Lots of Ads and Pop Ups - IE Add On?


  • This topic is locked
13 replies to this topic

#1 mariobros117

mariobros117

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, Ak
  • Local time:03:43 PM

Posted 03 February 2015 - 04:35 AM

I have lots of ads and pop ups all of a sudden that I think are linked to some kind of add on for IE that I can not remove: "doWWnloaditkeep" and "DEal4me". The option to enable or disable is grayed out. I also tried to remove programs with a similar name from my add/remove programs list, but I got some kind of error telling me that I didn't have permission to do so. I have McAfee antivirus, and as soon as I clicked OK on the dialogue box for the error, McAfee popped up and asked if I would like to remove the program. When I said yes, nothing happened. Another attempt to remove the programs brought up another error saying that they were not found and asked to remove them from the list; I said yes, hoping that McAfee had actually removed the programs. I performed a "quick scan" with McAfee and it came up with nothing, but I watched as the files being scanned flashed across the screen and I saw the word "rootkit" many times. Anyway, here is the log; I have also attached it.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by Abi and Daniel (administrator) on ABIANDDANIEL-PC on 02-02-2015 23:59:19
Running from C:\Users\Abi and Daniel\Downloads
Loaded Profiles: Abi and Daniel (Available profiles: Abi and Daniel)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Validity Sensors, Inc.) C:\Windows\System32\valWBFPolicyService.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Windows ® Win 7 DDK provider) C:\Program Files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan\mcods.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_235_ActiveX.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [FLxHCIm64] => C:\Program Files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe [48128 2012-04-12] (Windows ® Win 7 DDK provider)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe [642040 2014-08-05] (McAfee, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-3902584003-3642212217-1098631534-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_16_0_0_235_ActiveX.exe [650928 2014-12-12] (Adobe Systems Incorporated)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3902584003-3642212217-1098631534-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3902584003-3642212217-1098631534-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: doWWnloaditkeep -> {61da2fd4-79ab-483b-b114-eccdc63c9d87} -> C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.x64.dll ()
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: DEal4me -> {9939bddb-ac17-4096-b9ce-d365a4ae1e5b} -> C:\Program Files (x86)\DEal4me\exyg01egS3st4j.x64.dll ()
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: doWWnloaditkeep -> {61da2fd4-79ab-483b-b114-eccdc63c9d87} -> C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll ()
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: DEal4me -> {9939bddb-ac17-4096-b9ce-d365a4ae1e5b} -> C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll ()
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 209.165.131.12 209.165.131.13

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Abi and Daniel\AppData\Local\Google\Chrome\User Data\Default

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 0238701422749206mcinstcleanup; C:\Windows\TEMP\023870~1.EXE [851136 2014-08-08] (McAfee, Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-07-30] (McAfee, Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89352 2014-09-15] (Hewlett-Packard Company)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2413056 2011-06-28] (Realsil Microelectronics Inc.) [File not signed]
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [562200 2014-09-04] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-07-30] (McAfee, Inc.)
R3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [601864 2014-08-01] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [335064 2014-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-07-24] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-07-18] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189920 2014-10-01] (McAfee, Inc.)
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [35328 2013-10-30] (Validity Sensors, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-07-18] (McAfee, Inc.)
R3 FLxHCIh; C:\Windows\System32\DRIVERS\FLxHCIh.sys [73472 2012-04-12] (Fresco Logic)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181584 2014-10-01] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313800 2014-07-18] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [526352 2014-07-18] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786304 2014-10-01] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [444720 2014-07-24] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-07-24] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-07-18] (McAfee, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-02 23:59 - 2015-02-02 23:59 - 00010729 _____ () C:\Users\Abi and Daniel\Downloads\FRST.txt
2015-02-02 23:06 - 2015-02-02 23:07 - 02131456 _____ (Farbar) C:\Users\Abi and Daniel\Downloads\FRST64.exe
2015-02-02 23:04 - 2015-02-02 23:59 - 00000000 ____D () C:\FRST
2015-02-02 22:36 - 2015-02-02 22:36 - 00000000 ____D () C:\ProgramData\110c9bfa000030e7
2015-02-02 20:42 - 2015-02-02 20:45 - 00000000 ____D () C:\Program Files (x86)\doWnloAdoitkEeep
2015-02-02 20:41 - 2015-02-02 20:46 - 00000000 ____D () C:\Program Files (x86)\toopideale
2015-02-02 20:41 - 2015-02-02 20:46 - 00000000 ____D () C:\Program Files (x86)\SoundCloud
2015-02-02 20:41 - 2015-02-02 20:45 - 00000000 ____D () C:\Program Files (x86)\DEal4me
2015-02-02 20:41 - 2015-02-02 20:44 - 00000000 ____D () C:\Program Files (x86)\AppotoU
2015-02-02 20:41 - 2015-02-02 20:42 - 00000000 ____D () C:\ProgramData\5960804387360961682
2015-02-02 20:41 - 2015-02-02 20:41 - 00000000 ____D () C:\Program Files (x86)\doWWnloaditkeep
2015-01-20 22:42 - 2015-01-20 22:42 - 00000000 ____D () C:\Users\Abi and Daniel\AppData\Local\QuickenWindow
2015-01-19 10:22 - 2015-02-02 20:16 - 00000000 ____D () C:\ProgramData\2137be80000775b
2015-01-19 10:22 - 2015-01-19 10:22 - 00000000 ____D () C:\Program Files (x86)\sshhoppNdrOp
2015-01-19 10:21 - 2015-01-19 10:21 - 00000000 ____D () C:\Program Files (x86)\dieal44reAl
2015-01-15 19:13 - 2015-01-21 17:29 - 00000000 ____D () C:\ProgramData\sshhoppNdrOp
2015-01-15 19:13 - 2015-01-21 17:29 - 00000000 ____D () C:\ProgramData\dieal44reAl
2015-01-15 19:13 - 2015-01-19 10:22 - 00000000 ____D () C:\ProgramData\52b90802343d7492
2015-01-15 19:06 - 2014-12-18 18:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-15 19:06 - 2014-12-18 16:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-15 19:06 - 2014-12-11 20:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-15 19:06 - 2014-12-11 20:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-15 19:06 - 2014-12-11 20:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-15 19:06 - 2014-12-11 20:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-15 19:06 - 2014-12-11 20:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-15 19:06 - 2014-12-11 20:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-15 19:06 - 2014-12-11 20:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-15 19:06 - 2014-12-11 08:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-15 19:06 - 2014-12-05 19:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-15 19:06 - 2014-12-05 18:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-15 19:06 - 2014-12-05 18:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-02 23:41 - 2014-12-12 21:36 - 00000914 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-02 23:14 - 2014-11-11 21:54 - 01575214 _____ () C:\Windows\WindowsUpdate.log
2015-02-02 21:41 - 2014-12-12 21:36 - 00000910 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-02 20:16 - 2014-12-12 21:30 - 00000000 ____D () C:\ProgramData\1837308050
2015-01-31 15:06 - 2014-11-13 20:22 - 00000000 ____D () C:\Program Files (x86)\McAfee
2015-01-26 17:52 - 2014-11-15 11:08 - 00000000 ____D () C:\Users\Abi and Daniel\AppData\Roaming\Apple Computer
2015-01-22 19:11 - 2009-07-13 19:45 - 00029600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-22 19:11 - 2009-07-13 19:45 - 00029600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-22 19:07 - 2009-07-13 20:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-21 17:30 - 2009-07-13 20:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-21 17:30 - 2009-07-13 19:51 - 00031235 _____ () C:\Windows\setupact.log
2015-01-21 17:29 - 2010-11-20 18:47 - 00047738 _____ () C:\Windows\PFRO.log
2015-01-21 17:27 - 2014-11-13 00:23 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-21 17:24 - 2014-11-13 00:23 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-20 22:22 - 2014-12-07 20:23 - 00000000 ____D () C:\Program Files (x86)\Quicken
2015-01-12 18:45 - 2014-12-12 21:22 - 00000000 ____D () C:\Program Files (x86)\Search Extensions

==================== Files in the root of some directories =======

2014-12-03 20:20 - 2014-12-03 20:22 - 0000358 _____ () C:\ProgramData\hpzinstall.log

Some content of TEMP:
====================
C:\Users\Abi and Daniel\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-26 19:49

==================== End Of Log ============================

Attached Files

  • FRST.txt   16.66KB   2 downloads


#2 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 03 February 2015 - 08:04 AM

Hi. I'm checking your log now and will reply with instructions soon.



#3 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 03 February 2015 - 08:10 AM

You still need to post the Addition.txt log.



#4 mariobros117

mariobros117
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, Ak
  • Local time:03:43 PM

Posted 03 February 2015 - 04:29 PM

Sorry about that. Here it is.


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-02-2015
Ran by Abi and Daniel at 2015-02-03 00:00:16
Running from C:\Users\Abi and Daniel\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{3BF3599D-7F28-C60B-1C5D-82BFD4E5EF33}) (Version: 3.0.838.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 2.0.3115 - CyberLink Corp.)
Fresco Logic USB3.0 Host Controller (HKLM\...\{36D8E05D-1287-4F40-BEEF-A64F88E5EE47}) (Version: 3.5.46.0 - Fresco Logic Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HP Support Solutions Framework (HKLM-x32\...\{44157EB3-D8D0-4BB1-B0F5-AD2C38814ED1}) (Version: 11.51.0027 - Hewlett-Packard Company)
Intel® Display Audio Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.00.3074 - Intel Corporation)
iSEEK AnswerWorks English Runtime (HKLM-x32\...\{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}) (Version: 010.000.0101 - Vantage Linguistics)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
McAfee AntiVirus Plus (HKLM-x32\...\MSC) (Version: 13.6.1248 - McAfee, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-0081-0409-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Quicken 2014 (HKLM-x32\...\{0877F595-254F-45F4-991D-3F72E86B17CE}) (Version: 23.1.7.6 - Intuit)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.41.216.2011 - Realtek)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.83 - Realtek Semiconductor Corp.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.29.0 - Synaptics Incorporated)
ThinkPad Wireless LAN Adapter Software (HKLM-x32\...\{9D3D2C60-A55F-4fed-B2B9-17311226DF01}) (Version: 1.00.0031.2 - REALTEK Semiconductor Corp.)
WebM Media Foundation Components (HKLM-x32\...\webmmf) (Version: 1.0.1.1 - WebM Project)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

ATTENTION: System Restore is disabled.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 17:34 - 2009-06-10 12:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {330092AC-EA39-4712-A9C6-1C172EAF0B3B} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {444C1C5C-B547-456C-9EEF-74B1E3429F41} - System32\Tasks\RocketTab => cmd.exe /C start "" "C:\Program Files (x86)\Search Extensions\Client.exe" /Preferred=true <==== ATTENTION
Task: {6630BD33-E8C7-4DC3-8E9F-02EF4BEAC1D2} - System32\Tasks\{491D9E3D-E93B-4A07-83D1-C0D3BA347A67} => pcalua.exe -a E:\sp54841.exe -d E:\
Task: {7E9F6641-E5DE-404A-867A-69DB9FB8CA09} - System32\Tasks\{C745524F-6EBD-4712-A36E-7BE628EF3E64} => pcalua.exe -a "C:\Users\Abi and Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCTIDY96\sp55105.exe" -d "C:\Users\Abi and Daniel\Desktop"
Task: {8C80CCB8-EFDE-49F0-A517-98D044350E65} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {8FB5A948-5DC5-46FA-8546-9BF7C072869C} - System32\Tasks\RocketTab Update Task => C:\Program Files (x86)\Search Extensions\uninstall.exe <==== ATTENTION
Task: {903EC0DE-2C69-41B1-B523-5A4A5CB3224C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-12] (Google Inc.)
Task: {AAF2CC6B-214D-42EF-BC22-567098956C0C} - System32\Tasks\{8B59E112-DAED-4D0A-B059-A795F3E50B8B} => pcalua.exe -a "C:\Program Files (x86)\Search Extensions\uninstall.exe" -c /u=true /UserID=bc6531e7-4999-4e3c-aa8f-78b5dc80c85e /SourceID=radix|radix_webm /ImplementationID=browsersafeguard-rockettab-ptn /UC=20141213
Task: {ABFC0E90-4C1E-4BAC-B17E-E2FD89861796} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-12] (Google Inc.)
Task: {D5248A3D-6BCF-44B5-A3D3-D75D342495B7} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {E9A8733D-8CDA-4125-B903-27634CF181B9} - System32\Tasks\{14938EA4-EE38-48FF-A468-727AACA985B7} => pcalua.exe -a E:\sp56036.exe -d E:\
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-04-15 17:16 - 2011-04-15 17:16 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-10-11 13:06 - 2014-10-11 13:06 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2013-02-14 15:46 - 2013-02-14 15:46 - 01044048 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2015-02-02 20:41 - 2015-02-02 20:41 - 00564736 _____ () C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll
2015-02-02 20:41 - 2015-02-02 20:41 - 00564736 _____ () C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Abi and Daniel (S-1-5-21-3902584003-3642212217-1098631534-1000 - Administrator - Enabled) => C:\Users\Abi and Daniel
Administrator (S-1-5-21-3902584003-3642212217-1098631534-500 - Administrator - Disabled)
Guest (S-1-5-21-3902584003-3642212217-1098631534-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3902584003-3642212217-1098631534-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/31/2015 01:18:13 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/29/2015 05:52:15 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/28/2015 08:36:15 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/26/2015 06:22:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: AppleMobileBackup.exe, version: 17.1333.0.34, time stamp: 0x543300bf
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000374
Fault offset: 0x000ce753
Faulting process id: 0x390
Faulting application start time: 0xAppleMobileBackup.exe0
Faulting application path: AppleMobileBackup.exe1
Faulting module path: AppleMobileBackup.exe2
Report Id: AppleMobileBackup.exe3

Error: (01/26/2015 05:33:34 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/25/2015 02:43:30 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/22/2015 07:23:58 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/21/2015 05:51:41 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/21/2015 05:31:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/20/2015 07:28:14 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

System errors:
=============
Error: (02/02/2015 08:20:10 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (02/02/2015 08:18:00 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (02/02/2015 08:18:00 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/21/2015 05:30:10 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (01/21/2015 05:28:54 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Group Policy Client service did not shut down properly after receiving a preshutdown control.

Error: (01/19/2015 00:17:01 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/19/2015 00:17:01 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/01/2015 03:30:27 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (12/24/2014 02:30:55 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (12/24/2014 02:30:43 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 2:28:53 PM on ‎12/‎24/‎2014 was unexpected.

Microsoft Office Sessions:
=========================
Error: (01/31/2015 01:18:13 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/29/2015 05:52:15 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/28/2015 08:36:15 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/26/2015 06:22:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: AppleMobileBackup.exe17.1333.0.34543300bfntdll.dll6.1.7601.18247521ea8e7c0000374000ce75339001d039e06eecbc1bC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileBackup.exeC:\Windows\SysWOW64\ntdll.dllb33e931f-a5d3-11e4-812c-082e5f8832e1

Error: (01/26/2015 05:33:34 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/25/2015 02:43:30 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/22/2015 07:23:58 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/21/2015 05:51:41 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/21/2015 05:31:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/20/2015 07:28:14 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

==================== Memory info ===========================

Processor: Intel® Core™ i5-2450M CPU @ 2.50GHz
Percentage of memory in use: 37%
Total physical RAM: 6091.6 MB
Available physical RAM: 3776.96 MB
Total Pagefile: 12181.39 MB
Available Pagefile: 9652.63 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:193.77 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 6E186E18)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#5 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 03 February 2015 - 08:49 PM

Please follow these steps:

1.- Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it to your Desktop as fixlist.txt

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: doWWnloaditkeep -> {61da2fd4-79ab-483b-b114-eccdc63c9d87} -> C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.x64.dll ()
C:\Program Files (x86)\doWWnloaditkeep
BHO: DEal4me -> {9939bddb-ac17-4096-b9ce-d365a4ae1e5b} -> C:\Program Files (x86)\DEal4me\exyg01egS3st4j.x64.dll ()
C:\Program Files (x86)\DEal4me
BHO-x32: doWWnloaditkeep -> {61da2fd4-79ab-483b-b114-eccdc63c9d87} -> C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll ()
BHO-x32: DEal4me -> {9939bddb-ac17-4096-b9ce-d365a4ae1e5b} -> C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll ()
2015-02-02 22:36 - 2015-02-02 22:36 - 00000000 ____D () C:\ProgramData\110c9bfa000030e7
2015-02-02 20:42 - 2015-02-02 20:45 - 00000000 ____D () C:\Program Files (x86)\doWnloAdoitkEeep
2015-02-02 20:41 - 2015-02-02 20:46 - 00000000 ____D () C:\Program Files (x86)\toopideale
2015-02-02 20:41 - 2015-02-02 20:46 - 00000000 ____D () C:\Program Files (x86)\SoundCloud
2015-02-02 20:41 - 2015-02-02 20:45 - 00000000 ____D () C:\Program Files (x86)\DEal4me
2015-02-02 20:41 - 2015-02-02 20:44 - 00000000 ____D () C:\Program Files (x86)\AppotoU
2015-02-02 20:41 - 2015-02-02 20:42 - 00000000 ____D () C:\ProgramData\5960804387360961682
2015-02-02 20:41 - 2015-02-02 20:41 - 00000000 ____D () C:\Program Files (x86)\doWWnloaditkeep
2015-01-19 10:22 - 2015-02-02 20:16 - 00000000 ____D () C:\ProgramData\2137be80000775b
2015-01-19 10:22 - 2015-01-19 10:22 - 00000000 ____D () C:\Program Files (x86)\sshhoppNdrOp
2015-01-19 10:21 - 2015-01-19 10:21 - 00000000 ____D () C:\Program Files (x86)\dieal44reAl
2015-01-15 19:13 - 2015-01-21 17:29 - 00000000 ____D () C:\ProgramData\sshhoppNdrOp
2015-01-15 19:13 - 2015-01-21 17:29 - 00000000 ____D () C:\ProgramData\dieal44reAl
2015-01-15 19:13 - 2015-01-19 10:22 - 00000000 ____D () C:\ProgramData\52b90802343d7492
2015-02-02 20:16 - 2014-12-12 21:30 - 00000000 ____D () C:\ProgramData\1837308050
2015-01-12 18:45 - 2014-12-12 21:22 - 00000000 ____D () C:\Program Files (x86)\Search Extensions
Task: {444C1C5C-B547-456C-9EEF-74B1E3429F41} - System32\Tasks\RocketTab => cmd.exe /C start "" "C:\Program Files (x86)\Search Extensions\Client.exe" /Preferred=true <==== ATTENTION
Task: {8FB5A948-5DC5-46FA-8546-9BF7C072869C} - System32\Tasks\RocketTab Update Task => C:\Program Files (x86)\Search Extensions\uninstall.exe <==== ATTENTION
Task: {AAF2CC6B-214D-42EF-BC22-567098956C0C} - System32\Tasks\{8B59E112-DAED-4D0A-B059-A795F3E50B8B} => pcalua.exe -a "C:\Program Files (x86)\Search Extensions\uninstall.exe" -c /u=true /UserID=bc6531e7-4999-4e3c-aa8f-78b5dc80c85e /SourceID=radix|radix_webm /ImplementationID=browsersafeguard-rockettab-ptn /UC=20141213
Task: {E9A8733D-8CDA-4125-B903-27634CF181B9} - System32\Tasks\{14938EA4-EE38-48FF-A468-727AACA985B7} => pcalua.exe -a E:\sp56036.exe -d E:\
Task: {6630BD33-E8C7-4DC3-8E9F-02EF4BEAC1D2} - System32\Tasks\{491D9E3D-E93B-4A07-83D1-C0D3BA347A67} => pcalua.exe -a E:\sp54841.exe -d E:\
Task: {7E9F6641-E5DE-404A-867A-69DB9FB8CA09} - System32\Tasks\{C745524F-6EBD-4712-A36E-7BE628EF3E64} => pcalua.exe -a "C:\Users\Abi and Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCTIDY96\sp55105.exe" -d "C:\Users\Abi and Daniel\Desktop"
E:\sp54841.exe
2015-02-02 20:41 - 2015-02-02 20:41 - 00564736 _____ () C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll
2015-02-02 20:41 - 2015-02-02 20:41 - 00564736 _____ () C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll
EmptyTemp:

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt) please post it to your reply.

2.- Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the most recent report).

3.- Download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
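
As an added example that is not part of this thread or of the FRST tool: a read-only PowerShell audit of the Browser Helper Object registrations and proxy-launcher scheduled tasks that the fixlist above targets, which a defender can run before and after a fix to confirm the entries are really gone. It assumes an elevated prompt on Windows 7 or later; the two CLSIDs come from this thread's FRST log, and the function names are my own.

```powershell
# Added example, not from the thread: read-only audit of the locations the
# FRST fixlist above cleaned (IE Browser Helper Objects and scheduled tasks).
# Run from an elevated PowerShell prompt; nothing here deletes anything.

# CLSIDs named in this thread's FRST log (doWWnloaditkeep and DEal4me).
$KnownBadClsids = @(
    '{61da2fd4-79ab-483b-b114-eccdc63c9d87}',
    '{9939bddb-ac17-4096-b9ce-d365a4ae1e5b}'
)

# 64-bit and 32-bit (Wow6432Node) BHO registration points, each paired with
# the CLSID hive in which its InprocServer32 DLL path is resolved.
$BhoRoots = @(
    @{ View  = 'x64'
       Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ View  = 'x86'
       Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

# One row per registered BHO: resolves the CLSID to its DLL, checks that the
# DLL exists and is signed, and flags the conditions FRST reported on above
# (known-bad CLSID, dangling registration, missing file).
function Get-BhoAudit {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root.Bho)) { continue }
        foreach ($key in Get-ChildItem -Path $root.Bho) {
            $clsid    = $key.PSChildName
            $clsidKey = Join-Path $root.Clsid $clsid
            $name = $null; $dll = $null
            if (Test-Path $clsidKey) {
                $name   = (Get-ItemProperty -Path $clsidKey).'(default)'
                $inproc = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty -Path $inproc).'(default)'
                }
            }
            $exists = $false; $sigStatus = 'n/a'
            if ($dll) {
                $file   = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $exists = Test-Path -LiteralPath $file
                if ($exists) {
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $file).Status.ToString()
                }
            }
            $flags = @()
            if ($KnownBadClsids -contains $clsid) { $flags += 'known-bad CLSID from this thread' }
            if (-not $dll)                         { $flags += 'no InprocServer32 (dangling registration)' }
            elseif (-not $exists)                  { $flags += 'DLL missing on disk' }
            elseif ($sigStatus -ne 'Valid')        { $flags += "signature $sigStatus" }
            New-Object PSObject -Property @{
                View = $root.View; CLSID = $clsid; Name = $name; DLL = $dll
                Signature = $sigStatus; Flags = ($flags -join '; ')
            } | Select-Object View, CLSID, Name, DLL, Signature, Flags
        }
    }
}

# Scheduled tasks whose action runs through a proxy launcher, the pattern the
# fixlist above removed (pcalua.exe -a <exe>, cmd.exe /C start "" <exe>).
# schtasks /v CSV output repeats its header row per task folder, so those
# rows are filtered out before matching.
function Get-ProxyLauncherTasks {
    schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object { $_.'Task To Run' -match '\bpcalua\.exe\b|cmd(\.exe)?\s+/c\s+start\b' } |
        Select-Object TaskName, 'Task To Run', 'Schedule Type', Status
}

Get-BhoAudit | Format-Table -AutoSize
Get-ProxyLauncherTasks | Format-Table -AutoSize
```

An empty BHO table and no proxy-launcher tasks is the expected state after the fix; a row flagged "DLL missing on disk" is the same dangling registration FRST reports as "File/Directory not found".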


#6 mariobros117

mariobros117
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, Ak
  • Local time:03:43 PM

Posted 03 February 2015 - 09:38 PM

Everything is running much better now! Here are the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Abi and Daniel at 2015-02-03 17:16:12 Run:1
Running from C:\Users\Abi and Daniel\Desktop
Loaded Profiles: Abi and Daniel (Available profiles: Abi and Daniel)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: doWWnloaditkeep -> {61da2fd4-79ab-483b-b114-eccdc63c9d87} -> C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.x64.dll ()
C:\Program Files (x86)\doWWnloaditkeep
BHO: DEal4me -> {9939bddb-ac17-4096-b9ce-d365a4ae1e5b} -> C:\Program Files (x86)\DEal4me\exyg01egS3st4j.x64.dll ()
C:\Program Files (x86)\DEal4me
BHO-x32: doWWnloaditkeep -> {61da2fd4-79ab-483b-b114-eccdc63c9d87} -> C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll ()
BHO-x32: DEal4me -> {9939bddb-ac17-4096-b9ce-d365a4ae1e5b} -> C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll ()
2015-02-02 22:36 - 2015-02-02 22:36 - 00000000 ____D () C:\ProgramData\110c9bfa000030e7
2015-02-02 20:42 - 2015-02-02 20:45 - 00000000 ____D () C:\Program Files (x86)\doWnloAdoitkEeep
2015-02-02 20:41 - 2015-02-02 20:46 - 00000000 ____D () C:\Program Files (x86)\toopideale
2015-02-02 20:41 - 2015-02-02 20:46 - 00000000 ____D () C:\Program Files (x86)\SoundCloud
2015-02-02 20:41 - 2015-02-02 20:45 - 00000000 ____D () C:\Program Files (x86)\DEal4me
2015-02-02 20:41 - 2015-02-02 20:44 - 00000000 ____D () C:\Program Files (x86)\AppotoU
2015-02-02 20:41 - 2015-02-02 20:42 - 00000000 ____D () C:\ProgramData\5960804387360961682
2015-02-02 20:41 - 2015-02-02 20:41 - 00000000 ____D () C:\Program Files (x86)\doWWnloaditkeep
2015-01-19 10:22 - 2015-02-02 20:16 - 00000000 ____D () C:\ProgramData\2137be80000775b
2015-01-19 10:22 - 2015-01-19 10:22 - 00000000 ____D () C:\Program Files (x86)\sshhoppNdrOp
2015-01-19 10:21 - 2015-01-19 10:21 - 00000000 ____D () C:\Program Files (x86)\dieal44reAl
2015-01-15 19:13 - 2015-01-21 17:29 - 00000000 ____D () C:\ProgramData\sshhoppNdrOp
2015-01-15 19:13 - 2015-01-21 17:29 - 00000000 ____D () C:\ProgramData\dieal44reAl
2015-01-15 19:13 - 2015-01-19 10:22 - 00000000 ____D () C:\ProgramData\52b90802343d7492
2015-02-02 20:16 - 2014-12-12 21:30 - 00000000 ____D () C:\ProgramData\1837308050
2015-01-12 18:45 - 2014-12-12 21:22 - 00000000 ____D () C:\Program Files (x86)\Search Extensions
Task: {444C1C5C-B547-456C-9EEF-74B1E3429F41} - System32\Tasks\RocketTab => cmd.exe /C start "" "C:\Program Files (x86)\Search Extensions\Client.exe" /Preferred=true <==== ATTENTION
Task: {8FB5A948-5DC5-46FA-8546-9BF7C072869C} - System32\Tasks\RocketTab Update Task => C:\Program Files (x86)\Search Extensions\uninstall.exe <==== ATTENTION
Task: {AAF2CC6B-214D-42EF-BC22-567098956C0C} - System32\Tasks\{8B59E112-DAED-4D0A-B059-A795F3E50B8B} => pcalua.exe
-a "C:\Program Files (x86)\Search Extensions\uninstall.exe" -c /u=true /UserID=bc6531e7-4999-4e3c-aa8f-78b5dc80c85e /SourceID=radix|radix_webm /ImplementationID=browsersafeguard-rockettab-ptn /UC=20141213
Task: {E9A8733D-8CDA-4125-B903-27634CF181B9} - System32\Tasks\{14938EA4-EE38-48FF-A468-727AACA985B7} => pcalua.exe -a E:\sp56036.exe -d E:\
Task: {6630BD33-E8C7-4DC3-8E9F-02EF4BEAC1D2} - System32\Tasks\{491D9E3D-E93B-4A07-83D1-C0D3BA347A67} => pcalua.exe -a E:\sp54841.exe -d E:\
Task: {7E9F6641-E5DE-404A-867A-69DB9FB8CA09} - System32\Tasks\{C745524F-6EBD-4712-A36E-7BE628EF3E64} => pcalua.exe -a "C:\Users\Abi and Daniel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCTIDY96\sp55105.exe" -d "C:\Users\Abi and Daniel\Desktop"
E:\sp54841.exe
2015-02-02 20:41 - 2015-02-02 20:41 - 00564736 _____ () C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll
2015-02-02 20:41 - 2015-02-02 20:41 - 00564736 _____ () C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll
EmptyTemp:

*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61da2fd4-79ab-483b-b114-eccdc63c9d87}" => Key deleted successfully.
"HKCR\CLSID\{61da2fd4-79ab-483b-b114-eccdc63c9d87}" => Key deleted successfully.
C:\Program Files (x86)\doWWnloaditkeep => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9939bddb-ac17-4096-b9ce-d365a4ae1e5b}" => Key deleted successfully.
"HKCR\CLSID\{9939bddb-ac17-4096-b9ce-d365a4ae1e5b}" => Key deleted successfully.
C:\Program Files (x86)\DEal4me => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61da2fd4-79ab-483b-b114-eccdc63c9d87}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{61da2fd4-79ab-483b-b114-eccdc63c9d87}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9939bddb-ac17-4096-b9ce-d365a4ae1e5b}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{9939bddb-ac17-4096-b9ce-d365a4ae1e5b}" => Key deleted successfully.
C:\ProgramData\110c9bfa000030e7 => Moved successfully.
C:\Program Files (x86)\doWnloAdoitkEeep => Moved successfully.
C:\Program Files (x86)\toopideale => Moved successfully.
C:\Program Files (x86)\SoundCloud => Moved successfully.
"C:\Program Files (x86)\DEal4me" => File/Directory not found.
C:\Program Files (x86)\AppotoU => Moved successfully.
C:\ProgramData\5960804387360961682 => Moved successfully.
"C:\Program Files (x86)\doWWnloaditkeep" => File/Directory not found.
C:\ProgramData\2137be80000775b => Moved successfully.
C:\Program Files (x86)\sshhoppNdrOp => Moved successfully.
C:\Program Files (x86)\dieal44reAl => Moved successfully.
C:\ProgramData\sshhoppNdrOp => Moved successfully.
C:\ProgramData\dieal44reAl => Moved successfully.
C:\ProgramData\52b90802343d7492 => Moved successfully.
C:\ProgramData\1837308050 => Moved successfully.
C:\Program Files (x86)\Search Extensions => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{444C1C5C-B547-456C-9EEF-74B1E3429F41}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{444C1C5C-B547-456C-9EEF-74B1E3429F41}" => Key deleted successfully.
C:\Windows\System32\Tasks\RocketTab => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RocketTab" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8FB5A948-5DC5-46FA-8546-9BF7C072869C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FB5A948-5DC5-46FA-8546-9BF7C072869C}" => Key deleted successfully.
C:\Windows\System32\Tasks\RocketTab Update Task => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RocketTab Update Task" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AAF2CC6B-214D-42EF-BC22-567098956C0C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AAF2CC6B-214D-42EF-BC22-567098956C0C}" => Key deleted successfully.
C:\Windows\System32\Tasks\{8B59E112-DAED-4D0A-B059-A795F3E50B8B} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{8B59E112-DAED-4D0A-B059-A795F3E50B8B}" => Key deleted successfully.
-a "C:\Program Files (x86)\Search Extensions\uninstall.exe" -c /u=true /UserID=bc6531e7-4999-4e3c-aa8f-78b5dc80c85e /SourceID=radix|radix_webm /ImplementationID=browsersafeguard-rockettab-ptn /UC=20141213 => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E9A8733D-8CDA-4125-B903-27634CF181B9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9A8733D-8CDA-4125-B903-27634CF181B9}" => Key deleted successfully.
C:\Windows\System32\Tasks\{14938EA4-EE38-48FF-A468-727AACA985B7} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{14938EA4-EE38-48FF-A468-727AACA985B7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6630BD33-E8C7-4DC3-8E9F-02EF4BEAC1D2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6630BD33-E8C7-4DC3-8E9F-02EF4BEAC1D2}" => Key deleted successfully.
C:\Windows\System32\Tasks\{491D9E3D-E93B-4A07-83D1-C0D3BA347A67} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{491D9E3D-E93B-4A07-83D1-C0D3BA347A67}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7E9F6641-E5DE-404A-867A-69DB9FB8CA09}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7E9F6641-E5DE-404A-867A-69DB9FB8CA09}" => Key deleted successfully.
C:\Windows\System32\Tasks\{C745524F-6EBD-4712-A36E-7BE628EF3E64} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C745524F-6EBD-4712-A36E-7BE628EF3E64}" => Key deleted successfully.
"E:\sp54841.exe" => File/Directory not found.
"C:\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll" => File/Directory not found.
"C:\Program Files (x86)\DEal4me\exyg01egS3st4j.dll" => File/Directory not found.
EmptyTemp: => Removed 653.9 MB temporary data.

The system needed a reboot.

==== End of Fixlog 17:16:34 ====

# AdwCleaner v4.109 - Report created 03/02/2015 at 17:24:36
# Updated 24/01/2015 by Xplode
# Database : 2015-02-03.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Abi and Daniel - ABIANDDANIEL-PC
# Running from : C:\Users\Abi and Daniel\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\P0bdce491_add7_4935_81e7_c9880effe8bd_.P0bdce491_add7_4935_81e7_c9880effe8bd_
Key Deleted : HKLM\SOFTWARE\Classes\P0bdce491_add7_4935_81e7_c9880effe8bd_.P0bdce491_add7_4935_81e7_c9880effe8bd_.9
Key Deleted : HKLM\SOFTWARE\Classes\Pc3ee6962_8421_4062_8c95_fc950730b0fb_.Pc3ee6962_8421_4062_8c95_fc950730b0fb_
Key Deleted : HKLM\SOFTWARE\Classes\Pc3ee6962_8421_4062_8c95_fc950730b0fb_.Pc3ee6962_8421_4062_8c95_fc950730b0fb_.9
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0bdce491-add7-4935-81e7-c9880effe8bd}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{c3ee6962-8421-4062-8c95-fc950730b0fb}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{079E2F0F-FCA0-4163-BC82-5355B879E86E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0bdce491-add7-4935-81e7-c9880effe8bd}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{c3ee6962-8421-4062-8c95-fc950730b0fb}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0bdce491-add7-4935-81e7-c9880effe8bd}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{c3ee6962-8421-4062-8c95-fc950730b0fb}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0bdce491-add7-4935-81e7-c9880effe8bd}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c3ee6962-8421-4062-8c95-fc950730b0fb}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{0bdce491-add7-4935-81e7-c9880effe8bd}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{c3ee6962-8421-4062-8c95-fc950730b0fb}
Key Deleted : HKCU\Software\RocketTabInstalled
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\RocketTab
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7E7FAE3D-3358-D280-8DBF-E8E2D94326D1}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\playsushi.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\sweetwater.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.sweetwater.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [3393 octets] - [03/02/2015 17:22:50]
AdwCleaner[S0].txt - [3312 octets] - [03/02/2015 17:24:36]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3372 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Home Premium x64
Ran by Abi and Daniel on Tue 02/03/2015 at 17:30:06.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/03/2015 at 17:32:49.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#7 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 04 February 2015 - 10:39 AM

Follow these steps:
 
1.- Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Please open Malwarebytes Anti-Malware
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
  • Following the update, Click Settings > Detection and Protection and make sure Scan for Rootkits it checked.
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan. If Malware or Potentially Unwanted Programs are found you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History> Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad). etc.. The .txt file can be saved and posted when you are ready.
2.- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#8 mariobros117

mariobros117
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, Ak
  • Local time:03:43 PM

Posted 05 February 2015 - 02:19 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/4/2015
Scan Time: 8:32:31 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.05.02
Rootkit Database: v2015.02.03.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Abi and Daniel

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 325450
Time Elapsed: 16 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.DesktopDockApp.A, HKU\S-1-5-21-3902584003-3642212217-1098631534-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DesktopDockApp, Quarantined, [9d75d2480486fd3988a16a2273908d73],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

C:\FRST\Quarantine\C\Program Files (x86)\DEal4me\exyg01egS3st4j.dll a variant of Win32/Adware.MultiPlug.EG application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\DEal4me\exyg01egS3st4j.x64.dll a variant of Win64/Adware.MultiPlug.F application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.dll a variant of Win32/Adware.MultiPlug.EG application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.exe a variant of Win32/AdWare.MultiPlug.BN application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\doWWnloaditkeep\gpVHN34YxkZxBx.x64.dll a variant of Win64/Adware.MultiPlug.F application cleaned by deleting - quarantined


#9 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 05 February 2015 - 09:22 AM

How are things running now?

#10 mariobros117

mariobros117
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, Ak
  • Local time:03:43 PM

Posted 05 February 2015 - 10:34 PM

Things are running great! The IE add-ons I mentioned initially are gone so no more annoying pop-ups and ads. Things greatly improved right after the farbar fix.



#11 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 06 February 2015 - 11:51 AM

If the computer is running fine and you're not having any other problem, then follow these final steps:

Create a System restore point.

Open System by clicking the Start button , right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

Remove ESET Online Scanner:

Click on Start, Settings, Control Panel
Double click on Add/Remove Programs
Find: Eset Online Scanner in the list of installed programs and click on Change/Remove to uninstall it.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can manually delete it.
Please download Delfix and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Finally, to help protect your computer in the future I recommend you to read this article: So how did I get infected in the first place?. I also recommend running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Be sure to post back if you have any more problems.

#12 mariobros117

mariobros117
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, Ak
  • Local time:03:43 PM

Posted 08 February 2015 - 12:58 AM

Thank you for all your help



#13 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 09 February 2015 - 09:05 AM

You are welcome.

#14 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:08:43 PM

Posted 06 April 2015 - 07:06 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



