.exe *32 virus - computer is slow


This topic is locked
7 replies to this topic

#1 Berna22

  • Members
  • 4 posts

Posted 03 February 2015 - 03:21 PM

Please help -

I've noticed that my computer / Chrome / internet connection have been slow for the last couple of days.

I've run Malwarebytes, but the process log still remains the same.

processes_zpscbkm9ulf.jpg

Thank you for your time!




#2 nasdaq

  • Malware Response Team
  • 39,554 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 February 2015 - 10:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.
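The AdwCleaner and FRST reports these steps produce are plain text, and a helper reads them for a handful of markers before deciding on a fix. As an added illustration (not part of this thread, and not code from Xplode, Farbar or BleepingComputer), the Python script below runs that triage over constructed sample lines written in the style of those reports: FRST's "<==== ATTENTION" and "[File not signed]" tags, a service or driver whose file is gone ("[X]"), an autostart entry pointing at a missing file ("(No File)"), AdwCleaner's "[x] Not Deleted" entries, and search scopes or providers whose host is not on an allow-list. The allow-list of expected search hosts and the rule wording are assumptions of the example, not part of either tool.

```python
"""Triage markers in AdwCleaner / FRST-style text reports.

Added example, not code from Xplode (AdwCleaner), Farbar (FRST) or
BleepingComputer. The sample lines are constructed in the style of the
reports such a thread contains; the allow-list of search hosts is an
assumption of this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: search engines the owner actually chose. Anything else that
# shows up as a search scope or provider gets reported for a closer look.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


# Line-level markers, in priority order: the first rule that matches wins,
# so an entry FRST itself tagged "<==== ATTENTION" is reported as such even
# though it usually also carries "[File not signed]".
LINE_RULES = [
    ("FRST flagged this entry", re.compile(r"<====\s*ATTENTION")),
    ("unsigned service/driver binary", re.compile(r"\[File not signed\]")),
    ("service/driver registered but file missing", re.compile(r"^[RS]\d \S+; .*\[X\]$")),
    ("autostart points at a missing file", re.compile(r"\(No File\)$|=> \[X\]$")),
    ("AdwCleaner could not remove this item", re.compile(r"^\[x\] Not (?:Deleted|Disinfected) : ")),
    ("user.js is overriding Firefox preferences", re.compile(r"user\.js: detected!")),
]

# FRST writes search scopes as "... URL = http://..."; AdwCleaner writes
# "[Search Provider] : hxxp://..." with the scheme defanged.
SEARCH_URL = re.compile(r"(?:URL = |\[Search Provider\] : )(?P<url>h(?:tt|xx)ps?://\S+)")


def search_host(line):
    """Return the hostname of a search provider URL on this line, or None."""
    m = SEARCH_URL.search(line)
    if m is None:
        return None
    url = m.group("url").replace("hxxp", "http", 1)  # undo the defanging
    return urlparse(url).hostname


def triage(lines):
    """Return one Finding per line that carries a marker worth a second look."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip()
        host = search_host(line)
        if host is not None:
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding(no, f"search provider on unexpected host {host}", line))
            continue  # a search line is judged by its host only
        for reason, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(no, reason, line))
                break
    return findings


def summarize(findings):
    """Count findings per reason, e.g. to sort a long report by category."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample in the style of the FRST and AdwCleaner reports.
SAMPLE_LINES = [
    r"S4 ProtectMonitor; C:\Program Files\PCDApp\StartHelp.exe [97007 2014-04-10] () [File not signed] <==== ATTENTION",
    r"S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]",
    r"R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)",
    r"S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]",
    r"ShortcutTarget: configuration.lnk -> C:\configuration\configuration.exe (No File)",
    r"HKU\...\Run: [AdobeBridge] => [X]",
    r"SearchScopes: HKLM-x32 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}",
    r"SearchScopes: HKCU -> {4B3F958B-ED8B-410C-AF9B-EB6041C11360} URL = http://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=11147",
    r"[x] Not Deleted : ProtectMonitor",
    r"[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}",
    r"FF user.js: detected! => C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"line {f.line_no:>2}: {f.reason}\n    {f.text}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run it as-is to see the nine flagged lines out of eleven; the two that pass are the signed Windows Defender service and the Google search scope. In practice you would feed it the full FRST.txt and AdwCleaner report and extend KNOWN_SEARCH_HOSTS with whatever the machine's owner actually uses, since a search scope that points at a legitimate engine through a toolbar's affiliate parameters (as with the Yahoo line above) is still a hijack.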

#3 Berna22

  • Topic Starter

  • Members
  • 4 posts

Posted 04 February 2015 - 11:37 AM

Hello Nasdaq, thank you for your quick reply.

The computer is faster, but I still see the .exe *32 processes in the Task Manager Window.

The logs:


# AdwCleaner v4.109 - Report created 04/02/2015 at 17:18:29
# Updated 24/01/2015 by Xplode
# Database : 2015-02-03.1 [Live]
# Operating System : Windows 7 Ultimate  (64 bits)
# Username : Elena - TOSHA
# Running from : C:\Users\Elena\Downloads\adwcleaner_4.109.exe
# Option : Scan
 
***** [ Services ] *****
 
Service Found : ProtectMonitor
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
File Found : C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js
File Found : C:\Users\Elena\daemonprocess.txt
File Found : C:\Windows\System32\drivers\rsdrvx64.sys
Folder Found : C:\Program Files (x86)\MyPC Backup
Folder Found : C:\Program Files\PCDApp
Folder Found : C:\Users\Elena\AppData\Local\genienext
Folder Found : C:\Users\Elena\AppData\Local\Mobogenie
Folder Found : C:\Users\Elena\Documents\Mobogenie
 
***** [ Scheduled Tasks ] *****
 
Task Found : DTReg
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{799DE017-F8A1-41E1-9323-E96611967DE5}
Key Found : HKCU\Software\TNT2
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{799DE017-F8A1-41E1-9323-E96611967DE5}
Key Found : [x64] HKCU\Software\TNT2
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\lbidgdoiglndbjlcnnifemecdhnpeabo
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Found : HKLM\SOFTWARE\SoftwareUpdater
Key Found : HKLM\SOFTWARE\Vittalia
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [OKitSpace@OKitSpace.es]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16561
 
 
-\\ Mozilla Firefox v23.0 (en-US)
 
[tulgsd7x.default] - Line Found : user_pref("browser.search.defaultenginename", "FindWide");
[tulgsd7x.default] - Line Found : user_pref("extensions.enabledAddons", "toolbar11147%40findwide.com:2.0.0.1895,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0");
[tulgsd7x.default] - Line Found : user_pref("plugin.state.npconduitfirefoxplugin", 0);
 
-\\ Google Chrome v40.0.2214.94
 
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.eazel.com/results.php?id=AAA00bde8b08e80e287d4837a8edffc5271&cat=web&co=&lg=en&q={searchTerms}
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://mystart.incredimail.com//?loc=GC_Default_Search&search={searchTerms}&a=1ex67igH3RE
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://en.eazel.com/results.php?cat=web&co=&lg=en&q={searchTerms}&id=6C1BFC4C744F49558F70305D72F4127D&oid=14
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [3864 octets] - [04/02/2015 17:18:29]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3924 octets] ##########
 
 
 
# AdwCleaner v4.109 - Report created 04/02/2015 at 17:23:09
# Updated 24/01/2015 by Xplode
# Database : 2015-02-03.1 [Live]
# Operating System : Windows 7 Ultimate  (64 bits)
# Username : Elena - TOSHA
# Running from : C:\Users\Elena\Downloads\adwcleaner_4.109.exe
# Option : Clean
 
***** [ Services ] *****
 
[x] Not Deleted : ProtectMonitor
 
***** [ Files / Folders ] *****
 
[x] Not Deleted : C:\Program Files (x86)\MyPC Backup
[x] Not Deleted : C:\Program Files\PCDApp
Folder Deleted : C:\Users\Elena\AppData\Local\genienext
Folder Deleted : C:\Users\Elena\AppData\Local\Mobogenie
Folder Deleted : C:\Users\Elena\Documents\Mobogenie
File Deleted : C:\Windows\System32\drivers\rsdrvx64.sys
File Deleted : C:\Users\Elena\daemonprocess.txt
[x] Not Deleted : C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js
[x] Not Deleted : C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
[x] Not Deleted : DTReg
 
***** [ Shortcuts ] *****
 
[x] Not Disinfected : C:\Users\Public\Desktop\Mozilla Firefox.lnk
[x] Not Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[x] Not Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [OKitSpace@OKitSpace.es]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lbidgdoiglndbjlcnnifemecdhnpeabo
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{799DE017-F8A1-41E1-9323-E96611967DE5}
Key Deleted : HKCU\Software\TNT2
Key Deleted : HKLM\SOFTWARE\SoftwareUpdater
Key Deleted : HKLM\SOFTWARE\Vittalia
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16561
 
 
-\\ Mozilla Firefox v23.0 (en-US)
 
[tulgsd7x.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultenginename", "FindWide");
[tulgsd7x.default\prefs.js] - Line Deleted : user_pref("extensions.enabledAddons", "toolbar11147%40findwide.com:2.0.0.1895,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0");
[tulgsd7x.default\prefs.js] - Line Deleted : user_pref("plugin.state.npconduitfirefoxplugin", 0);
 
-\\ Google Chrome v40.0.2214.94
 
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.eazel.com/results.php?id=AAA00bde8b08e80e287d4837a8edffc5271&cat=web&co=&lg=en&q={searchTerms}
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://mystart.incredimail.com//?loc=GC_Default_Search&search={searchTerms}&a=1ex67igH3RE
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.eazel.com/results.php?cat=web&co=&lg=en&q={searchTerms}&id=6C1BFC4C744F49558F70305D72F4127D&oid=14
[C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [4024 octets] - [04/02/2015 17:18:29]
AdwCleaner[S0].txt - [4050 octets] - [04/02/2015 17:23:09]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4110 octets] ##########
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-02-2015
Ran by Elena (administrator) on TOSHA on 04-02-2015 17:32:20
Running from C:\Users\Elena\Downloads
Loaded Profiles: Elena (Available profiles: Elena)
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(BitTorrent Inc.) C:\Users\Elena\AppData\Roaming\BitTorrent\BitTorrent.exe
(Farbar) C:\Users\Elena\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\...\Run: [BitTorrent] => C:\Users\Elena\AppData\Roaming\BitTorrent\BitTorrent.exe [1388888 2014-11-25] (BitTorrent Inc.)
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\...\MountPoints2: {9f357e3b-f177-11e3-ae1b-7054d2899ee4} - G:\SISetup.exe
Startup: C:\Users\Elena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\configuration.lnk
ShortcutTarget: configuration.lnk -> C:\configuration\configuration.exe (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?trackid=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?q={searchTerms}
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
SearchScopes: HKLM-x32 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> {4B3F958B-ED8B-410C-AF9B-EB6041C11360} URL = http://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=11147
SearchScopes: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> FindWide Toolbar - {7A4005A7-E6EB-48D8-A2C2-E4F02B3E76F1} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-4002286674-2776550414-2016994620-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Elena\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF user.js: detected! => C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14]
FF HKLM-x32\...\Firefox\Extensions: [OKitSpace@Vittalia.es] - C:\Users\Elena\AppData\Roaming\okitspace\Firefox
FF Extension: No Name - C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\extensions\toolbar11147@findwide.com.xpi [Not Found]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-07]
CHR Extension: (Google Drive) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-07]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-07]
CHR Extension: (Google Search) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-07]
CHR Extension: (AdBlock) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-04-17]
CHR Extension: (View Image Info (properties)) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\jldjjifbpipdmligefcogandjojpdagn [2013-08-22]
CHR Extension: (Skype Click to Call) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-07-08]
CHR Extension: (Google Mail Checker) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2013-08-22]
CHR Extension: (Google Wallet) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-07]
CHR Profile: C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-13]
CHR Extension: (Google Docs) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-13]
CHR Extension: (Google Drive) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-13]
CHR Extension: (YouTube) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-13]
CHR Extension: (Google Search) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-13]
CHR Extension: (Google Sheets) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-13]
CHR Extension: (Skype Click to Call) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-01-13]
CHR Extension: (Google Wallet) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-13]
CHR Extension: (Gmail) - C:\Users\Elena\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-13]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S4 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-09] ()
S4 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S4 ProtectMonitor; C:\Program Files\PCDApp\StartHelp.exe [97007 2014-04-10] () [File not signed] <==== ATTENTION
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-04] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S3 RtkBtFilter; C:\Windows\System32\DRIVERS\RtkBtfilter.sys [21096 2012-01-05] (Realtek Microelectronics)
R3 RTL8192Ce; C:\Windows\System32\DRIVERS\rtwlane.sys [1082472 2012-01-16] (Realtek Semiconductor Corporation                           )
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-04 17:32 - 2015-02-04 17:32 - 00015104 _____ () C:\Users\Elena\Downloads\FRST.txt
2015-02-04 17:32 - 2015-02-04 17:32 - 00000000 ____D () C:\FRST
2015-02-04 17:28 - 2015-02-04 17:31 - 02131968 _____ (Farbar) C:\Users\Elena\Downloads\FRST64 (1).exe
2015-02-04 17:26 - 2015-02-04 17:26 - 00004198 _____ () C:\Users\Elena\Desktop\AdwCleaner[S0].txt
2015-02-04 17:20 - 2015-02-04 17:20 - 00004024 _____ () C:\Users\Elena\Desktop\adwcln1.txt
2015-02-04 17:18 - 2015-02-04 17:23 - 00000000 ____D () C:\AdwCleaner
2015-02-04 17:16 - 2015-02-04 17:17 - 02194432 _____ () C:\Users\Elena\Downloads\adwcleaner_4.109.exe
2015-02-03 20:53 - 2015-02-03 20:55 - 00000050 _____ () C:\Users\Elena\Downloads\FixPoweliks64.log
2015-02-03 20:48 - 2015-02-03 20:51 - 02747488 _____ (Symantec Corporation) C:\Users\Elena\Desktop\FixPoweliks64.exe
2015-02-03 20:43 - 2015-02-03 20:48 - 02131456 _____ (Farbar) C:\Users\Elena\Downloads\FRST64.exe
2015-02-03 20:07 - 2015-02-04 17:28 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 20:05 - 2015-02-03 20:05 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-03 20:05 - 2015-02-03 20:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-03 20:05 - 2015-02-03 20:05 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-03 20:05 - 2015-02-03 20:05 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-03 20:05 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-03 20:05 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-03 20:05 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-03 19:27 - 2015-02-03 20:04 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Elena\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-03 19:25 - 2015-02-03 19:27 - 01061020 _____ (Malwarebytes Corporation ) C:\Users\Elena\Downloads\Unconfirmed 763988.crdownload
2015-01-26 18:30 - 2015-01-26 18:30 - 00053666 _____ () C:\Users\Elena\Downloads\Kuki labrador Lemonis 26.01.2015. (1).xlsx
2015-01-25 19:20 - 2015-01-25 19:20 - 00001106 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro CC 2014.lnk
2015-01-25 19:07 - 2015-01-25 19:09 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-25 19:06 - 2015-01-25 19:06 - 00001534 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
2015-01-25 19:06 - 2015-01-25 19:06 - 00001522 _____ () C:\Users\Public\Desktop\Adobe Application Manager.lnk
2015-01-05 20:47 - 2015-01-05 20:48 - 05141504 _____ () C:\Users\Elena\Downloads\Amigos.pps
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-04 17:31 - 2013-07-08 00:28 - 01212679 _____ () C:\Windows\WindowsUpdate.log
2015-02-04 17:30 - 2009-07-14 05:45 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-04 17:30 - 2009-07-14 05:45 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-04 17:25 - 2013-07-07 20:25 - 00000000 ____D () C:\Users\Elena\AppData\Roaming\BitTorrent
2015-02-04 17:25 - 2013-07-07 17:32 - 00000828 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-02-04 17:25 - 2013-07-07 17:11 - 00690506 _____ () C:\Windows\PFRO.log
2015-02-04 17:25 - 2013-07-07 17:01 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-04 17:25 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-04 17:25 - 2009-07-14 05:51 - 00081103 _____ () C:\Windows\setupact.log
2015-02-04 17:23 - 2013-07-07 16:37 - 00000000 ____D () C:\Users\Elena
2015-02-04 17:20 - 2013-07-08 19:18 - 00000000 ____D () C:\Users\Elena\AppData\Local\Adobe
2015-02-03 21:56 - 2013-07-07 17:01 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-03 21:45 - 2013-08-25 14:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-03 20:34 - 2014-04-25 21:13 - 00000000 ____D () C:\Program Files\PCDApp
2015-02-01 16:46 - 2013-07-07 17:32 - 00000830 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-01-26 18:27 - 2013-07-07 17:01 - 00085768 _____ () C:\Users\Elena\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-26 18:26 - 2009-07-14 05:45 - 05036024 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-25 19:31 - 2013-07-09 16:56 - 00000000 ____D () C:\Program Files\Adobe
2015-01-25 19:21 - 2013-07-09 17:03 - 00000000 ____D () C:\ProgramData\regid.1986-12.com.adobe
2015-01-25 19:20 - 2013-07-09 16:40 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2015-01-25 19:20 - 2013-07-08 19:22 - 00000000 ____D () C:\Users\Elena\AppData\Roaming\Adobe
2015-01-17 21:18 - 2013-12-12 17:45 - 00000000 _RSHD () C:\configuration
2015-01-15 19:42 - 2014-10-31 12:58 - 00000000 ____D () C:\Users\Elena\Desktop\visa lottery 2016
2015-01-13 22:39 - 2014-08-31 10:57 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-13 22:23 - 2014-08-31 10:57 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-06 04:36 - 2013-07-07 17:00 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2014-02-16 17:34 - 2014-02-16 17:34 - 0000132 _____ () C:\Users\Elena\AppData\Roaming\Adobe AIFF Format CS6 Prefs
2013-11-14 13:20 - 2010-05-28 23:37 - 0015086 _____ () C:\ProgramData\Amazon.ico
 
Some content of TEMP:
====================
C:\Users\Elena\AppData\Local\Temp\26384-672334-skype.exe
C:\Users\Elena\AppData\Local\Temp\26384-673000-skype.exe
C:\Users\Elena\AppData\Local\Temp\26384-673934-skype.exe
C:\Users\Elena\AppData\Local\Temp\6_Offer_3.exe
C:\Users\Elena\AppData\Local\Temp\79787-672468-google-chrome.exe
C:\Users\Elena\AppData\Local\Temp\Deldevice.dll
C:\Users\Elena\AppData\Local\Temp\DelVista.dll
C:\Users\Elena\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Elena\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Elena\AppData\Local\Temp\Installer.dll
C:\Users\Elena\AppData\Local\Temp\Quarantine.exe
C:\Users\Elena\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Elena\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Elena\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Elena\AppData\Local\Temp\sqlite3.dll
C:\Users\Elena\AppData\Local\Temp\vcredist_x64.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-12-11 17:33
 
==================== End Of Log ============================

 

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,554 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:03 PM

Posted 05 February 2015 - 09:21 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\...\Run: [AdobeBridge] => [X]
ShortcutTarget: configuration.lnk -> C:\configuration\configuration.exe (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?trackid=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?q={searchTerms}
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?q={searchTerms}
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
SearchScopes: HKLM-x32 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}
Toolbar: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> FindWide Toolbar - {7A4005A7-E6EB-48D8-A2C2-E4F02B3E76F1} -  No File
FF user.js: detected! => C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js
FF HKLM-x32\...\Firefox\Extensions: [OKitSpace@Vittalia.es] - C:\Users\Elena\AppData\Roaming\okitspace\Firefox
FF Extension: No Name - C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\extensions\toolbar11147@findwide.com.xpi [Not Found]
S4 ProtectMonitor; C:\Program Files\PCDApp\StartHelp.exe [97007 2014-04-10] () [File not signed] <==== ATTENTION
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:6DDED7D9
AlternateDataStreams: C:\ProgramData\TEMP:C76EDAC3
C:\Users\Elena\AppData\Local\Temp\26384-672334-skype.exe
C:\Users\Elena\AppData\Local\Temp\26384-673000-skype.exe
C:\Users\Elena\AppData\Local\Temp\26384-673934-skype.exe
C:\Users\Elena\AppData\Local\Temp\6_Offer_3.exe
C:\Users\Elena\AppData\Local\Temp\79787-672468-google-chrome.exe
C:\Users\Elena\AppData\Local\Temp\Deldevice.dll
C:\Users\Elena\AppData\Local\Temp\DelVista.dll
C:\Users\Elena\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Elena\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Elena\AppData\Local\Temp\Installer.dll
C:\Users\Elena\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Elena\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Elena\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Elena\AppData\Local\Temp\sqlite3.dll
C:\Users\Elena\AppData\Local\Temp\vcredist_x64.exe
C:\Program Files\PCDApp

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

The number of Chrome.exe *32 items reported is not an issue.
Chrome will start as many as are needed to run the extensions that are active.

#5 Berna22

Berna22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:03 PM

Posted 05 February 2015 - 12:49 PM

Thank you nasdaq,

 

The logs:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-02-2015
Ran by Elena at 2015-02-05 18:31:28 Run:1
Running from C:\Users\Elena\Downloads
Loaded Profiles: Elena (Available profiles: Elena)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\...\Run: [AdobeBridge] => [X]
ShortcutTarget: configuration.lnk -> C:\configuration\configuration.exe (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No
File
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?trackid=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?q={searchTerms}
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?q={searchTerms}
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
SearchScopes: HKLM-x32 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL
=
SearchScopes: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = https://www.google.com/search?q={searchTerms}
Toolbar: HKU\S-1-5-21-4002286674-2776550414-2016994620-1000 -> FindWide Toolbar - {7A4005A7-E6EB-48D8-A2C2-E4F02B3E76F1} -  No File
FF user.js: detected! => C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js
FF HKLM-x32\...\Firefox\Extensions: [OKitSpace@Vittalia.es] - C:\Users\Elena\AppData\Roaming\okitspace\Firefox
FF Extension: No Name - C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\extensions\toolbar11147@findwide.com.xpi [Not Found]
S4 ProtectMonitor; C:\Program Files\PCDApp\StartHelp.exe [97007 2014-04-10] () [File not signed] <==== ATTENTION
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:6DDED7D9
AlternateDataStreams:
C:\ProgramData\TEMP:C76EDAC3
C:\Users\Elena\AppData\Local\Temp\26384-672334-skype.exe
C:\Users\Elena\AppData\Local\Temp\26384-673000-skype.exe
C:\Users\Elena\AppData\Local\Temp\26384-673934-skype.exe
C:\Users\Elena\AppData\Local\Temp\6_Offer_3.exe
C:\Users\Elena\AppData\Local\Temp\79787-672468-google-chrome.exe
C:\Users\Elena\AppData\Local\Temp\Deldevice.dll
C:\Users\Elena\AppData\Local\Temp\DelVista.dll
C:\Users\Elena\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Elena\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Elena\AppData\Local\Temp\Installer.dll
C:\Users\Elena\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Elena\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Elena\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Elena\AppData\Local\Temp\sqlite3.dll
C:\Users\Elena\AppData\Local\Temp\vcredist_x64.exe
C:\Program Files\PCDApp
 
End
*****************
 
Processes closed successfully.
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
C:\configuration\configuration.exe not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => Key not found. 
File => Error: No automatic fix found for this entry.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} => Key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
= => Error: No automatic fix found for this entry.
"HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D}" => Key deleted successfully.
HKCR\CLSID\{EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} => Key not found. 
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7A4005A7-E6EB-48D8-A2C2-E4F02B3E76F1} => value deleted successfully.
"HKCR\CLSID\{7A4005A7-E6EB-48D8-A2C2-E4F02B3E76F1}" => Key deleted successfully.
C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\user.js => Moved successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\OKitSpace@Vittalia.es => value deleted successfully.
C:\Users\Elena\AppData\Roaming\Mozilla\Firefox\Profiles\tulgsd7x.default\extensions\toolbar11147@findwide.com.xpi not found.
ProtectMonitor => Service deleted successfully.
ElRawDisk => Service deleted successfully.
C:\ProgramData\TEMP => ":6DDED7D9" ADS removed successfully.
AlternateDataStreams: => Error: No automatic fix found for this entry.
Could not move "C:\ProgramData\TEMP:C76EDAC3" => Scheduled to move on reboot.
C:\Users\Elena\AppData\Local\Temp\26384-672334-skype.exe => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\26384-673000-skype.exe => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\26384-673934-skype.exe => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\6_Offer_3.exe => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\79787-672468-google-chrome.exe => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\Deldevice.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\DelVista.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\DseShExt-x64.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\DseShExt-x86.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\Installer.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\SDShelEx-win32.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\SDShelEx-x64.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Elena\AppData\Local\Temp\vcredist_x64.exe => Moved successfully.
C:\Program Files\PCDApp => Moved successfully.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-05 18:33:50)<=
 
"C:\ProgramData\TEMP:C76EDAC3" => File could not move.
 
==== End of Fixlog 18:33:52 ====
 Results of screen317's Security Check version 0.99.96  
 Windows 7  x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java 7 Update 45  
 Java version 32-bit out of Date! 
  Java 64-bit 8 Update 31  
  Adobe Flash Player 12.0.0.77 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 23.0 Firefox out of Date!  
 Google Chrome (40.0.2214.93) 
 Google Chrome (40.0.2214.94) 
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 4% 
````````````````````End of Log`````````````````````` 
 
 
 
It's not the number of Chrome extensions, it's the *32 next to them that I am worried about.
 
I think the computer is running much better now! 

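As an added example (not part of the thread, and not code from FRST itself): a small Python triage helper that classifies the result lines of a Fixlog like the one posted above. The log it reads is a constructed excerpt with the same line shapes; the three "No automatic fix" entries it flags (File, =, AlternateDataStreams:) are the fragments left behind when a fixlist line wraps while being pasted, which is what the "Content of fixlist" section above shows.

```python
from collections import Counter

# Constructed excerpt; the line shapes are those of the Fixlog posted above.
SAMPLE_FIXLOG = r"""
Processes closed successfully.
HKU\S-1-5-21-4002286674-2776550414-2016994620-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
C:\configuration\configuration.exe not found.
File => Error: No automatic fix found for this entry.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
= => Error: No automatic fix found for this entry.
ProtectMonitor => Service deleted successfully.
C:\ProgramData\TEMP => ":6DDED7D9" ADS removed successfully.
AlternateDataStreams: => Error: No automatic fix found for this entry.
Could not move "C:\ProgramData\TEMP:C76EDAC3" => Scheduled to move on reboot.
C:\Users\Elena\AppData\Local\Temp\6_Offer_3.exe => Moved successfully.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-05 18:33:50)<=
"C:\ProgramData\TEMP:C76EDAC3" => File could not move.
==== End of Fixlog 18:33:52 ====
"""


def classify(line):
    """Map one Fixlog result line to a status keyword (order matters)."""
    low = line.lower()
    if "error: no automatic fix" in low:
        return "unrecognised"   # FRST could not parse this fixlist entry
    if "scheduled to move on reboot" in low:
        return "deferred"       # item was locked; FRST retries at next boot
    if "successfully" in low:
        return "ok"
    if "could not move" in low:
        return "failed"         # still present after the reboot attempt
    if "not found" in low:
        return "not_found"      # nothing left on disk to act on
    return "other"


def parse_fixlog(text):
    """Return (status, subject) pairs; subject is the text left of ' => '."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # skip blanks and the banner lines FRST prints between sections
        if not line or line.startswith(("==", "=>")):
            continue
        subject = line.split(" => ", 1)[0] if " => " in line else line
        entries.append((classify(line), subject))
    return entries


def summarize(text):
    """Count entries per status, e.g. {'ok': 6, 'unrecognised': 3, ...}."""
    return dict(Counter(status for status, _ in parse_fixlog(text)))


def wrapped_fragments(text):
    """Subjects FRST rejected; short or punctuation-only ones are usually
    pieces of a fixlist line that was split across two lines when pasted."""
    return [s for status, s in parse_fixlog(text) if status == "unrecognised"]
```

Entries reported as unrecognised are worth re-checking against the original fixlist before concluding that the corresponding item was handled.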

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,554 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:03 PM

Posted 06 February 2015 - 08:17 AM

Windows 7 x64 (UAC is enabled)
Out of date service pack!!

For your added security I suggest you get the Windows 7 Service pack 1.

Click on the link Out of date service pack!! and follow the instructions.
===

Remove this old version of Java 7 Update 45 using the Add/Remove programs applet.

==

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or if you have the latest close the windows.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

Version as of Feb. 04, 2014 is: Flash 16.0.0.305
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices, and keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 Berna22

Berna22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:03 PM

Posted 07 February 2015 - 04:59 AM

Thank you!! 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,554 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:03 PM

Posted 07 February 2015 - 08:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
