
Fake Google Chrome Virus - Need Help Removing.

This topic is locked
15 replies to this topic

#1 surfside

surfside

  • Members
  • 8 posts

Posted 06 February 2015 - 11:28 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-02-2015
Ran by paisley (administrator) on PAISLEY-PC on 05-02-2015 22:24:38
Running from C:\Users\paisley\Desktop
Loaded Profiles: paisley (Available profiles: paisley)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Windows Mail\wabmig.exe
(Google Inc.) C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Google Inc.) C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_305_ActiveX.exe
(Google Inc.) C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
(Google Inc.) C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6342688 2008-06-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\Run: [cdloader] => C:\Users\paisley\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2014-07-04] (magicJack L.P.)
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\Run: [fsirefxpxm] => regsvr32.exe /s "C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll" <===== ATTENTION
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\MountPoints2: E - E:\autorun.exe
Startup: C:\Users\paisley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKU\S-1-5-21-1768179382-741335731-3357001988-1000 -> DefaultScope {6A1806CD-94D4-4689 URL =
SearchScopes: HKU\S-1-5-21-1768179382-741335731-3357001988-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{C7AE725D-FA5C-4027-BB4C-787EF9F8248A}] - C:\Program Files (x86)\PremierOpinion\firefox

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 PremierOpinion; C:\Program Files (x86)\PremierOpinion\pmservice.exe /service [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 22:24 - 2015-02-05 22:25 - 00007256 _____ () C:\Users\paisley\Desktop\FRST.txt
2015-02-05 22:08 - 2015-02-05 22:09 - 02131968 _____ (Farbar) C:\Users\paisley\Desktop\FRST64.exe
2015-02-05 21:46 - 2015-02-05 22:24 - 00000000 ____D () C:\FRST
2015-02-05 21:01 - 2015-02-05 21:01 - 00007597 _____ () C:\Users\paisley\AppData\Local\Resmon.ResmonCfg
2015-02-05 21:00 - 2015-02-05 21:00 - 00000184 _____ () C:\Windows\wininit.ini
2015-02-05 13:10 - 2015-02-05 13:10 - 00002047 _____ () C:\Users\paisley\Desktop\Budget.lnk
2015-01-22 12:59 - 2015-01-22 12:59 - 00025907 _____ () C:\Users\paisley\Documents\Resthome- Unable.odt
2015-01-14 05:51 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 05:50 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 05:45 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 05:45 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 05:45 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 05:44 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 05:44 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 05:44 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 05:44 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 05:44 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 05:44 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 05:44 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 05:44 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 22:22 - 2014-12-28 21:58 - 01413311 _____ () C:\Windows\WindowsUpdate.log
2015-02-05 22:15 - 2010-11-20 22:47 - 00021582 _____ () C:\Windows\PFRO.log
2015-02-05 22:15 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-05 22:15 - 2009-07-13 23:51 - 00036124 _____ () C:\Windows\setupact.log
2015-02-05 21:40 - 2014-12-29 11:14 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-05 21:06 - 2009-07-13 23:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-05 21:06 - 2009-07-13 23:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-05 20:59 - 2014-12-29 13:11 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-05 14:50 - 2014-12-29 13:11 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-02-04 23:41 - 2014-12-29 11:14 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 23:41 - 2014-12-29 11:14 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-04 23:41 - 2014-12-29 11:14 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-02 11:54 - 2014-12-29 00:19 - 00000000 ____D () C:\Users\paisley\AppData\Roaming\mjusbsp
2015-02-02 11:53 - 2014-12-29 01:06 - 00001007 _____ () C:\Users\paisley\Desktop\magicJack.lnk
2015-02-02 11:53 - 2014-12-29 01:06 - 00000993 _____ () C:\Users\paisley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\magicJack.lnk
2015-01-31 13:50 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-21 08:17 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 03:32 - 2009-07-14 00:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2015-01-15 03:10 - 2014-12-29 03:49 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 03:02 - 2014-12-29 03:49 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-06 04:36 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2015-02-05 21:01 - 2015-02-05 21:01 - 0007597 _____ () C:\Users\paisley\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-01 18:28

==================== End Of Log ============================


#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 12:10 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a Zoek scan. This will help us diagnose your problem.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.


Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
  • Right-click on the zoek icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:
    process;
    services-list;
    systemspecs;
    startupall;
    filesrcm;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Post its content into your next reply.

Edited by deeprybka, 06 February 2015 - 12:10 PM.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#3 surfside

surfside
  • Topic Starter

  • Members
  • 8 posts

Posted 06 February 2015 - 12:40 PM

Thank you, deeprybka for your help!

 

Zoek.exe v5.0.0.0 Updated 06-February-2015
Tool run by paisley on Fri 02/06/2015 at 12:23:10.35.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\paisley\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

2/6/2015 12:24:45 PM Zoek.exe System Restore Point Created Succesfully.

==== Running Processes ======================

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
C:\Program Files (x86)\Windows Mail\wabmig.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Users\paisley\AppData\Roaming\mjusbsp\magicJack.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
C:\Users\paisley\Desktop\zoek.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea\qikdwcgx\vorzfsguerc.exe

==== Services(whitelist) ======================
Powered by E Dev

R2 - [AdobeARMservice] - Adobe Acrobat Update Service - c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
R2 - [Ati External Event Utility] - Ati External Event Utility - c:\windows\system32\ati2evxx.exe
R2 - [SDScannerService] - Spybot-S&D 2 Scanner Service - c:\program files (x86)\spybot - search & destroy 2\sdfssvc.exe
R2 - [SDUpdateService] - Spybot-S&D 2 Updating Service - c:\program files (x86)\spybot - search & destroy 2\sdupdsvc.exe
R2 - [SDWSCService] - Spybot-S&D 2 Security Center Service - c:\program files (x86)\spybot - search & destroy 2\sdwscsvc.exe
R2 - [TeamViewer] - TeamViewer 10 - c:\program files (x86)\teamviewer\teamviewer_service.exe
R2 - [wlidsvc] - Windows Live ID Sign-in Assistant - c:\program files\common files\microsoft shared\windows live\wlidsvc.exe
R2 - [WMPNetworkSvc] - Windows Media Player Network Sharing Service - c:\program files\windows media player\wmpnetwk.exe
R2 - [WSearch] - Windows Search - c:\windows\system32\searchindexer.exe
R3 - [VSS] - Volume Shadow Copy - c:\windows\system32\vssvc.exe
S2 - [clr_optimization_v4.0.30319_32] - Microsoft .NET Framework NGEN v4.0.30319_X86 - c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
S2 - [clr_optimization_v4.0.30319_64] - Microsoft .NET Framework NGEN v4.0.30319_X64 - c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
S2 - [PremierOpinion] - PremierOpinion - c:\program files (x86)\premieropinion\pmservice.exe [x]
S2 - [sppsvc] - Software Protection - c:\windows\system32\sppsvc.exe
S3 - [AdobeFlashPlayerUpdateSvc] - Adobe Flash Player Update Service - c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
S3 - [ALG] - Application Layer Gateway Service - c:\windows\system32\alg.exe
S3 - [aspnet_state] - ASP.NET State Service - c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
S3 - [COMSysApp] - COM+ System Application - c:\windows\system32\dllhost.exe
S3 - [ehRecvr] - Windows Media Center Receiver Service - c:\windows\ehome\ehrecvr.exe
S3 - [ehSched] - Windows Media Center Scheduler Service - c:\windows\ehome\ehsched.exe
S3 - [Fax] - Fax - c:\windows\system32\fxssvc.exe
S3 - [FontCache3.0.0.0] - Windows Presentation Foundation Font Cache 3.0.0.0 - c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
S3 - [gusvc] - Google Updater Service - c:\program files (x86)\google\common\google updater\googleupdaterservice.exe
S3 - [IEEtwCollectorService] - Internet Explorer ETW Collector Service - c:\windows\system32\ieetwcollector.exe
S3 - [MSDTC] - Distributed Transaction Coordinator - c:\windows\system32\msdtc.exe
S3 - [msiserver] - Windows Installer - c:\windows\system32\msiexec.exe
S3 - [PerfHost] - Performance Counter DLL Host - c:\windows\syswow64\perfhost.exe
S3 - [RpcLocator] - Remote Procedure Call (RPC) Locator - c:\windows\system32\locator.exe
S3 - [SNMPTRAP] - SNMP Trap - c:\windows\system32\snmptrap.exe
S3 - [TrustedInstaller] - Windows Modules Installer - c:\windows\servicing\trustedinstaller.exe
S3 - [vds] - Virtual Disk - c:\windows\system32\vds.exe
S3 - [WatAdminSvc] - Windows Activation Technologies Service - c:\windows\system32\wat\watadminsvc.exe
S3 - [wbengine] - Block Level Backup Engine Service - c:\windows\system32\wbengine.exe
S3 - [wmiApSrv] - WMI Performance Adapter - c:\windows\system32\wbem\wmiapsrv.exe
S4 - [clr_optimization_v2.0.50727_32] - Microsoft .NET Framework NGEN v2.0.50727_X86 - c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
S4 - [clr_optimization_v2.0.50727_64] - Microsoft .NET Framework NGEN v2.0.50727_X64 - c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe

==== System Specs ======================

Windows: Windows 7 Professional Edition (64-bit) Service Pack 1 (Build 7601)
Memory (RAM): 1919 MB
CPU Info: AMD Athlon™ 64 X2 Dual Core Processor 4200+
CPU Speed: 2191.6 MHz
Sound Card: Speakers (Realtek High Definiti |
Handset (USB Internet Phone by  |
Display Adapters: ATI Radeon Xpress 1150 Series | ATI Radeon Xpress 1150 Series | RDPDD Chained DD | RDP Encoder Mirror Driver | RDP Reflector Display Driver
Monitors: 1x; Generic PnP Monitor |
Screen Resolution: 1024 X 768 - 32 bit
Network: Network Present
Network Adapters: Broadcom NetXtreme Gigabit Ethernet
CD / DVD Drives: 2x (D: | E: | ) D: ATAPI   iHAS524   B      | E: YMAX
Ports: COM1 LPT1
Mouse: 16 Button Wheel Mouse Present
Hard Disks: C:  694.8GB
Hard Disks - Free: C:  661.0GB
Manufacturer *: Hewlett-Packard
BIOS Info: AT/AT COMPATIBLE | 08/07/08 | HPQOEM - 20080807
Time Zone: Eastern Standard Time
Motherboard *: Hewlett-Packard 0A64h
Country: United States
Language: ENU

==== System Specs (Software) ======================

Anti-Spyware: Windows Defender disabled (Outdated)
Anti-Spyware: Spybot - Search and Destroy disabled (Outdated)
Internet Explorer Version: 11.0.9600.17501
Adobe Reader version: 11.0.10.32

==== Files Recently Created / Modified ======================

====== C:\Windows ====
2015-02-06 02:00:02 68665AFC323C69F8FF44496A0F1E2378 184 ----a-w- C:\Windows\wininit.ini
====== C:\Users\paisley\AppData\Local\Temp ====
====== Java Cache =====
====== C:\Windows\SysWOW64 =====
====== C:\Windows\SysWOW64\drivers =====
====== C:\Windows\Sysnative =====
====== C:\Windows\Sysnative\drivers =====
2015-01-14 10:44:53 AE3334958D8F631FF14A0AEB3D7EFB3A 141312 ----a-w- C:\Windows\Sysnative\drivers\mrxdav.sys
====== C:\Windows\Tasks ======
====== C:\Windows\Temp ======
======= C:\Program Files =====
======= C:\PROGRA~2 =====
======= C: =====
====== C:\Users\paisley\AppData\Roaming ======
2015-02-06 02:01:26 E63DAE89CAA83A1C5180CD522CC60550 7597 ----a-w- C:\Users\paisley\AppData\Local\Resmon.ResmonCfg
2015-02-05 19:49:54 -------- d-----w- C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Programs
====== C:\Users\paisley ======
2015-02-06 03:08:42 8C53B3CCC34D91A49A4B597AF7CA6892 2131968 ----a-w- C:\Users\paisley\Desktop\FRST64.exe

====== C: exe-files ==
2015-02-06 14:57:01 CDE2B3E090FC244BC79BD0FAE198065F 11427488 ---ha-w- C:\Users\paisley\AppData\Roaming\mjusbsp\in00000\setup.exe
2015-02-06 03:08:42 8C53B3CCC34D91A49A4B597AF7CA6892 2131968 ----a-w- C:\Users\paisley\Desktop\FRST64.exe
2015-02-06 02:45:28 8C53B3CCC34D91A49A4B597AF7CA6892 2131968 ----a-w- C:\Users\paisley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RAVONINX\FRST64.exe
2015-02-01 22:02:30 2608EB3DB2AD14E9B1CEC36970CDC8D8 1097504 ---ha-w- C:\Users\paisley\AppData\Roaming\mjusbsp\ar00000\install.exe
=== C: other files ==

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="C:\Users\paisley\AppData\Roaming\mjusbsp\cdloader2.exe MAGICJACK"
"fsirefxpxm"="regsvr32.exe /s C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll"
"Spybot-S&D Cleaning"="C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe /autoclean"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun"
"SDTray"="C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="C:\Users\paisley\AppData\Roaming\mjusbsp\cdloader2.exe MAGICJACK"
"fsirefxpxm"="regsvr32.exe /s C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll"
"Spybot-S&D Cleaning"="C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe /autoclean"

==== Startup Registry Enabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe"

==== Startup Folders ======================

2014-12-29 17:37:06 1242 ----a-w- C:\Users\paisley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

==== Task Scheduler Jobs ======================

C:\Windows\tasks\Adobe Flash Player Updater.job --a------ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [02/04/2015 11:41 PM]

==== Other Scheduled Tasks ======================

"C:\Windows\SysNative\tasks\Adobe Acrobat Update Task" [C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe]
"C:\Windows\SysNative\tasks\Adobe Flash Player Updater" [C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe]

==== C:\zoek_backup content ======================

C:\zoek_backup (files=0 folders=0 0 bytes)

==== EOF on Fri 02/06/2015 at 12:30:09.52 ======================



#4 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 01:07 PM

Step 1

Upload File(s) to VirusTotal
I want you to upload the following file(s) to an online virus-scanner to scan.
  • Click the Choose File button.
  • Please copy/paste the following text into the 'File name:' box:
    C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll
    
  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Copy and Paste the link of the result page in your reply.
Malware Warning

If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, Email, eBay, Paypal, online forums, etc).

Step 2

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.
Attached File: fixlist.txt (714 bytes)

After the Reboot:

Step 3

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

regards,
deeprybka

#5 surfside

surfside
  • Topic Starter

  • Members
  • 8 posts

Posted 06 February 2015 - 01:16 PM

Before I proceed with this next step, why do I need to change all of my account information that I may have used with this computer? Are you suggesting that I change my accounts or just my account usernames and passwords?



#6 surfside

surfside
  • Topic Starter

  • Members
  • 8 posts

Posted 06 February 2015 - 01:28 PM

Also, the instructions on Step 2 tell me to save the fixlist.txt file in the "same directory as FRST". I have the FRST64.exe file on my desktop. However, I have an FRST file in my C: drive that includes 3 folders: Hives, Logs and Quarantine. So, should I put the fixlist.txt file on my desktop with the FRST64.exe file or in the C: file along with the FRST folder?



#7 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 01:30 PM

Better safe than sorry!

Nowadays Malware is very sophisticated. If that computer was used for online banking etc. I always recommend changing passwords.

http://virusradar.com/en/Win32_TrojanDownloader.Tracur.AL/description


regards,
deeprybka

#8 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 01:31 PM

Also, the instructions on Step 2 tell me to save the fixlist.txt file in the "same directory as FRST". I have the FRST64.exe file on my desktop. However, I have an FRST file in my C: drive that includes 3 folders: Hives, Logs and Quarantine. So, should I put the fixlist.txt file on my desktop with the FRST64.exe file or in the C: file along with the FRST folder?

 

Please save it to the Desktop! :)


Edited by deeprybka, 06 February 2015 - 01:33 PM.

regards,
deeprybka

#9 surfside

surfside
  • Topic Starter

  • Members
  • 8 posts

Posted 06 February 2015 - 01:46 PM

Fixlog.txt file...

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-02-2015
Ran by paisley at 2015-02-06 13:34:53 Run:1
Running from C:\Users\paisley\Desktop
Loaded Profiles: paisley (Available profiles: paisley)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea
C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\Run: [fsirefxpxm] => regsvr32.exe /s "C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll"
SearchScopes: HKU\S-1-5-21-1768179382-741335731-3357001988-1000 -> DefaultScope {6A1806CD-94D4-4689 URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S2 PremierOpinion; C:\Program Files (x86)\PremierOpinion\pmservice.exe /service [X]
C:\Program Files (x86)\PremierOpinion
CreateRestorePoint:
EmptyTemp:
*****************

Processes closed successfully.
C:\Users\paisley\AppData\LocalLow\Microsoft\xunnxpnea => Moved successfully.
C:\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll => Moved successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key deleted successfully.
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Windows\CurrentVersion\Run\\fsirefxpxm => value deleted successfully.
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
PremierOpinion => Service deleted successfully.
"C:\Program Files (x86)\PremierOpinion" => File/Directory not found.
Restore point was successfully created.
EmptyTemp: => Removed 493 MB temporary data.

The system needed a reboot.

==== End of Fixlog 13:37:04 ====



#10 surfside
  • Topic Starter
  • Members
  • 8 posts

Posted 06 February 2015 - 01:49 PM

FRST.txt after reboot/new scan....

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-02-2015
Ran by paisley (administrator) on PAISLEY-PC on 06-02-2015 13:46:20
Running from C:\Users\paisley\Desktop
Loaded Profiles: paisley (Available profiles: paisley)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_305_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6342688 2008-06-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\Run: [cdloader] => C:\Users\paisley\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2014-07-04] (magicJack L.P.)
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\...\MountPoints2: E - E:\autorun.exe
Startup: C:\Users\paisley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?gws_rd=ssl
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-1768179382-741335731-3357001988-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKU\S-1-5-21-1768179382-741335731-3357001988-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{C7AE725D-FA5C-4027-BB4C-787EF9F8248A}] - C:\Program Files (x86)\PremierOpinion\firefox

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-06 12:24 - 2015-02-06 12:30 - 00011109 _____ () C:\zoek-results.log
2015-02-06 12:22 - 2015-02-06 12:22 - 00000000 ____D () C:\zoek_backup
2015-02-06 12:15 - 2015-02-06 12:15 - 01295360 _____ () C:\Users\paisley\Desktop\zoek.exe
2015-02-06 11:14 - 2015-02-06 11:14 - 00197176 _____ () C:\Users\paisley\Desktop\FakeGoogleChromeVirus_TskMgr.odg
2015-02-05 22:26 - 2015-02-05 22:27 - 00021790 _____ () C:\Users\paisley\Desktop\Addition.txt
2015-02-05 22:24 - 2015-02-06 13:46 - 00006507 _____ () C:\Users\paisley\Desktop\FRST.txt
2015-02-05 22:08 - 2015-02-05 22:09 - 02131968 _____ (Farbar) C:\Users\paisley\Desktop\FRST64.exe
2015-02-05 21:46 - 2015-02-06 13:46 - 00000000 ____D () C:\FRST
2015-02-05 21:01 - 2015-02-05 21:01 - 00007597 _____ () C:\Users\paisley\AppData\Local\Resmon.ResmonCfg
2015-02-05 21:00 - 2015-02-05 21:00 - 00000184 _____ () C:\Windows\wininit.ini
2015-02-05 13:10 - 2015-02-05 13:10 - 00002047 _____ () C:\Users\paisley\Desktop\Budget.lnk
2015-01-22 12:59 - 2015-01-22 12:59 - 00025907 _____ () C:\Users\paisley\Documents\Resthome- Unable.odt
2015-01-14 05:51 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 05:50 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 05:45 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 05:45 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 05:45 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 05:44 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 05:44 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 05:44 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 05:44 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 05:44 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 05:44 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 05:44 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 05:44 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-06 13:46 - 2009-07-13 23:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-06 13:46 - 2009-07-13 23:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-06 13:40 - 2014-12-29 11:14 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-06 13:38 - 2010-11-20 22:47 - 00021914 _____ () C:\Windows\PFRO.log
2015-02-06 13:38 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-06 13:38 - 2009-07-13 23:51 - 00036180 _____ () C:\Windows\setupact.log
2015-02-06 13:37 - 2014-12-28 21:58 - 01454987 _____ () C:\Windows\WindowsUpdate.log
2015-02-06 13:34 - 2014-12-28 20:23 - 00000000 ____D () C:\Users\paisley\AppData\Local\VirtualStore
2015-02-06 09:57 - 2014-12-29 01:06 - 00001007 _____ () C:\Users\paisley\Desktop\magicJack.lnk
2015-02-06 09:57 - 2014-12-29 01:06 - 00000993 _____ () C:\Users\paisley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\magicJack.lnk
2015-02-06 09:57 - 2014-12-29 00:19 - 00000000 ____D () C:\Users\paisley\AppData\Roaming\mjusbsp
2015-02-05 20:59 - 2014-12-29 13:11 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-05 14:50 - 2014-12-29 13:11 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-02-04 23:41 - 2014-12-29 11:14 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 23:41 - 2014-12-29 11:14 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-04 23:41 - 2014-12-29 11:14 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-31 13:50 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-21 08:17 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 03:32 - 2009-07-14 00:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2015-01-15 03:10 - 2014-12-29 03:49 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 03:02 - 2014-12-29 03:49 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-02-05 21:01 - 2015-02-05 21:01 - 0007597 _____ () C:\Users\paisley\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-01 18:28

==================== End Of Log ============================



#11 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 01:51 PM

What about step 1? :)
regards,
deeprybka

#12 surfside
  • Topic Starter
  • Members
  • 8 posts

Posted 06 February 2015 - 02:09 PM

YIKES!! I am surprised that I missed that! Very sorry. Do I need to start all over again?



#13 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 02:18 PM

YIKES!! I am surprised that I missed that! Very sorry. Do I need to start all over again?

:lol: No... I am just curious!


Let's do a final check up:

Step 1


Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the settings shown in the screenshot (settings.png).
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at the location shown in the screenshot (logpath.png).
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!



Can you please tell me which problems still persist now?
How is the computer running?

regards,
deeprybka

#14 surfside
  • Topic Starter
  • Members
  • 8 posts

Posted 06 February 2015 - 08:33 PM

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=dae6ccfe3dda074cb060f060f3383552
# engine=22350
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-02-07 01:28:22
# local_time=2015-02-06 08:28:22 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 174815952 0 0
# scanned=27347
# found=23
# cleaned=0
# scan_time=1250
sh=B0DA3CB4833A2D25A9FE60445BC9616CE4E623EC ft=1 fh=e3e751becd735e57 vn="a variant of Win32/Kryptik.CUPN trojan" ac=I fn="C:\FRST\Quarantine\C\Users\paisley\AppData\Local\VirtualStore\fsirefxpxm.dll.xBAD"
sh=B0DA3CB4833A2D25A9FE60445BC9616CE4E623EC ft=1 fh=e3e751becd735e57 vn="a variant of Win32/Kryptik.CUPN trojan" ac=I fn="C:\Users\paisley\AppData\LocalLow\bdsrauv.dll"
sh=94F850FA5E86E6AB2BEE2552716C9491CA58354E ft=1 fh=546bb2a66f4e8a03 vn="Win32/Idmsq.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\IDM2.exe"
sh=498E55D356A8991A9B56DD7B21F01454DFA61F70 ft=1 fh=9ce63ba366238ec8 vn="a variant of Win32/Toolbar.Visicom.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\iMeshV10.exe"
sh=949DA799F3197B6BA95D7E13D604C20BA63069F5 ft=1 fh=1342330a47d7975f vn="a variant of Win32/Toolbar.Visicom.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\iMeshV9.exe"
sh=6844FDE4AFEBA49A442C79792B149C87973BD0C1 ft=1 fh=408ea01ba08fd1c6 vn="a variant of Win32/ClientConnect.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\InstallConverter_TSV499JUR.exe"
sh=6844FDE4AFEBA49A442C79792B149C87973BD0C1 ft=1 fh=408ea01ba08fd1c6 vn="a variant of Win32/ClientConnect.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\InstallConverter_TSV499JUU.exe"
sh=016E229D24A1270FF62DFE57D491267AFBC67EA1 ft=1 fh=b48811c120bcafa1 vn="Win32/OpenCandy potentially unsafe application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\musicnotesSuite.exe"
sh=B5A1876830C8CEA0917A046417A22CE76CB0B161 ft=1 fh=e26c60c3baddfee8 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup(1).exe"
sh=9409A9D836CDDA242FC70021675BF1ABC39D71EF ft=1 fh=d4ff60f8baddfee8 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup(2).exe"
sh=481CE9E03E98FAF07C6EC92376838A42E0DA6F5A ft=1 fh=ce599c4c6bc9e988 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup(3).exe"
sh=A35937B3C99A9802A5E1AEA156C382C346DAE42E ft=1 fh=f0bd927b6bc9e988 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup(4).exe"
sh=786C7A1A959CBFD87C19D239BB2A3B1915C2AD69 ft=1 fh=32dc384e6bc9e988 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup(5).exe"
sh=1E0F7D9007B181B35402B877671964E58F290E6F ft=1 fh=7045d4096bc9e988 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup(6).exe"
sh=EE84F75D829A8247170B398E13E3E804AAC5B72F ft=1 fh=333d00fabaddfee8 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\Player_Setup.exe"
sh=6AAF8BD843B4975E8F6F90E056CB64E6487CD2CC ft=1 fh=30bce093a15a8d23 vn="Win32/Systweak.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\rcpuninau_2006111702366.exe"
sh=6AAF8BD843B4975E8F6F90E056CB64E6487CD2CC ft=1 fh=30bce093a15a8d23 vn="Win32/Systweak.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\rcpuninau_2006111949552.exe"
sh=2DD5BDE756E0BB974BCCE667F751C23864C8263C ft=1 fh=b3c5f9c4ee1e944b vn="Win32/Systweak.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\regclean_my40945(1).exe"
sh=2DD5BDE756E0BB974BCCE667F751C23864C8263C ft=1 fh=b3c5f9c4ee1e944b vn="Win32/Systweak.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\regclean_my40945(2).exe"
sh=2DD5BDE756E0BB974BCCE667F751C23864C8263C ft=1 fh=b3c5f9c4ee1e944b vn="Win32/Systweak.D potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\regclean_my40945.exe"
sh=0F2D7CD3AA955443F8B4A55F70C06DCDEE794454 ft=1 fh=ec1634c31f4ea0f6 vn="a variant of Win32/SmartTweak.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\UpdateMyDrivers(1).exe"
sh=0F2D7CD3AA955443F8B4A55F70C06DCDEE794454 ft=1 fh=ec1634c31f4ea0f6 vn="a variant of Win32/SmartTweak.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\UpdateMyDrivers(2).exe"
sh=0F2D7CD3AA955443F8B4A55F70C06DCDEE794454 ft=1 fh=ec1634c31f4ea0f6 vn="a variant of Win32/SmartTweak.A potentially unwanted application" ac=I fn="C:\Users\paisley\Desktop\Old Computer Backup\Downloads\UpdateMyDrivers.exe"

 

PC is running faster than it was. Definitely an improvement. Thank you!
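As an added example (not code from this thread, from ESET or from Farbar), here is a Python triage script for the ESET Online Scanner log format posted above: it parses the `# key=value` header and the `sh=... vn=... fn=...` detection lines, separates files FRST already moved into C:\FRST\Quarantine from PUA installers and from live threats, and flags a live file whose SHA-1 equals a quarantined one, which is the pattern in the log above (the LocalLow dll carries the same hash as the quarantined VirtualStore dll). The sample log, hashes, user name and file names are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# An ESET Online Scanner detection line is a run of key=value pairs. The
# vn= (verdict name) and fn= (file name) values are double-quoted because
# they may contain spaces; sh= (SHA-1), ft=, fh= and ac= are bare tokens.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log in the same layout as the log posted above; the
# hashes, user name and file names are placeholders, not real values.
SAMPLE_LOG = r'''
# product=EOS
# version=8
# remove_checked=false
# scanned=4
# found=4
# cleaned=0
sh=AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 ft=1 fh=1111111111111111 vn="a variant of Win32/Kryptik.CUPN trojan" ac=I fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\VirtualStore\sample.dll.xBAD"
sh=AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 ft=1 fh=1111111111111111 vn="a variant of Win32/Kryptik.CUPN trojan" ac=I fn="C:\Users\user\AppData\LocalLow\sample2.dll"
sh=BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000 ft=1 fh=2222222222222222 vn="a variant of Win32/SoftPulse.D potentially unwanted application" ac=I fn="C:\Users\user\Desktop\Old Computer Backup\Downloads\Player_Setup.exe"
sh=CCCC0000CCCC0000CCCC0000CCCC0000CCCC0000 ft=1 fh=3333333333333333 vn="Win32/OpenCandy potentially unsafe application" ac=I fn="C:\Users\user\Desktop\Old Computer Backup\Downloads\bundle.exe"
'''


@dataclass(frozen=True)
class Detection:
    sha1: str
    verdict: str
    path: str


def parse_eset_log(text):
    """Return (header dict, list of Detection) from an ESET Online Scanner log."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):
            key, sep, value = line[1:].strip().partition('=')
            if sep:
                header[key.strip()] = value.strip()
        elif line.startswith('sh='):
            fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                      for m in PAIR_RE.finditer(line)}
            detections.append(Detection(fields.get('sh', ''), fields.get('vn', ''),
                                        fields.get('fn', '')))
    return header, detections


def is_pua(verdict):
    """ESET labels adware and bundlers 'potentially unwanted/unsafe application'."""
    v = verdict.lower()
    return 'potentially unwanted' in v or 'potentially unsafe' in v


def triage(detections):
    """Bucket detections: already moved by FRST into its quarantine folder,
    PUA installers (inert until run), live threats, and live files whose
    SHA-1 equals a quarantined file (a second dropped copy of the same malware)."""
    quarantined = [d for d in detections if '\\frst\\quarantine\\' in d.path.lower()]
    known = {d.sha1 for d in quarantined}
    report = {'quarantined': quarantined, 'pua': [], 'live': [], 'copy_of_quarantined': []}
    for d in detections:
        if d in quarantined:
            continue
        if is_pua(d.verdict):
            report['pua'].append(d)
        elif d.sha1 in known:
            report['copy_of_quarantined'].append(d)
        else:
            report['live'].append(d)
    return report


def summarize(text):
    """Counts per bucket, verdict families, and whether the scanner removed anything
    (it only cleans when remove_checked=true; cleaned=0 means no file was removed)."""
    header, detections = parse_eset_log(text)
    report = triage(detections)
    return {
        'counts': {bucket: len(items) for bucket, items in report.items()},
        'families': Counter(d.verdict for d in detections),
        'nothing_removed': header.get('cleaned') == '0',
        'needs_action': [d.path for d in report['live'] + report['copy_of_quarantined']],
    }


if __name__ == '__main__':
    result = summarize(SAMPLE_LOG)
    print(result['counts'])
    for path in result['needs_action']:
        print('still on disk, not quarantined:', path)
```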
 



#15 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 07 February 2015 - 02:16 AM

Hi,

Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.
Attached file: fixlist.txt (1.68 KB)

 
No Resident Protection Warning

Always have one (and no more than one!) antivirus program, as resident protection is absolutely a must-have on any Windows system!
Nowadays we have plenty of free AV programs. This choice is up to you.

That's it!
Your logs look clean to me at the moment. :thumbup2:
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free, however...
If I have helped you then please consider donating to continue the fight against malware.
Thank you!


Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:
  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.
Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.

 
Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

Edited by deeprybka, 07 February 2015 - 02:18 AM.

regards,
deeprybka



