
Black screen with pointer after login


  • This topic is locked
10 replies to this topic

#1 POKEGAMERZ

  • Members
  • 227 posts

Posted 02 February 2015 - 03:35 PM

When I log into my Windows 7 desktop I get a black screen with a pointer, while safe mode works well. Also, I used Norton and it detected the SAPE.Browsefox and SAPE.Yontoo viruses; I got rid of them, but it still does its nonsense. Also, this is a continuation of a previous topic I posted, which is right here: http://www.bleepingcomputer.com/forums/t/565340/black-screen-after-login/


#2 POKEGAMERZ

  • Topic Starter
  • Members
  • 227 posts

Posted 02 February 2015 - 06:08 PM

These are the notepad files.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by POKEGAMERZ (administrator) on POKEGAMERZ-PC on 02-02-2015 16:21:20
Running from C:\Users\POKEGAMERZ\Downloads
Loaded Profiles: POKEGAMERZ (Available profiles: POKEGAMERZ & UpdatusUser & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Vosteran)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)



==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7575256 2014-05-12] (Realtek Semiconductor)
HKLM\...\Run: [MBCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\MBCfg64.dll,RunDLLEntry MBCfg64
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-03-05] (Intel Corporation)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Super Charger] => C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe [1047536 2014-04-08] (MSI)
HKLM-x32\...\Run: [Sound Blaster Cinema] => C:\Program Files (x86)\Creative\Sound Blaster Cinema\Sound Blaster Cinema\SBCinema.exe [711680 2013-08-16] (Creative Technology Ltd)
HKLM-x32\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\POKEGA~1\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-11-29] (Google Inc.)
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Run: [GoogleChromeAutoLaunch_5529CBA07810AAB77CC979E44714CD6D] => C:\Users\POKEGAMERZ\AppData\Local\Vosteran\Application\vosteran.exe [1014272 2015-01-24] ()
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\POKEGA~1\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
AppInit_DLLs-x32: C:/PROGRA~3/{F3011~1/191~1.1/sale.dll => C:/PROGRA~3/{F3011~1/191~1.1/sale.dll [964608 2015-02-01] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://vosteran.com/?f=1&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKU\S-1-5-21-2345377856-4029987742-2774889007-1000 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKU\S-1-5-21-2345377856-4029987742-2774889007-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO-x32: Solution Real 1.0.0.7 -> {1bb456da-878f-44a5-b013-4bfe0ae02fce} -> C:\Program Files (x86)\Solution Real\SolutionRealbho.dll (Solution Real)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF [2014-11-30]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn [2015-02-02]

Chrome:
=======
CHR Profile: C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-29]
CHR Extension: (Google Drive) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-29]
CHR Extension: (YouTube) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-29]
CHR Extension: (Google Search) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-29]
CHR Extension: (Norton Security Toolbar) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2014-11-29]
CHR Extension: (Google Wallet) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-29]
CHR Extension: (Gmail) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-29]
CHR Extension: (Solution Real) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpbdjpnfoddiffejmciilgkphacgoeb [2015-02-02]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-11-30]
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-11-30]
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
StartMenuInternet: Google Chrome - chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-04-03] (Intel Corporation)
S2 MSI_SuperCharger; C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe [162800 2014-03-17] (MSI)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
S2 Update Solution Real; C:\Program Files (x86)\Solution Real\updateSolutionReal.exe [681712 2015-02-02] ()
S2 Util Solution Real; C:\Program Files (x86)\Solution Real\bin\utilSolutionReal.exe [681712 2015-02-02] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20150106.001\BHDrvx64.sys [1622744 2015-01-06] (Symantec Corporation)
S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1506000.020\ccSetx64.sys [162392 2013-09-25] (Symantec Corporation)
S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-12-11] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-12-11] (Symantec Corporation)
S3 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20150123.001\IDSvia64.sys [668888 2015-01-13] (Symantec Corporation)
R3 Linksys_adapter_H; C:\Windows\System32\DRIVERS\AE2500w764.sys [1254464 2011-03-28] (Broadcom Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-04-03] (Intel Corporation)
S3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20150125.032\ENG64.SYS [129752 2015-01-20] (Symantec Corporation)
S3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20150125.032\EX64.SYS [2137304 2015-01-20] (Symantec Corporation)
S3 NTIOLib_1_0_3; C:\Program Files (x86)\MSI\Super Charger\NTIOLib_X64.sys [13368 2012-10-25] (MSI)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
S3 SRTSPX; C:\Windows\system32\drivers\NISx64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
S3 SymDS; C:\Windows\system32\drivers\NISx64\1506000.020\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
S3 SymEFA; C:\Windows\system32\drivers\NISx64\1506000.020\SYMEFA64.SYS [1148120 2014-08-25] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-11-29] (Symantec Corporation)
S3 SymIRON; C:\Windows\system32\drivers\NISx64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
S3 SymNetS; C:\Windows\System32\Drivers\NISx64\1506000.020\SYMNETS.SYS [593112 2014-08-25] (Symantec Corporation)
R1 {df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64; C:\Windows\System32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64.sys [48784 2015-02-01] (StdLib)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-02 16:21 - 2015-02-02 16:21 - 00015305 _____ () C:\Users\POKEGAMERZ\Downloads\FRST.txt
2015-02-02 16:20 - 2015-02-02 16:21 - 00000000 ____D () C:\FRST
2015-02-02 16:18 - 2015-02-02 16:18 - 02131456 _____ (Farbar) C:\Users\POKEGAMERZ\Downloads\FRST64.exe
2015-02-02 15:58 - 2012-03-01 01:46 - 00023408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fs_rec.sys
2015-02-02 15:58 - 2012-03-01 01:38 - 00220672 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-02 15:58 - 2012-03-01 01:33 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2015-02-02 15:58 - 2012-03-01 01:28 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\wmi.dll
2015-02-02 15:58 - 2012-03-01 00:37 - 00172544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-02 15:58 - 2012-03-01 00:33 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2015-02-02 15:58 - 2012-03-01 00:29 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2015-02-02 15:57 - 2014-06-30 17:24 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2015-02-02 15:57 - 2014-06-30 17:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2015-02-02 15:57 - 2014-06-06 01:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2015-02-02 15:57 - 2014-06-06 01:12 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2015-02-02 15:57 - 2014-03-09 16:48 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2015-02-02 15:57 - 2014-03-09 16:48 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2015-02-02 15:57 - 2014-03-09 16:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2015-02-02 15:57 - 2014-03-09 16:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll
2015-02-02 14:10 - 2015-02-02 14:10 - 00000000 ____D () C:\Users\POKEGAMERZ\AppData\Local\NPE
2015-02-02 13:45 - 2015-02-02 13:45 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\POKEGAMERZ\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-02 13:45 - 2015-02-02 13:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-02 13:26 - 2015-02-02 15:21 - 00006501 _____ () C:\Users\POKEGAMERZ\Downloads\Result.txt
2015-02-02 13:25 - 2015-02-02 13:25 - 00401920 _____ (Farbar) C:\Users\POKEGAMERZ\Downloads\MiniToolBox.exe
2015-02-02 12:59 - 2012-02-17 01:38 - 01031680 _____ (Microsoft Corporation) C:\Windows\system32\rdpcore.dll
2015-02-02 12:59 - 2012-02-17 00:34 - 00826880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2015-02-02 12:59 - 2012-02-16 23:58 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2015-02-02 12:59 - 2012-02-16 23:57 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdtcp.sys
2015-02-02 12:54 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-02-02 12:54 - 2014-05-14 11:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-02-02 12:54 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-02-02 12:54 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-02-02 12:54 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-02-02 12:54 - 2014-05-14 11:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-02-02 12:54 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-02-02 12:54 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-02-02 12:54 - 2014-05-14 11:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-02-02 12:54 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-02-02 12:54 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-02-02 12:54 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-02-02 12:54 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-02-02 12:54 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-02-02 11:59 - 2015-02-02 12:00 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2015-02-02 11:59 - 2015-02-02 11:59 - 00057560 _____ () C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-02 11:59 - 2015-02-02 11:59 - 00001443 _____ () C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-02-02 11:59 - 2015-02-02 11:59 - 00001409 _____ () C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-02-02 11:59 - 2015-02-02 11:59 - 00000020 ___SH () C:\Users\Guest\ntuser.ini
2015-02-02 11:59 - 2015-02-02 11:59 - 00000000 ____D () C:\Users\Guest\AppData\Local\VirtualStore
2015-02-02 11:59 - 2015-02-02 11:59 - 00000000 ____D () C:\Users\Guest
2015-02-02 11:59 - 2009-07-13 23:54 - 00000000 ___RD () C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-02 11:59 - 2009-07-13 23:49 - 00000000 ___RD () C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-02-02 11:12 - 2015-02-02 11:59 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2015-02-01 17:37 - 2015-02-01 17:37 - 00000000 ____D () C:\Users\POKEGAMERZ\VirtualBox VMs
2015-02-01 17:34 - 2015-02-02 11:11 - 00000000 ____D () C:\Users\POKEGAMERZ\.VirtualBox
2015-02-01 17:34 - 2015-02-01 08:29 - 00048784 _____ (StdLib) C:\Windows\system32\Drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64.sys
2015-02-01 17:34 - 2014-09-09 17:29 - 00910920 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxDrv.sys
2015-02-01 17:30 - 2015-02-01 17:34 - 1162936320 _____ () C:\Users\POKEGAMERZ\Downloads\ubuntu-14.10-desktop-amd64.iso
2015-02-01 17:30 - 2015-02-01 17:30 - 00002256 _____ () C:\Users\POKEGAMERZ\Desktop\Vosteran.lnk
2015-02-01 17:30 - 2015-02-01 17:30 - 00000000 ____D () C:\Users\POKEGAMERZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Vosteran
2015-02-01 17:30 - 2015-02-01 17:30 - 00000000 ____D () C:\Users\POKEGAMERZ\AppData\Local\Vosteran
2015-02-01 17:28 - 2015-02-01 17:28 - 110671648 _____ (Oracle Corporation) C:\Users\POKEGAMERZ\Downloads\virtualbox-4.3.16 [1].exe
2015-02-01 17:27 - 2015-02-02 16:07 - 00000000 ____D () C:\Program Files (x86)\Solution Real
2015-02-01 17:27 - 2015-02-01 22:27 - 00000308 _____ () C:\Windows\Tasks\WSE_Vosteran.job
2015-02-01 17:27 - 2015-02-01 17:30 - 00000000 ____D () C:\Users\POKEGAMERZ\AppData\Local\935257
2015-02-01 17:27 - 2015-02-01 17:27 - 00004118 _____ () C:\Windows\System32\Tasks\Vosteran sale
2015-02-01 17:27 - 2015-02-01 17:27 - 00003268 _____ () C:\Windows\System32\Tasks\WSE_Vosteran
2015-02-01 17:27 - 2015-02-01 17:27 - 00000000 ____D () C:\Users\POKEGAMERZ\AppData\Roaming\WSE_Vosteran
2015-02-01 17:27 - 2015-02-01 17:27 - 00000000 ____D () C:\ProgramData\{F3011BC2-A383-CA44-1205-BAC6C2876948}
2015-02-01 17:27 - 2015-02-01 17:27 - 00000000 ____D () C:\Program Files (x86)\WSE_Vosteran
2015-02-01 17:25 - 2015-02-01 17:25 - 00767952 _____ (Program ) C:\Users\POKEGAMERZ\Downloads\virtualbox-4.3.16.exe
2015-02-01 16:31 - 2015-02-01 16:31 - 00000000 ____D () C:\Users\POKEGAMERZ\AppData\Local\Creative
2015-01-23 15:44 - 2015-01-23 15:44 - 00324232 _____ () C:\Users\POKEGAMERZ\Downloads\msigaming11080p_zpsed814c34.jpg~original

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-02 16:17 - 2009-07-14 00:13 - 00778150 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-02 16:12 - 2014-11-30 11:11 - 00009622 _____ () C:\Windows\SysWOW64\Gms.log
2015-02-02 16:12 - 2014-11-29 17:56 - 01251658 _____ () C:\Windows\WindowsUpdate.log
2015-02-02 16:12 - 2009-07-13 23:45 - 00021856 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-02 16:12 - 2009-07-13 23:45 - 00021856 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-02 16:07 - 2014-11-29 18:20 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-02 16:07 - 2009-07-13 21:34 - 00000505 _____ () C:\Windows\win.ini
2015-02-02 16:06 - 2014-11-29 18:07 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-02 16:06 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-02 16:06 - 2009-07-13 23:51 - 00032386 _____ () C:\Windows\setupact.log
2015-02-02 16:02 - 2014-11-29 18:14 - 00771962 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-02-02 14:45 - 2010-11-20 22:47 - 00016986 _____ () C:\Windows\PFRO.log
2015-02-02 11:06 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\GroupPolicy
2015-02-01 17:37 - 2014-11-29 17:55 - 00000000 ____D () C:\Users\POKEGAMERZ
2015-02-01 17:27 - 2014-11-29 18:20 - 00002259 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-01 16:33 - 2014-11-29 17:29 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-02-01 16:07 - 2014-11-29 18:20 - 00002042 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-02-01 16:07 - 2014-11-29 18:20 - 00002040 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-02-01 16:07 - 2014-11-29 18:20 - 00002030 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-02-01 16:07 - 2014-11-29 18:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive

==================== Files in the root of some directories =======

2014-12-20 13:27 - 2014-12-20 13:27 - 0000017 _____ () C:\Users\POKEGAMERZ\AppData\Local\resmon.resmoncfg

Some content of TEMP:
====================
C:\Users\POKEGAMERZ\AppData\Local\Temp\AutoWifi.exe
C:\Users\POKEGAMERZ\AppData\Local\Temp\devcon64.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-27 12:01

==================== End Of Log ============================

Edited by nasdaq, 04 February 2015 - 09:52 AM.
FRST log posted.
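Added triage example (not from the original poster, from FRST, or from the Malware Response Team): the FRST log above lists every autorun location the Vosteran and Solution Real installers used, and the entries that matter share a few traits that a script can pick out of a pasted log before a helper even reads it. The rules below are my assumptions for this example, not an official FRST classification: wscript.exe started with a forced /E:vbscript engine on a file that is not a script (the bkup.dat RunOnce entry), AppInit_DLLs being set at all (sale.dll), a trailing "()" in place of a publisher (FRST prints that when the executable has no CompanyName in its version resource; it is not a signature check), Chrome extensions registered in the registry with "No Path", autoruns whose binary sits under a user profile, and a kernel driver whose service name is a bare GUID. The sample lines are copied from the log in this post, with the Realtek and NIS lines kept as benign controls.

```python
"""
Heuristic triage of FRST (Farbar Recovery Scan Tool) autorun, service and
driver lines.  The rules are assumptions made for this example: they encode
what makes the Vosteran / Solution Real entries in the log above stand out,
not an official FRST or vendor classification.
"""
import re
from dataclasses import dataclass, field

# Lines copied from the FRST log posted above (the Realtek and NIS lines are
# benign controls; the rest are the entries the helper later put in the fixlist).
SAMPLE = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7575256 2014-05-12] (Realtek Semiconductor)
HKLM-x32\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\POKEGA~1\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Run: [GoogleChromeAutoLaunch_5529CBA07810AAB77CC979E44714CD6D] => C:\Users\POKEGAMERZ\AppData\Local\Vosteran\Application\vosteran.exe [1014272 2015-01-24] ()
AppInit_DLLs-x32: C:/PROGRA~3/{F3011~1/191~1.1/sale.dll => C:/PROGRA~3/{F3011~1/191~1.1/sale.dll [964608 2015-02-01] ()
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
S2 Update Solution Real; C:\Program Files (x86)\Solution Real\updateSolutionReal.exe [681712 2015-02-02] ()
R1 {df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64; C:\Windows\System32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64.sys [48784 2015-02-01] (StdLib)
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# wscript/cscript invoked with an explicit engine; group 2 is the rest of the command line
SCRIPT_HOST_RE = re.compile(r"\b[wc]script\.exe\b.*?/E:(vbscript|jscript)\b(.*)", re.I)
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')               # quoted path or bare token
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
NO_PUBLISHER_RE = re.compile(r"\]\s*\(\)\s*$")         # FRST prints () when the PE has no CompanyName
NO_PATH_RE = re.compile(r"\]\s*-\s*No Path\s*$")        # registry-installed Chrome extension, file gone
SERVICE_NAME_RE = re.compile(r"^[SR]\d\s+([^;]+);")      # "S2 name; path ..." / "R1 name; path ..."
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def script_target(line):
    """File handed to wscript/cscript after a forced /E: engine, or None."""
    m = SCRIPT_HOST_RE.search(line)
    if not m:
        return None
    for quoted, bare in TOKEN_RE.findall(m.group(2)):
        token = quoted or bare
        if not token.startswith("/"):       # skip switches such as /B
            return token
    return None


def triage_line(line):
    """Return the reasons a single FRST line looks suspicious (empty list if none)."""
    reasons = []
    target = script_target(line)
    if target is not None and not target.lower().endswith(SCRIPT_EXTS):
        reasons.append("script host forced to run an engine on a non-script file: " + target)
    if line.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs set: DLL is loaded into every user32-linked process")
    if NO_PUBLISHER_RE.search(line):
        reasons.append("binary carries no publisher in its version info")
    if NO_PATH_RE.search(line):
        reasons.append("Chrome extension registered in the registry with no file on disk")
    if line.startswith(("HK", "AppInit")) or SERVICE_NAME_RE.match(line):
        if USER_PROFILE_RE.search(line):
            reasons.append("autorun or service binary lives under a user profile")
    m = SERVICE_NAME_RE.match(line)
    if m and GUID_RE.search(m.group(1)):
        reasons.append("service/driver named by a bare GUID")
    return reasons


def triage(text):
    """Run triage_line over every non-empty line and keep the ones with findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.line[:100])
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it flags six of the eight lines and leaves the Realtek and Norton entries alone. Two caveats for anyone reusing it: the "()" rule only says the file has no company name in its version resource, so confirm with a real Authenticode check before treating a file as unsigned; and a forced /E:vbscript on a .dat file is worth flagging precisely because extension-based controls and casual inspection both see a data file, not a script.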


#3 nasdaq

  • Malware Response Team
  • 38,223 posts
  • Location:Montreal, QC. Canada

Posted 04 February 2015 - 10:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Using the Add/Remove Programs applet, delete these programs in bold.

Solution Real (HKLM\...\Solution Real) (Version: 2015.02.01.182357 - Solution Real) <==== ATTENTION!
Vosteran (HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Vosteran) (Version: 31.0.1650.23 - Vosteran) <==== ATTENTION!
WSE_Vosteran (HKLM-x32\...\WSE_Vosteran) (Version: - WSE_Vosteran) <==== ATTENTION!

====

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

HKLM-x32\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\POKEGA~1\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Run: [GoogleChromeAutoLaunch_5529CBA07810AAB77CC979E44714CD6D] => C:\Users\POKEGAMERZ\AppData\Local\Vosteran\Application\vosteran.exe [1014272 2015-01-24] ()
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\POKEGA~1\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
AppInit_DLLs-x32: C:/PROGRA~3/{F3011~1/191~1.1/sale.dll => C:/PROGRA~3/{F3011~1/191~1.1/sale.dll [964608 2015-02-01] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://vosteran.com/?f=1&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKU\S-1-5-21-2345377856-4029987742-2774889007-1000 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
SearchScopes: HKU\S-1-5-21-2345377856-4029987742-2774889007-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_15_05&cd=2XzuyEtN2Y1L1Qzu0ByEyByDtD0EyEyEyE0DzzzztAyByDyCtN0D0Tzu0StCtCtByBtN1L2XzutAtFyBtFyBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyCzyzztDtA0ByCtCtGtA0AyCyBtG0ByDyD0BtGtB0FtCzytGtDyE0AtC0A0F0CzzyBtDtC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0F0FtBtCzytDtCtG0E0ByDtBtGyE0FyC0EtG0B0ByBzytGtCtC0BtC0FtB0AzzyB0CyC0B2Q&cr=2132539075&ir=
BHO-x32: Solution Real 1.0.0.7 -> {1bb456da-878f-44a5-b013-4bfe0ae02fce} -> C:\Program Files (x86)\Solution Real\SolutionRealbho.dll (Solution Real)
CHR Extension: (Google Wallet) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-29]
CHR Extension: (Solution Real) - C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpbdjpnfoddiffejmciilgkphacgoeb [2015-02-02]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKU\S-1-5-21-2345377856-4029987742-2774889007-1000\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
S2 Update Solution Real; C:\Program Files (x86)\Solution Real\updateSolutionReal.exe [681712 2015-02-02] ()
S2 Util Solution Real; C:\Program Files (x86)\Solution Real\bin\utilSolutionReal.exe [681712 2015-02-02] ()
R1 {df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64; C:\Windows\System32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64.sys [48784 2015-02-01] (StdLib)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
Task: {50BEAB3D-F5C4-44F5-8E02-F3ACB14C3D04} - System32\Tasks\Vosteran sale => C:\ProgramData\{F3011BC2-A383-CA44-1205-BAC6C2876948}\1.9.1.1\f <==== ATTENTION
Task: {9748F19C-2516-42BD-A73D-47D5397538D3} - System32\Tasks\WSE_Vosteran => C:\Users\POKEGAMERZ\AppData\Roaming\WSE_Vosteran\UpdateProc\UpdateTask.exe [2015-02-01] () <==== ATTENTION
Task: C:\Windows\Tasks\WSE_Vosteran.job => C:\Users\POKEGA~1\AppData\Roaming\WSE_VO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\Users\POKEGAMERZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpbdjpnfoddiffejmciilgkphacgoeb

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Run this tool to clean the registry items set by the infection.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

If the problem persists continue.

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome":
 
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is the computer running now?
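For the fixlist step above (copying flagged FRST lines into a file between start and End), here is an added first-pass triage script; it is not nasdaq's or FRST's own code. The rules it applies (FRST's ATTENTION marker, a service or driver with an empty publisher, a missing-file [X] entry, a driver whose name starts with a GUID, and any line naming a program from the findings) are my own assumptions, and the sample lines are constructed from the excerpt in this thread with one benign service and one benign extension added.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the FRST scan lines quoted above (not the
# poster's full log); ExampleSvc and Google Wallet are the lines that should survive.
SAMPLE_LOG = r"""
S2 Update Solution Real; C:\Program Files (x86)\Solution Real\updateSolutionReal.exe [681712 2015-02-02] ()
R1 {df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64; C:\Windows\System32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64.sys [48784 2015-02-01] (StdLib)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S2 ExampleSvc; C:\Windows\System32\example.exe [12345 2014-10-10] (Example Publisher)
Task: {50BEAB3D-F5C4-44F5-8E02-F3ACB14C3D04} - System32\Tasks\Vosteran sale => C:\ProgramData\{F3011BC2-A383-CA44-1205-BAC6C2876948}\1.9.1.1\f <==== ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR Extension: (Google Wallet) - C:\Users\X\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-29]
CHR Extension: (Solution Real) - C:\Users\X\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpbdjpnfoddiffejmciilgkphacgoeb [2015-02-02]
"""

# Program names the helper flagged with "ATTENTION!" earlier in this thread.
WATCHLIST = ("Solution Real", "Vosteran")

# Marker FRST appends to entries it considers suspicious (any run of '=' before the word).
ATTENTION = re.compile(r"<=+ ATTENTION")
# Service/driver lines: "S2 Name; C:\path\file.exe [size date] (Publisher)" or "... [X]".
SERVICE = re.compile(
    r"^[RS]\d (?P<name>.+?); (?P<path>.+?) \[(?P<meta>[^\]]*)\](?: \((?P<pub>.*)\))?$"
)
# Heuristic (assumption): a driver whose service name starts with a bare GUID.
GUID_NAME = re.compile(r"^\{[0-9a-fA-F-]{36}\}")


def triage_line(line: str, watchlist=WATCHLIST) -> List[str]:
    """Return the reasons (possibly none) a single FRST line deserves a closer look."""
    reasons = []
    if ATTENTION.search(line):
        reasons.append("flagged ATTENTION by FRST")
    m = SERVICE.match(line)
    if m:
        if m.group("meta") == "X":
            reasons.append("service/driver file is missing ([X])")
        elif m.group("pub") == "":
            reasons.append("service/driver binary carries no publisher ()")
        if GUID_NAME.match(m.group("name")):
            reasons.append("service/driver name starts with a GUID")
    if any(w.lower() in line.lower() for w in watchlist):
        reasons.append("mentions a name from the findings list")
    return reasons


def triage_log(text: str, watchlist=WATCHLIST) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-empty line and keep only lines with reasons."""
    flagged = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        reasons = triage_line(line, watchlist)
        if reasons:
            flagged.append((line, reasons))
    return flagged


def build_fixlist(text: str, watchlist=WATCHLIST) -> str:
    """Lay the flagged lines out the way the fixlist in this thread is built:
    start / CloseProcesses: / the raw FRST lines / End."""
    entries = [line for line, _ in triage_log(text, watchlist)]
    return "\n".join(["start", "CloseProcesses:", *entries, "End"]) + "\n"


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + line[:90])
    print(build_fixlist(SAMPLE_LOG))
```

The [X] rule catches orphaned entries (a driver whose file is gone) rather than live malware, so each flagged line still wants a human look before the result is saved as fixlist.txt.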

#4 POKEGAMERZ
  • Topic Starter
  • Members
  • 227 posts
  • Local time:12:18 PM

Posted 05 February 2015 - 08:43 PM


 

Attached Files



#5 nasdaq
  • Malware Response Team
  • 38,223 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:18 AM

Posted 06 February 2015 - 09:04 AM

How is the computer running now?

#6 POKEGAMERZ
  • Topic Starter
  • Members
  • 227 posts
  • Local time:12:18 PM

Posted 09 February 2015 - 07:47 PM

This is taking me a long time to scan. Is there a faster way to do this or is there a way to pause the Adwcleaner?

#7 POKEGAMERZ
  • Topic Starter
  • Members
  • 227 posts
  • Local time:12:18 PM

Posted 09 February 2015 - 07:56 PM


Thanks for helping out man. The problem went away and my PC is back to normal. ONCE AGAIN THANK YOU FOR THE HELP!

#8 nasdaq
  • Malware Response Team
  • 38,223 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:18 AM

Posted 10 February 2015 - 09:26 AM

Good news.

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#9 POKEGAMERZ
  • Topic Starter
  • Members
  • 227 posts
  • Local time:12:18 PM

Posted 10 February 2015 - 03:33 PM

I just said that I fixed the problem and my PC is working again and I feel none of this is necessary.

#10 nasdaq
  • Malware Response Team
  • 38,223 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:18 AM

Posted 11 February 2015 - 08:27 AM

Glad we could help.

#11 nasdaq
  • Malware Response Team
  • 38,223 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:18 AM

Posted 11 February 2015 - 08:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



