You MUST use Internet Explorer for this step!

  • Visit the ESET Online Scanner Web Page.
  • Select the blue Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use and click Start.
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings.
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked.
  • Click Start. (This scan can take several hours, so please be patient.)
  • Once the scan is completed, select List of found threats.
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop.
  • Click the Back button.
  • Click the Finish button.
  • Use Notepad to open the saved log file (on your Desktop- ESET.txt).
  • Copy and paste that log as a reply to this topic.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 bpt (Topic Starter)

Posted 28 January 2015 - 11:27 PM

Here is the JRT.txt.  ESET Scanner is running now.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Home Premium x64
Ran by Jackie on Wed 01/28/2015 at 22:15:37.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\pcdr"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 01/28/2015 at 22:17:51.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#15 bpt (Topic Starter)

Posted 28 January 2015 - 11:58 PM

C:\AdwCleaner\Quarantine\C\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\inhmgggekmngjhimjkbeddlklpnhfoih\4.33\D4kt.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\inhmgggekmngjhimjkbeddlklpnhfoih\4.33\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclfgmgojdnckljehaliiiolimmhmoad\131\J.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclfgmgojdnckljehaliiiolimmhmoad\131\lsdb.js JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgjnhglhidbpdjbabpaglmpfofcidnm\112\ik38bfJUAp.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgjnhglhidbpdjbabpaglmpfofcidnm\112\lsdb.js JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Jackie\AppData\Local\Temp\ConsumerInputSetup.exe.xBAD Win32/Compete.A potentially unwanted application deleted - quarantined
C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhhalmjbofkjcgefcaejjdicdddpkkk\236\content.js JS/Chromex.Agent.L trojan cleaned by deleting - quarantined
C:\Users\Jackie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhhalmjbofkjcgefcaejjdicdddpkkk\236\zkp.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FF0JLEA\VOPackage[1].exe Win32/VOPackage.AZ potentially unwanted application deleted - quarantined
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AEH2P70W\ConsumerInputSetup[1].gpp Win32/Compete.A potentially unwanted application deleted - quarantined
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AEH2P70W\WinCheckSetup[1].exe a variant of Win32/Adware.ConvertAd.L application cleaned by deleting - quarantined
C:\Users\Jackie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PHTFVWBK\SPDetector[1].exe a variant of Win32/ClientConnect.A potentially unwanted application deleted - quarantined
C:\Users\Jackie\AppData\Local\Temp\nsb114B.tmp a variant of Win32/Adware.ConvertAd.L application cleaned by deleting - quarantined
C:\Users\Jackie\AppData\Local\Temp\6C6tmp\vopackage.exe Win32/VOPackage.AZ potentially unwanted application deleted - quarantined
C:\Users\Jackie\AppData\Local\Temp\is765589038\5C607226_stp\OptimizerPro.exe a variant of Win32/OptimizerEliteMax.C potentially unwanted application deleted - quarantined
 





