
Infected with Jelbrus Secure Web & do not know how to remove


This topic is locked
22 replies to this topic

#1 chimchim


Posted 10 February 2015 - 04:16 AM

Hello and thanks in advance for any help you can give me!

 

There's a folder called Jelbrus Secure Web located in Program Files (x86). I get an advertising sidebar and a zillion pop-ups in Firefox (not in IE) and it gives me occasional messages about how my computer is infected with malware (I didn't manage to copy the exact message). It has disabled my antivirus software, my Firefox add-ons, and does not appear in the task manager or uninstall list. I tried removing it myself using the guide for the Windows Secure Web Patch, which is what I initially thought this malware might be, so I did the following: rebooted in safe mode with networking, downloaded and ran rkill, but rkill keeps saying "no issues found" and finishes scanning in 5 seconds or so. Tried it about 50 times and get the same results each time. I also tried every version of rkill (.com, .exe, etc.) with the same results. Checked to see that my firewall is on and it is. And now I'm stumped.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
Ran by Alexandra (administrator) on ALEXANDRA-PC on 10-02-2015 00:42:42
Running from C:\Users\Alexandra\Desktop
Loaded Profiles: Alexandra (Available profiles: Alexandra)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7510232 2014-01-17] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374936 2014-01-13] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [285272 2013-12-30] (Waves Audio Ltd.)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3777696 2014-01-16] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [8921600 2013-11-27] (Dell Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2806000 2014-01-15] (Synaptics Incorporated)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2779024 2011-03-14] (CANON INC.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-12-20] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-26] (AVAST Software)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1612920 2011-08-04] (CANON INC.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2011-01-15] (CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\...\Run: [f.lux] => C:\Users\Alexandra\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
Lsa: [Notification Packages] scecli c:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 0x00
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 0x00
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> DefaultScope {B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {52FEA991-F24D-42D8-9A4E-3C26EE8C19CB} URL =
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SecureWebBHO Class -> {D3C24E2B-C820-4492-9B69-11BF7163F998} -> C:\Program Files (x86)\Jelbrus Secure Web\jsie.dll (Jelbrus)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default
FF DefaultSearchEngine: DuckDuckGo
FF Homepage: about:newtab
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\user.js
FF SearchPlugin: C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\searchplugins\Vosteran.xml
FF Extension: Add to Delicious - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\delicious@techraga.com.xpi [2015-01-20]
FF Extension: AmazonSmile 1Button for Firefox - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\smile1Button@amazon.com.xpi [2015-01-07]
FF Extension: Pinterest Pin Button - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\{677a8f98-fd64-40b0-a883-b8c95d0cbf17}.xpi [2015-01-18]
FF Extension: Adblock Plus - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-01-09]
FF Extension: Firefox Helper - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\c36304a546e788d19c8fe61f67244b4f [2015-02-09]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-01-07]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-01-07]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-07]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-07] (AVAST Software)
S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2015-01-07] (Avast Software)
S2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [138192 2011-02-07] ()
S2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
S2 Live Malware Protection; C:\Windows\mlwps.exe [239104 2015-02-09] (AV Security Software) [File not signed]
S2 PrivoxyService; C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe [443202 2015-02-09] (The Privoxy team - www.privoxy.org) [File not signed]
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
S2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-08-19] (Microsoft Corporation)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [6170624 2013-11-27] (Dell Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-07] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-07] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-07] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-07] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-07] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-07] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-07] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-07] ()
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [172760 2013-11-27] (Broadcom Corporation.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-08-29] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
S2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [271752 2015-01-07] (Avast Software)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 00:42 - 2015-02-10 00:43 - 00014865 _____ () C:\Users\Alexandra\Desktop\FRST.txt
2015-02-10 00:42 - 2015-02-10 00:42 - 00000000 ____D () C:\FRST
2015-02-10 00:41 - 2015-02-10 00:41 - 02132992 _____ (Farbar) C:\Users\Alexandra\Desktop\FRST64.exe
2015-02-10 00:21 - 2015-02-10 00:21 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\Alexandra\Downloads\rkill (1).com
2015-02-10 00:20 - 2015-02-10 00:20 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Alexandra\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-09 23:50 - 2015-02-09 23:50 - 02480312 _____ (Sysinternals - www.sysinternals.com) C:\Users\Alexandra\Downloads\procexp.exe
2015-02-09 23:31 - 2015-02-09 23:31 - 00000000 __SHD () C:\Users\Alexandra\AppData\Local\EmieBrowserModeList
2015-02-09 23:28 - 2015-02-09 23:30 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Alexandra\Downloads\spybot-2.4.exe
2015-02-09 23:15 - 2015-02-10 00:26 - 00002588 _____ () C:\Users\Alexandra\Desktop\Rkill.txt
2015-02-09 23:15 - 2015-02-09 23:15 - 00000000 ____D () C:\Users\Alexandra\Desktop\rkill
2015-02-09 22:10 - 2015-02-09 22:10 - 00003756 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-02-09 22:10 - 2015-02-09 22:10 - 00000000 ____D () C:\Windows\AutoKMS
2015-02-09 21:54 - 2015-02-09 21:54 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2015-02-09 21:48 - 2015-02-09 21:48 - 00003294 _____ () C:\Windows\System32\Tasks\Jelbrus Secure Web Task
2015-02-09 21:32 - 2015-02-09 21:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint
2015-02-09 21:32 - 2015-02-09 21:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-02-09 21:30 - 2015-02-09 21:30 - 00000000 ____D () C:\Program Files\Microsoft Synchronization Services
2015-02-09 21:29 - 2015-02-09 21:29 - 00000000 ____D () C:\Windows\PCHEALTH
2015-02-09 21:29 - 2015-02-09 21:29 - 00000000 ____D () C:\Program Files\Microsoft Sync Framework
2015-02-09 21:29 - 2015-02-09 21:29 - 00000000 ____D () C:\Program Files\Microsoft SQL Server Compact Edition
2015-02-09 21:26 - 2015-02-09 21:26 - 00000000 ____D () C:\Program Files (x86)\Microsoft Visual Studio 8
2015-02-09 21:25 - 2015-02-09 21:25 - 00000000 ____D () C:\Program Files\Microsoft Analysis Services
2015-02-09 21:25 - 2015-02-09 21:25 - 00000000 ____D () C:\Program Files (x86)\Microsoft Analysis Services
2015-02-09 21:24 - 2015-02-09 21:29 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-02-09 21:23 - 2015-02-09 21:23 - 00000000 __RHD () C:\MSOCache
2015-02-09 20:59 - 2015-02-09 21:04 - 00000000 ____D () C:\Program Files\Microsoft Office 2010
2015-02-09 20:42 - 2015-02-09 20:42 - 03469871 _____ (LIGHTNING UK!) C:\Users\Alexandra\Downloads\SetupImgBurn_2.5.8.0.exe
2015-02-09 20:07 - 2015-02-09 20:07 - 00239104 _____ (AV Security Software) C:\Windows\mlwps.exe
2015-02-09 20:07 - 2015-02-09 20:07 - 00003282 _____ () C:\Windows\System32\Tasks\mcleaner
2015-02-09 20:06 - 2015-02-09 20:07 - 00851968 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp.exe
2015-02-09 20:06 - 2015-02-09 20:06 - 00000000 ____D () C:\Program Files (x86)\Jelbrus Secure Web
2015-02-09 20:06 - 2015-02-09 20:06 - 00000000 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp
2015-02-09 20:01 - 2015-02-09 22:28 - 00000000 ____D () C:\Users\Alexandra\Downloads\Microsoft Office ProPlus 2010 SP2 VL x64 en-US Jun2014
2015-02-09 17:25 - 2015-02-09 17:25 - 00000197 _____ () C:\Windows\system32\2015-02-10-01-25-13.034-AvastVBoxSVC.exe-2620.log
2015-02-09 16:29 - 2015-02-09 16:29 - 00000094 _____ () C:\Users\Alexandra\Desktop\MRH order Feb 2015.txt
2015-02-08 21:43 - 2015-02-09 16:20 - 00000770 _____ () C:\Users\Alexandra\Desktop\label pricing.txt
2015-02-08 18:12 - 2015-02-08 18:12 - 00000000 ____D () C:\Users\Alexandra\Downloads\garden
2015-02-08 17:55 - 2015-02-08 17:56 - 00000197 _____ () C:\Windows\system32\2015-02-09-01-55-50.088-AvastVBoxSVC.exe-3048.log
2015-02-08 14:23 - 2015-02-08 14:23 - 00000000 ____D () C:\Users\Alexandra\Downloads\dogsflower
2015-02-04 22:20 - 2015-02-04 22:20 - 05070512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-02-03 15:49 - 2015-02-09 18:20 - 00000000 ____D () C:\Users\Alexandra\AppData\Local\CutePDF Writer
2015-02-03 15:47 - 2015-02-03 15:47 - 00003158 _____ () C:\Windows\System32\Tasks\{6699A432-D854-4E11-BA9C-8AEECD812B16}
2015-02-03 15:46 - 2015-02-03 15:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CutePDF
2015-02-03 15:46 - 2015-02-03 15:46 - 00000000 ____D () C:\Program Files (x86)\GPLGS
2015-02-03 15:46 - 2015-02-03 15:46 - 00000000 ____D () C:\Program Files (x86)\Acro Software
2015-02-03 15:46 - 2013-10-23 15:24 - 00087600 _____ () C:\Windows\system32\cpwmon64.dll
2015-01-30 17:27 - 2015-01-30 17:27 - 00000000 ____D () C:\Users\Alexandra\Downloads\glorioussunset
2015-01-28 17:37 - 2015-01-28 22:49 - 00000000 ____D () C:\Users\Alexandra\Downloads\Harford Springs
2015-01-26 16:11 - 2015-02-09 21:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-22 14:42 - 2015-02-08 21:52 - 00036352 ___SH () C:\Users\Alexandra\Documents\Thumbs.db
2015-01-15 23:38 - 2015-01-15 23:38 - 00111249 _____ () C:\Users\Alexandra\Downloads\garden gate.3gp
2015-01-14 20:39 - 2015-01-14 20:39 - 00000000 ___HD () C:\ProgramData\CanonIJSolutionMenuEX
2015-01-14 20:39 - 2015-01-14 20:39 - 00000000 ___HD () C:\ProgramData\CanonIJMyPrinter
2015-01-14 20:39 - 2015-01-14 20:39 - 00000000 ___HD () C:\ProgramData\CanonIJEPPEX2
2015-01-14 20:39 - 2015-01-14 20:39 - 00000000 ___HD () C:\ProgramData\CanonEPP
2015-01-14 20:39 - 2015-01-14 20:39 - 00000000 ____D () C:\Users\Alexandra\AppData\Roaming\Canon
2015-01-14 20:38 - 2015-02-09 17:21 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2015-01-14 20:38 - 2015-01-14 20:38 - 00000000 ____D () C:\ProgramData\Canon IJ Network Tool
2015-01-14 20:38 - 2011-04-27 11:00 - 00323584 _____ (CANON INC.) C:\Windows\SysWOW64\CNC_ARL.dll
2015-01-14 20:38 - 2011-03-31 10:07 - 00114688 _____ (CANON INC.) C:\Windows\SysWOW64\CNC_ARU.dll
2015-01-14 20:38 - 2010-11-29 09:17 - 00063744 _____ () C:\Windows\SysWOW64\CNC1752D.TBL
2015-01-14 20:38 - 2008-08-25 18:02 - 00015872 _____ (CANON INC.) C:\Windows\SysWOW64\CNHMCA.dll
2015-01-14 20:37 - 2015-01-14 20:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG3100 series User Registration
2015-01-14 20:33 - 2015-01-14 20:33 - 00000000 ____D () C:\Program Files\Common Files\CANON
2015-01-14 20:32 - 2015-01-14 20:32 - 00000000 ____D () C:\ProgramData\CanonIJWSpt
2015-01-14 20:30 - 2015-01-14 20:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
2015-01-14 20:30 - 2015-01-14 20:36 - 00000000 ____D () C:\Program Files\Canon
2015-01-14 20:30 - 2015-01-14 20:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG3100 series Manual
2015-01-14 20:29 - 2015-01-14 20:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG3100 series
2015-01-14 20:29 - 2015-01-14 20:29 - 00000000 ___HD () C:\Windows\system32\CanonIJ Uninstaller Information
2015-01-14 20:29 - 2015-01-14 20:29 - 00000000 ___HD () C:\ProgramData\CanonBJ
2015-01-14 20:29 - 2015-01-14 20:29 - 00000000 ___HD () C:\Program Files\CanonBJ
2015-01-14 20:29 - 2015-01-14 20:29 - 00000000 ____D () C:\Windows\system32\STRING
2015-01-14 20:29 - 2011-05-23 05:00 - 00385536 _____ (CANON INC.) C:\Windows\system32\CNMLMAR.DLL
2015-01-14 20:29 - 2011-02-03 01:20 - 00256000 _____ (CANON INC.) C:\Windows\system32\CNMIUAR.DLL
2015-01-14 20:29 - 2011-02-01 09:23 - 00355840 _____ (CANON INC.) C:\Windows\system32\CNMN6PPM.DLL
2015-01-14 20:29 - 2011-02-01 09:23 - 00038400 _____ (CANON INC.) C:\Windows\system32\CNMN6UI.DLL
2015-01-14 20:26 - 2015-01-14 20:39 - 00000000 ____D () C:\Program Files (x86)\Canon
2015-01-14 03:24 - 2015-01-14 03:24 - 00000197 _____ () C:\Windows\system32\2015-01-14-11-24-27.087-AvastVBoxSVC.exe-2704.log
2015-01-13 13:15 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 13:15 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-13 13:15 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-13 13:15 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-13 13:15 - 2014-12-11 21:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 13:15 - 2014-12-11 21:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 13:15 - 2014-12-11 21:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 13:15 - 2014-12-11 09:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 13:14 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 13:14 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 13:14 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 13:14 - 2014-12-05 19:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 13:14 - 2014-12-05 19:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-13 03:22 - 2015-01-13 03:22 - 00000197 _____ () C:\Windows\system32\2015-01-13-11-22-36.005-AvastVBoxSVC.exe-2848.log
2015-01-12 03:31 - 2015-01-12 03:32 - 00000197 _____ () C:\Windows\system32\2015-01-12-11-31-44.040-AvastVBoxSVC.exe-2740.log
2015-01-11 22:21 - 2015-01-11 22:21 - 00000000 ____D () C:\Users\Alexandra\AppData\Roaming\PeaZip
2015-01-11 20:11 - 2015-01-11 20:11 - 00000247 _____ () C:\Windows\system32\2015-01-12-04-11-35.027-aswFe.exe-4604.log
2015-01-11 20:05 - 2015-01-11 20:11 - 00000247 _____ () C:\Windows\system32\2015-01-12-04-05-14.099-aswFe.exe-4000.log
2015-01-11 20:05 - 2015-01-11 20:05 - 00000197 _____ () C:\Windows\system32\2015-01-12-04-05-07.061-AvastVBoxSVC.exe-1920.log
2015-01-11 14:15 - 2015-01-11 14:15 - 00000000 ____D () C:\Users\Default\AppData\Local\Microsoft Help
2015-01-11 14:15 - 2015-01-11 14:15 - 00000000 ____D () C:\Users\Default User\AppData\Local\Microsoft Help
2015-01-11 03:06 - 2015-01-11 03:06 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-01-11 03:06 - 2015-01-11 03:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-09 23:15 - 2009-07-13 21:13 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-09 23:10 - 2010-11-20 19:47 - 00192228 _____ () C:\Windows\PFRO.log
2015-02-09 23:10 - 2009-07-13 20:45 - 00456072 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-09 23:05 - 2015-01-09 23:03 - 00000000 ____D () C:\Users\Alexandra\AppData\Roaming\uTorrent
2015-02-09 23:02 - 2014-08-19 22:16 - 01342603 _____ () C:\Windows\WindowsUpdate.log
2015-02-09 22:44 - 2015-01-08 10:18 - 00000000 ____D () C:\Users\Alexandra\Desktop\LDMN photos & notes
2015-02-09 22:28 - 2015-01-10 14:41 - 00000000 ____D () C:\ProgramData\Microsoft Toolkit
2015-02-09 22:20 - 2014-08-19 20:27 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-09 22:06 - 2015-01-07 20:45 - 00120552 _____ () C:\Users\Alexandra\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-09 22:01 - 2015-01-10 14:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-09 21:58 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-02-09 21:58 - 2009-07-13 18:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-09 21:31 - 2010-11-20 23:16 - 00000000 ____D () C:\Windows\ShellNew
2015-02-09 21:31 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-02-09 21:29 - 2009-07-13 21:32 - 00000000 ____D () C:\Program Files (x86)\MSBuild
2015-02-09 21:24 - 2014-08-19 20:45 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-02-09 17:30 - 2009-07-13 20:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-09 17:30 - 2009-07-13 20:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-09 17:25 - 2014-08-19 20:48 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-02-09 17:22 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-09 17:22 - 2009-07-13 20:51 - 00036980 _____ () C:\Windows\setupact.log
2015-02-09 17:08 - 2015-01-10 14:45 - 00000000 ____D () C:\Users\Alexandra\AppData\Local\Microsoft Help
2015-02-09 16:45 - 2015-01-07 23:46 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2015-02-09 14:08 - 2015-01-07 20:17 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-02-08 17:52 - 2015-01-07 18:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-05 19:36 - 2014-10-28 23:03 - 00000000 ____D () C:\Users\Alexandra\Documents\Herbal
2015-02-04 22:20 - 2014-08-19 20:27 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 22:20 - 2014-08-19 20:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-04 22:20 - 2014-08-19 20:27 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-04 02:25 - 2012-06-05 23:39 - 00000000 ____D () C:\Users\Alexandra\Desktop\Mom's Genealogy
2015-01-29 16:08 - 2012-09-22 19:13 - 00000000 ____D () C:\Users\Alexandra\Documents\Etsy and Amazon stores
2015-01-26 19:54 - 2015-01-07 20:10 - 00000000 ____D () C:\Users\Alexandra\AppData\Local\Adobe
2015-01-25 02:57 - 2013-06-26 21:57 - 00093184 _____ () C:\Users\Alexandra\Desktop\Budget sheets.xls
2015-01-24 15:22 - 2015-01-07 22:00 - 00005957 _____ () C:\Users\Alexandra\Downloads\Accounts info.txt
2015-01-23 23:14 - 2015-01-07 20:28 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-23 23:14 - 2015-01-07 20:27 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-14 20:38 - 2009-07-13 19:20 - 00000000 __RSD () C:\Windows\Media
2015-01-14 03:05 - 2015-01-08 03:12 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 03:01 - 2015-01-08 03:12 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-12 20:12 - 2014-12-28 01:42 - 00000721 _____ () C:\Users\Alexandra\Desktop\leather tooling price calculations.txt
2015-01-12 04:14 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2015-01-11 22:40 - 2014-06-14 22:50 - 00000000 ____D () C:\Users\Alexandra\Desktop\Uh Oh It's Magic
2015-01-11 20:05 - 2012-12-08 21:47 - 00000000 ____D () C:\Users\Alexandra\Desktop\Xmas
2015-01-11 14:18 - 2011-04-07 21:20 - 00000000 ____D () C:\Users\Alexandra\Documents\Receipts & Taxes
2015-01-11 14:18 - 2011-04-07 15:43 - 00000000 ____D () C:\Users\Alexandra\Documents\Everything.Data
2015-01-11 03:06 - 2014-08-19 20:43 - 00000000 ____D () C:\ProgramData\Skype

==================== Files in the root of some directories =======

2015-02-09 20:06 - 2015-02-09 20:06 - 0000000 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp
2015-02-09 20:06 - 2015-02-09 20:07 - 0851968 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp.exe
2014-08-19 22:18 - 2014-08-19 22:18 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\Alexandra\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Alexandra\AppData\Local\Temp\ose00000.exe
C:\Users\Alexandra\AppData\Local\Temp\ose00001.exe
C:\Users\Alexandra\AppData\Local\Temp\SRLDetectionLibrary1555254272090885741.dll
C:\Users\Alexandra\AppData\Local\Temp\uninstall.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-05 20:22

==================== End Of Log ============================



#2 chimchim

chimchim
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 12 February 2015 - 04:44 PM

Just realized I should probably clarify what I already tried: Because "Jelbrus secure web" also appeared in the Windows secure web patch malware, I thought that might be what my computer is infected with. So following the guide for removing Windows secure web patch, I:

--started up in safe mode with networking

--ensured that both Firefox and IE were not using proxy servers to connect

--downloaded rkill

--attempted to stop the malware using rkill (unsuccessfully--tried all renamed versions multiple times)

--set folder view options to display hidden files, to see if I could stop the malware through Task Manager (but they still don't show up)

--downloaded MBAM, but did not run since I was not able to stop the malware processes and it has already rendered Avast, Spybot, AdBlock and all other add-ons non-operational

--I've left the computer running in safe mode with networking but am not using it.

 

I mostly don't get the prompts to purchase anti-virus software that seem to be characteristic of Windows secure web patch. Instead I'm getting an advertising sidebar, pop-up "coupons," hyperlinks everywhere, really unstable web connection, and everything is incredibly slow. I did get one pop-up saying something about my computer being infected.



#3 OCD

OCD

  • Malware Response Team
  • 172 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:41 AM

Posted 13 February 2015 - 11:50 PM

Hi chimchim,

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear".

Important: All tools MUST be run from the Desktop.

=========================

P2P - (Peer to Peer)

I see you have/had P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall this now.

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:

  • uTorrent

If you choose not to remove this program, please refrain from using it until we have finished cleaning your computer.

=========================

If you can carry out these steps in Normal Mode please do so. If not, use Safe Mode w/ Networking.

=========================

Security Check

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=========================

FRST Fix Script

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the desktop as fixlist.txt




Start
CloseProcesses:
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> DefaultScope {B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {52FEA991-F24D-42D8-9A4E-3C26EE8C19CB} URL =
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
BHO-x32: SecureWebBHO Class -> {D3C24E2B-C820-4492-9B69-11BF7163F998} -> C:\Program Files (x86)\Jelbrus Secure Web\jsie.dll (Jelbrus)
FF SearchPlugin: C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\searchplugins\Vosteran.xml
S2 PrivoxyService; C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe [443202 2015-02-09] (The Privoxy team - www.privoxy.org) [File not signed]
2015-02-09 21:48 - 2015-02-09 21:48 - 00003294 _____ () C:\Windows\System32\Tasks\Jelbrus Secure Web Task
2015-02-09 20:06 - 2015-02-09 20:06 - 00000000 ____D () C:\Program Files (x86)\Jelbrus Secure Web
C:\Users\Alexandra\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Alexandra\AppData\Local\Temp\ose00000.exe
C:\Users\Alexandra\AppData\Local\Temp\ose00001.exe
C:\Users\Alexandra\AppData\Local\Temp\SRLDetectionLibrary1555254272090885741.dll
C:\Users\Alexandra\AppData\Local\Temp\uninstall.exe
EmptyTemp:
CMD: ipconfig /flushdns
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

=========================

Reboot

=========================

Please download AdwCleaner by Xplode and save to your Desktop.

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a log file (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that log file in your next reply.
  • A copy of all log files is saved in the C:\AdwCleaner folder, which was created when running the tool.

=========================

Re-run Farbar Recovery Scan Tool; it should be on your desktop.

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

=========================

In your next post please provide the following:

  • Fixlog.txt
  • AdwCleaner[R0].txt
  • new FRST.txt
  • How is the computer running at the moment?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#4 chimchim

chimchim
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 14 February 2015 - 02:39 AM

Thank you OCD!

 

Checkup.txt:

 

 Results of screen317's Security Check version 0.99.96  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Java 8 Update 25  
 Java 8 Update 31  
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31  
 Adobe Flash Player 16.0.0.305  
 Adobe Reader XI  
 Mozilla Firefox (35.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled!
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast ng vbox\AvastVBoxSVC.exe
 AVAST Software Avast avastui.exe  
 AVAST Software Avast ng ngservice.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
 



#5 chimchim

chimchim
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 14 February 2015 - 02:40 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-02-2015

Ran by Alexandra at 2015-02-13 23:23:05 Run:1
Running from C:\Users\Alexandra\Desktop
Loaded Profiles: Alexandra (Available profiles: Alexandra)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> DefaultScope {B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {52FEA991-F24D-42D8-9A4E-3C26EE8C19CB} URL =
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2471713172-621678647-3700230076-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
BHO-x32: SecureWebBHO Class -> {D3C24E2B-C820-4492-9B69-11BF7163F998} -> C:\Program Files (x86)\Jelbrus Secure Web\jsie.dll (Jelbrus)
FF SearchPlugin: C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\searchplugins\Vosteran.xml
S2 PrivoxyService; C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe [443202 2015-02-09] (The Privoxy team - www.privoxy.org) [File not signed]
2015-02-09 21:48 - 2015-02-09 21:48 - 00003294 _____ () C:\Windows\System32\Tasks\Jelbrus Secure Web Task
2015-02-09 20:06 - 2015-02-09 20:06 - 00000000 ____D () C:\Program Files (x86)\Jelbrus Secure Web
C:\Users\Alexandra\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Alexandra\AppData\Local\Temp\ose00000.exe
C:\Users\Alexandra\AppData\Local\Temp\ose00001.exe
C:\Users\Alexandra\AppData\Local\Temp\SRLDetectionLibrary1555254272090885741.dll
C:\Users\Alexandra\AppData\Local\Temp\uninstall.exe
EmptyTemp:
CMD: ipconfig /flushdns
End
*****************

Processes closed successfully.
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-2471713172-621678647-3700230076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{52FEA991-F24D-42D8-9A4E-3C26EE8C19CB}" => Key deleted successfully.
HKCR\CLSID\{52FEA991-F24D-42D8-9A4E-3C26EE8C19CB} => Key not found.
"HKU\S-1-5-21-2471713172-621678647-3700230076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B0DFBFE8-1B36-4519-992F-F4D6F777B0D0}" => Key deleted successfully.
HKCR\CLSID\{B0DFBFE8-1B36-4519-992F-F4D6F777B0D0} => Key not found.
"HKU\S-1-5-21-2471713172-621678647-3700230076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3C24E2B-C820-4492-9B69-11BF7163F998}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{D3C24E2B-C820-4492-9B69-11BF7163F998}" => Key deleted successfully.
C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\searchplugins\Vosteran.xml => Moved successfully.
PrivoxyService => Service deleted successfully.
C:\Windows\System32\Tasks\Jelbrus Secure Web Task => Moved successfully.
C:\Program Files (x86)\Jelbrus Secure Web => Moved successfully.
"C:\Users\Alexandra\AppData\Local\Temp\MSETUP4.EXE" => File/Directory not found.
"C:\Users\Alexandra\AppData\Local\Temp\ose00000.exe" => File/Directory not found.
"C:\Users\Alexandra\AppData\Local\Temp\ose00001.exe" => File/Directory not found.
"C:\Users\Alexandra\AppData\Local\Temp\SRLDetectionLibrary1555254272090885741.dll" => File/Directory not found.
C:\Users\Alexandra\AppData\Local\Temp\uninstall.exe => Moved successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 4.8 GB temporary data.


The system needed a reboot.

==== End of Fixlog 23:25:37 ====
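The Fixlog above reports one "target => outcome" line for each entry of the fixlist in post #3. The following is an added check, not part of the thread and not FRST's own tooling, that groups those lines so a reviewer can see at a glance what was removed, what was already absent, and what failed; the sample is the Fixlog's own result lines plus one constructed failure line at the end, and the "Could not move" wording on that line is an assumption, not taken from this log.

```python
"""Group the outcome lines of an FRST Fixlog into removed / absent / failed.

Added example for this thread; it is not part of FRST and not the helper's
own tooling.  It only reads "target => outcome" lines such as those in the
Fixlog above and buckets them so a reviewer can check the fix at a glance.
"""
import re
from typing import Dict, List, Optional, Tuple

# Result lines copied from the Fixlog posted above.  The LAST line
# (constructed-locked.dll => Could not move.) is constructed, not from the
# thread, so that the 'failed' bucket is exercised.
SAMPLE_FIXLOG = r"""
Processes closed successfully.
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-2471713172-621678647-3700230076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{52FEA991-F24D-42D8-9A4E-3C26EE8C19CB}" => Key deleted successfully.
HKCR\CLSID\{52FEA991-F24D-42D8-9A4E-3C26EE8C19CB} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3C24E2B-C820-4492-9B69-11BF7163F998}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{D3C24E2B-C820-4492-9B69-11BF7163F998}" => Key deleted successfully.
C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\searchplugins\Vosteran.xml => Moved successfully.
PrivoxyService => Service deleted successfully.
C:\Windows\System32\Tasks\Jelbrus Secure Web Task => Moved successfully.
C:\Program Files (x86)\Jelbrus Secure Web => Moved successfully.
"C:\Users\Alexandra\AppData\Local\Temp\MSETUP4.EXE" => File/Directory not found.
"C:\Users\Alexandra\AppData\Local\Temp\ose00000.exe" => File/Directory not found.
"C:\Users\Alexandra\AppData\Local\Temp\ose00001.exe" => File/Directory not found.
"C:\Users\Alexandra\AppData\Local\Temp\SRLDetectionLibrary1555254272090885741.dll" => File/Directory not found.
C:\Users\Alexandra\AppData\Local\Temp\uninstall.exe => Moved successfully.
EmptyTemp: => Removed 4.8 GB temporary data.
C:\Users\Alexandra\AppData\Local\Temp\constructed-locked.dll => Could not move.
"""

# Outcome wording for the first three rules is taken from the Fixlog above.
# "Could not" / "fail" / "error" is an assumed failure vocabulary for the
# constructed line; anything unmatched lands in 'unknown' for a human to read.
# Note: the "HKCR\CLSID\{...} => Key not found." lines are FRST's own follow-up
# look-ups for each removed SearchScope, so 'absent' there is expected.
OUTCOME_RULES: List[Tuple[str, str]] = [
    (r"(deleted|moved) successfully", "removed"),
    (r"^removed .*temporary data", "removed"),
    (r"not found", "absent"),
    (r"could not|fail|error", "failed"),
]

RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+)$")


def parse_result_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'target => outcome'; return None for lines without the arrow."""
    m = RESULT_RE.match(line.strip())
    if m is None:
        return None
    target = m.group("target").strip().strip('"')  # FRST quotes some paths/keys
    return target, m.group("outcome").strip()


def classify_outcome(outcome: str) -> str:
    """Map an outcome phrase to a bucket name (removed/absent/failed/unknown)."""
    text = outcome.lower()
    for pattern, bucket in OUTCOME_RULES:
        if re.search(pattern, text):
            return bucket
    return "unknown"


def summarise_fixlog(log_text: str) -> Dict[str, List[str]]:
    """Return {bucket: [targets]} for every non-empty line of the log."""
    buckets: Dict[str, List[str]] = {
        "removed": [], "absent": [], "failed": [], "unknown": [], "info": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_result_line(line)
        if parsed is None:
            buckets["info"].append(line)  # e.g. "Processes closed successfully."
            continue
        target, outcome = parsed
        buckets[classify_outcome(outcome)].append(target)
    return buckets


def needs_attention(buckets: Dict[str, List[str]]) -> List[str]:
    """Targets a reviewer must look at: outright failures and unrecognised outcomes."""
    return buckets["failed"] + buckets["unknown"]


if __name__ == "__main__":
    summary = summarise_fixlog(SAMPLE_FIXLOG)
    for bucket, targets in summary.items():
        print(f"{bucket:8s} {len(targets):2d}")
        for t in targets:
            print(f"    {t}")
    print("needs attention:", needs_attention(summary))
```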



#6 chimchim

chimchim
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 14 February 2015 - 04:16 AM

Ok, I followed all the instructions up through downloading and running AdwCleaner. But I have been running the scan for about 2 hours now and it never changes from "Waiting for action. Please uncheck elements you want to keep." The status bar and results pane have been empty the whole time. The scan button is greyed out. I haven't closed the window, in case it's doing something, but there is no sign that anything is happening.



#7 OCD

OCD

  • Malware Response Team
  • 172 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:41 AM

Posted 14 February 2015 - 03:12 PM

Hi chimchim,
 

AdwCleaner. But I have been running the scan for about 2 hours now and it never changes from "Waiting for action. Please uncheck elements you want to keep.


It should have created a .txt document.

A copy of all log files is saved in the C:\AdwCleaner folder, which was created when running the tool.

C:\AdwCleaner\AdwCleaner[R0].txt


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#8 chimchim

chimchim
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 14 February 2015 - 03:58 PM

# AdwCleaner v4.110 - Logfile created 13/02/2015 at 23:41:18
# Updated 05/02/2015 by Xplode
# Database : 2015-02-14.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Alexandra - ALEXANDRA-PC
# Running from : C:\Users\Alexandra\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\user.js
Folder Found : C:\Program Files (x86)\Dynamo Combo

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\InstallCore
Key Found : [x64] HKCU\Software\InstallCore
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[yxg5c6zj.default] - Line Found : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,eBay,Twitter,Vosteran,Wikipedia (en)");
[yxg5c6zj.default] - Line Found : user_pref("extensions.srchvstrn.hmpgUrl", "hxxp://Vosteran.com/?f=1&a=vst_ggfc_15_02_ff&cd=2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0C0Azyzz0Dzyzz0E0EyEtN0D0Tzu0StCtCtDtBtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDy[...]
[yxg5c6zj.default] - Line Found : user_pref("extensions.srchvstrn.newTabUrl", "hxxp://Vosteran.com/?f=2&a=vst_ggfc_15_02_ff&cd=2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0C0Azyzz0Dzyzz0E0EyEtN0D0Tzu0StCtCtDtBtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzyt[...]
[yxg5c6zj.default] - Line Found : user_pref("extensions.srchvstrn.prtnrId", "WSE_Vosteran");
[yxg5c6zj.default] - Line Found : user_pref("extensions.srchvstrn.srchPrvdr", "Vosteran");
[yxg5c6zj.default] - Line Found : user_pref("extensions.srchvstrn.tlbrSrchUrl", "hxxp://Vosteran.com/?f=3&a=vst_ggfc_15_02_ff&cd=2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0C0Azyzz0Dzyzz0E0EyEtN0D0Tzu0StCtCtDtBtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBz[...]
*************************

AdwCleaner[R0].txt - [1987 bytes] - [13/02/2015 23:41:18]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2046 bytes] ##########
 


Edited by chimchim, 14 February 2015 - 04:02 PM.


#9 chimchim

chimchim
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 14 February 2015 - 04:13 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-02-2015
Ran by Alexandra (administrator) on ALEXANDRA-PC on 14-02-2015 13:09:04
Running from C:\Users\Alexandra\Desktop
Loaded Profiles: Alexandra (Available profiles: Alexandra)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(AV Security Software) C:\Windows\mlwps.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\setup\instup.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(Flux Software LLC) C:\Users\Alexandra\AppData\Local\FluxSoftware\Flux\flux.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngtool.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7510232 2014-01-17] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374936 2014-01-13] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [285272 2013-12-30] (Waves Audio Ltd.)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3777696 2014-01-16] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [8921600 2013-11-27] (Dell Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2806000 2014-01-15] (Synaptics Incorporated)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2779024 2011-03-14] (CANON INC.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-12-20] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-26] (AVAST Software)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1612920 2011-08-04] (CANON INC.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2011-01-15] (CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\...\Run: [f.lux] => C:\Users\Alexandra\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
Lsa: [Notification Packages] scecli c:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 0x00
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-2471713172-621678647-3700230076-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 0x00
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default
FF DefaultSearchEngine: DuckDuckGo
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\user.js
FF Extension: Add to Delicious - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\delicious@techraga.com.xpi [2015-01-20]
FF Extension: AmazonSmile 1Button for Firefox - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\smile1Button@amazon.com.xpi [2015-01-07]
FF Extension: Pinterest Pin Button - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\{677a8f98-fd64-40b0-a883-b8c95d0cbf17}.xpi [2015-01-18]
FF Extension: Adblock Plus - C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-01-09]
FF Extension: Firefox Helper - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\c36304a546e788d19c8fe61f67244b4f [2015-02-09]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-01-07]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-01-07]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-07]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-07] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2015-01-07] (Avast Software)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [138192 2011-02-07] ()
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
R2 Live Malware Protection; C:\Windows\mlwps.exe [239104 2015-02-09] (AV Security Software) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-08-19] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [6170624 2013-11-27] (Dell Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-07] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-07] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-07] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-07] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-07] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-07] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-07] ()
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [172760 2013-11-27] (Broadcom Corporation.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-08-29] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [271752 2015-01-07] (Avast Software)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-14 13:09 - 2015-02-14 13:09 - 00017277 _____ () C:\Users\Alexandra\Desktop\FRST.txt
2015-02-14 13:08 - 2015-02-14 13:08 - 00000197 _____ () C:\Windows\system32\2015-02-14-21-08-58.020-AvastVBoxSVC.exe-4556.log
2015-02-14 13:04 - 2015-02-14 13:05 - 00026808 _____ () C:\Users\Alexandra\Desktop\FRSTb.txt
2015-02-13 23:37 - 2015-02-14 03:30 - 00000000 ____D () C:\AdwCleaner
2015-02-13 23:36 - 2015-02-13 23:36 - 02112512 _____ () C:\Users\Alexandra\Desktop\AdwCleaner.exe
2015-02-13 23:31 - 2015-02-13 23:31 - 00000197 _____ () C:\Windows\system32\2015-02-14-07-31-18.051-AvastVBoxSVC.exe-2612.log
2015-02-13 23:22 - 2015-02-14 13:03 - 00000000 ____D () C:\Users\Alexandra\Desktop\FRST-OlderVersion
2015-02-13 23:21 - 2015-02-13 23:21 - 00001096 _____ () C:\Users\Alexandra\Desktop\checkup.txt
2015-02-13 23:17 - 2015-02-13 23:17 - 00852594 _____ () C:\Users\Alexandra\Desktop\SecurityCheck.exe
2015-02-13 23:14 - 2015-02-13 23:14 - 00000197 _____ () C:\Windows\system32\2015-02-14-07-14-25.001-AvastVBoxSVC.exe-4024.log
2015-02-12 12:12 - 2015-02-13 23:11 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-12 12:12 - 2015-02-12 12:12 - 00001393 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-12 12:12 - 2015-02-12 12:12 - 00000656 _____ () C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2015-02-12 12:12 - 2015-02-12 12:12 - 00000628 _____ () C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2015-02-12 12:12 - 2015-02-12 12:12 - 00000458 _____ () C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2015-02-12 12:12 - 2015-02-12 12:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-02-12 12:12 - 2015-02-12 12:12 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-02-12 12:12 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-02-10 00:43 - 2015-02-10 00:43 - 00025623 _____ () C:\Users\Alexandra\Desktop\Addition.txt
2015-02-10 00:42 - 2015-02-14 13:09 - 00000000 ____D () C:\FRST
2015-02-10 00:42 - 2015-02-10 00:43 - 00032190 _____ () C:\Users\Alexandra\Desktop\FRSTa.txt
2015-02-10 00:41 - 2015-02-14 13:03 - 02134528 _____ (Farbar) C:\Users\Alexandra\Desktop\FRST64.exe
2015-02-10 00:21 - 2015-02-10 00:21 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\Alexandra\Downloads\rkill (1).com
2015-02-10 00:20 - 2015-02-10 00:20 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Alexandra\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-09 23:50 - 2015-02-09 23:50 - 02480312 _____ (Sysinternals - www.sysinternals.com) C:\Users\Alexandra\Downloads\procexp.exe
2015-02-09 23:31 - 2015-02-09 23:31 - 00000000 __SHD () C:\Users\Alexandra\AppData\Local\EmieBrowserModeList
2015-02-09 23:28 - 2015-02-09 23:30 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Alexandra\Downloads\spybot-2.4.exe
2015-02-09 23:15 - 2015-02-09 23:15 - 00000000 ____D () C:\Users\Alexandra\Desktop\rkill
2015-02-09 22:10 - 2015-02-13 23:32 - 00003758 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-02-09 22:10 - 2015-02-13 23:14 - 00000000 ____D () C:\Windows\AutoKMS
2015-02-09 21:54 - 2015-02-09 21:54 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2015-02-09 21:32 - 2015-02-09 21:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint
2015-02-09 21:32 - 2015-02-09 21:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-02-09 21:30 - 2015-02-09 21:30 - 00000000 ____D () C:\Program Files\Microsoft Synchronization Services
2015-02-09 21:29 - 2015-02-09 21:29 - 00000000 ____D () C:\Windows\PCHEALTH
2015-02-09 21:29 - 2015-02-09 21:29 - 00000000 ____D () C:\Program Files\Microsoft Sync Framework
2015-02-09 21:29 - 2015-02-09 21:29 - 00000000 ____D () C:\Program Files\Microsoft SQL Server Compact Edition
2015-02-09 21:26 - 2015-02-09 21:26 - 00000000 ____D () C:\Program Files (x86)\Microsoft Visual Studio 8
2015-02-09 21:25 - 2015-02-09 21:25 - 00000000 ____D () C:\Program Files\Microsoft Analysis Services
2015-02-09 21:25 - 2015-02-09 21:25 - 00000000 ____D () C:\Program Files (x86)\Microsoft Analysis Services
2015-02-09 21:24 - 2015-02-09 21:29 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-02-09 21:23 - 2015-02-09 21:23 - 00000000 __RHD () C:\MSOCache
2015-02-09 20:59 - 2015-02-09 21:04 - 00000000 ____D () C:\Program Files\Microsoft Office 2010
2015-02-09 20:42 - 2015-02-09 20:42 - 03469871 _____ (LIGHTNING UK!) C:\Users\Alexandra\Downloads\SetupImgBurn_2.5.8.0.exe
2015-02-09 20:07 - 2015-02-09 20:07 - 00239104 _____ (AV Security Software) C:\Windows\mlwps.exe
2015-02-09 20:07 - 2015-02-09 20:07 - 00003282 _____ () C:\Windows\System32\Tasks\mcleaner
2015-02-09 20:06 - 2015-02-09 20:07 - 00851968 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp.exe
2015-02-09 20:06 - 2015-02-09 20:06 - 00000000 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp
2015-02-09 17:25 - 2015-02-09 17:25 - 00000197 _____ () C:\Windows\system32\2015-02-10-01-25-13.034-AvastVBoxSVC.exe-2620.log
2015-02-09 16:29 - 2015-02-09 16:29 - 00000094 _____ () C:\Users\Alexandra\Desktop\MRH order Feb 2015.txt
2015-02-08 21:43 - 2015-02-09 16:20 - 00000770 _____ () C:\Users\Alexandra\Desktop\label pricing.txt
2015-02-08 18:12 - 2015-02-08 18:12 - 00000000 ____D () C:\Users\Alexandra\Downloads\garden
2015-02-08 17:55 - 2015-02-08 17:56 - 00000197 _____ () C:\Windows\system32\2015-02-09-01-55-50.088-AvastVBoxSVC.exe-3048.log
2015-02-08 14:23 - 2015-02-08 14:23 - 00000000 ____D () C:\Users\Alexandra\Downloads\dogsflower
2015-02-04 22:20 - 2015-02-04 22:20 - 05070512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-02-03 15:49 - 2015-02-09 18:20 - 00000000 ____D () C:\Users\Alexandra\AppData\Local\CutePDF Writer
2015-02-03 15:47 - 2015-02-03 15:47 - 00003158 _____ () C:\Windows\System32\Tasks\{6699A432-D854-4E11-BA9C-8AEECD812B16}
2015-02-03 15:46 - 2015-02-03 15:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CutePDF
2015-02-03 15:46 - 2015-02-03 15:46 - 00000000 ____D () C:\Program Files (x86)\GPLGS
2015-02-03 15:46 - 2015-02-03 15:46 - 00000000 ____D () C:\Program Files (x86)\Acro Software
2015-02-03 15:46 - 2013-10-23 15:24 - 00087600 _____ () C:\Windows\system32\cpwmon64.dll
2015-01-30 17:27 - 2015-01-30 17:27 - 00000000 ____D () C:\Users\Alexandra\Downloads\glorioussunset
2015-01-28 17:37 - 2015-01-28 22:49 - 00000000 ____D () C:\Users\Alexandra\Downloads\Harford Springs
2015-01-26 16:11 - 2015-02-09 21:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-22 14:42 - 2015-02-08 21:52 - 00036352 ___SH () C:\Users\Alexandra\Documents\Thumbs.db
2015-01-15 23:38 - 2015-01-15 23:38 - 00111249 _____ () C:\Users\Alexandra\Downloads\garden gate.3gp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-14 13:07 - 2015-01-07 20:17 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-02-14 13:06 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-14 13:06 - 2009-07-13 20:51 - 00037148 _____ () C:\Windows\setupact.log
2015-02-14 03:32 - 2009-07-13 21:13 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-14 03:20 - 2014-08-19 22:16 - 01695687 _____ () C:\Windows\WindowsUpdate.log
2015-02-14 03:20 - 2014-08-19 20:27 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-14 03:01 - 2015-01-10 14:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-13 23:37 - 2009-07-13 20:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-13 23:37 - 2009-07-13 20:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-13 23:31 - 2015-01-14 20:38 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2015-02-13 23:31 - 2014-08-19 20:48 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-02-13 23:27 - 2010-11-20 19:47 - 00192564 _____ () C:\Windows\PFRO.log
2015-02-13 23:13 - 2015-01-09 23:03 - 00000000 ____D () C:\Users\Alexandra\AppData\Roaming\uTorrent
2015-02-09 23:10 - 2009-07-13 20:45 - 00456072 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-09 22:44 - 2015-01-08 10:18 - 00000000 ____D () C:\Users\Alexandra\Desktop\LDMN photos & notes
2015-02-09 22:28 - 2015-01-10 14:41 - 00000000 ____D () C:\ProgramData\Microsoft Toolkit
2015-02-09 22:06 - 2015-01-07 20:45 - 00120552 _____ () C:\Users\Alexandra\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-09 21:58 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-02-09 21:58 - 2009-07-13 18:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-09 21:31 - 2010-11-20 23:16 - 00000000 ____D () C:\Windows\ShellNew
2015-02-09 21:31 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-02-09 21:29 - 2009-07-13 21:32 - 00000000 ____D () C:\Program Files (x86)\MSBuild
2015-02-09 21:24 - 2014-08-19 20:45 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-02-09 17:08 - 2015-01-10 14:45 - 00000000 ____D () C:\Users\Alexandra\AppData\Local\Microsoft Help
2015-02-09 16:45 - 2015-01-07 23:46 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2015-02-08 17:52 - 2015-01-07 18:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-05 19:36 - 2014-10-28 23:03 - 00000000 ____D () C:\Users\Alexandra\Documents\Herbal
2015-02-04 22:20 - 2014-08-19 20:27 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 22:20 - 2014-08-19 20:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-04 22:20 - 2014-08-19 20:27 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-04 02:25 - 2012-06-05 23:39 - 00000000 ____D () C:\Users\Alexandra\Desktop\Mom's Genealogy
2015-01-29 16:08 - 2012-09-22 19:13 - 00000000 ____D () C:\Users\Alexandra\Documents\Etsy and Amazon stores
2015-01-26 19:54 - 2015-01-07 20:10 - 00000000 ____D () C:\Users\Alexandra\AppData\Local\Adobe
2015-01-25 02:57 - 2013-06-26 21:57 - 00093184 _____ () C:\Users\Alexandra\Desktop\Budget sheets.xls
2015-01-24 15:22 - 2015-01-07 22:00 - 00005957 _____ () C:\Users\Alexandra\Downloads\Accounts info.txt
2015-01-23 23:14 - 2015-01-07 20:28 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-23 23:14 - 2015-01-07 20:27 - 00000000 ____D () C:\Program Files (x86)\Java

==================== Files in the root of some directories =======

2015-02-09 20:06 - 2015-02-09 20:06 - 0000000 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp
2015-02-09 20:06 - 2015-02-09 20:07 - 0851968 _____ () C:\Users\Alexandra\AppData\Roaming\315F.tmp.exe
2014-08-19 22:18 - 2014-08-19 22:18 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\Alexandra\AppData\Local\Temp\Quarantine.exe
C:\Users\Alexandra\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-14 01:36

==================== End Of Log ============================



#10 chimchim (Topic Starter, Members, 14 posts)

Posted 14 February 2015 - 04:52 PM

So far everything seems to be running perfectly! Thank you so much!!!



#11 OCD (Malware Response Team, 172 posts, Location: Florida)

Posted 15 February 2015 - 02:24 AM

Hi chimchim,

You're welcome. :)

It's important that you follow through with the remainder of the steps I will outline. Absence of symptoms doesn't necessarily translate into malware free. We are making progress so please stay with me until I give you the "all clean" sign. :thumbup:

Re-run AdwCleaner

It should be on your desktop

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a log file report (AdwCleaner[S1].txt) will open automatically.
  • Copy and paste the contents of that log file in your next reply.
  • A copy of that log file will also be saved in the C:\AdwCleaner folder.

=========================

Junkware Removal Tool

Download Junkware Removal Tool to your desktop.

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Shut down your protection software now to avoid potential conflicts.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

=========================

In your next post please provide the following:

  • AdwCleaner[S1].txt
  • JRT.txt

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#12 chimchim (Topic Starter, Members, 14 posts)

Posted 15 February 2015 - 03:27 AM

# AdwCleaner v4.110 - Logfile created 15/02/2015 at 00:10:31
# Updated 05/02/2015 by Xplode
# Database : 2015-02-14.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Alexandra - ALEXANDRA-PC
# Running from : C:\Users\Alexandra\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Dynamo Combo
File Deleted : C:\Users\Alexandra\AppData\Roaming\Mozilla\Firefox\Profiles\yxg5c6zj.default\user.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKCU\Software\InstallCore

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[yxg5c6zj.default\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,eBay,Twitter,Vosteran,Wikipedia (en)");
[yxg5c6zj.default\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.hmpgUrl", "hxxp://Vosteran.com/?f=1&a=vst_ggfc_15_02_ff&cd=2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0C0Azyzz0Dzyzz0E0EyEtN0D0Tzu0StCtCtDtBtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDy[...]
[yxg5c6zj.default\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.newTabUrl", "hxxp://Vosteran.com/?f=2&a=vst_ggfc_15_02_ff&cd=2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0C0Azyzz0Dzyzz0E0EyEtN0D0Tzu0StCtCtDtBtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzyt[...]
[yxg5c6zj.default\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.prtnrId", "WSE_Vosteran");
[yxg5c6zj.default\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.srchPrvdr", "Vosteran");
[yxg5c6zj.default\prefs.js] - Line Deleted : user_pref("extensions.srchvstrn.tlbrSrchUrl", "hxxp://Vosteran.com/?f=3&a=vst_ggfc_15_02_ff&cd=2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0C0Azyzz0Dzyzz0E0EyEtN0D0Tzu0StCtCtDtBtN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBz[...]

*************************

AdwCleaner[R0].txt - [2129 bytes] - [13/02/2015 23:41:18]
AdwCleaner[R1].txt - [2188 bytes] - [13/02/2015 23:58:03]
AdwCleaner[R2].txt - [2247 bytes] - [14/02/2015 03:29:24]
AdwCleaner[R3].txt - [2306 bytes] - [15/02/2015 00:08:40]
AdwCleaner[S0].txt - [2262 bytes] - [15/02/2015 00:10:31]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2321  bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Home Premium x64
Ran by Alexandra on Sun 02/15/2015 at  0:21:28.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\Windows\prefetch\ENABLETOOLBARW32.EXE-F6CF4CC4.pf



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\pcdr"
Successfully deleted: [Folder] "C:\Users\Alexandra\AppData\Roaming\pcdr"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 02/15/2015 at  0:25:59.23
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#13 OCD (Malware Response Team, 172 posts, Location: Florida)

Posted 15 February 2015 - 11:41 AM

Hi chimchim,

Please post all requested logs within one (1) reply window, unless the forum tells you the post is too large.

Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware (save it to your desktop).
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Select Scan tab.
  • Select type of scan to perform:
    • Threat Scan < --- Select this type of scan
    • Custom Scan
    • Hyper Scan
  • Next click the Scan button.
  • When the scan is complete, if no malicious items are found you can close the program.
  • If malicious items are found be sure that everything is checked, and click Quarantine.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
=========================

ESET Online Scanner

*Note:
  • It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
  • Please don't go surfing while your resident protection is disabled!
  • Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.
** You need to run your browser with Administrator Rights; to do so, right click your browser's shortcut and select "Run as Administrator".

= = = = = = = = = = = = = = = = = = = =

Go here to run ESET Online Scanner

(Note: You can use Internet Explorer or Firefox for this scan. If you use Firefox you will be asked to install an additional component. Please allow this.)
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • Click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply

    Note - when ESET doesn't find any threats, no report will be created.
  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.
=========================

In your next post please provide the following:
  • MBAM log
  • ESET's log.txt
  • How's the computer running, any symptoms?

OCD


#14 chimchim (Topic Starter, Members, 14 posts)

Posted 16 February 2015 - 02:53 AM

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/02/15 21:51:14 -0800</date>
<logfile>mbam-log-2015-02-15 (21-51-10).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.4.1028</version>
<malware-database>v2015.02.16.03</malware-database>
<rootkit-database>v2015.02.03.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>Alexandra</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>338335</objects>
<time>1994</time>
<processes>0</processes>
<modules>0</modules>
<keys>1</keys>
<values>1</values>
<datas>0</datas>
<folders>0</folders>
<files>1</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKU\S-1-5-21-2471713172-621678647-3700230076-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{D3C24E2B-C820-4492-9B69-11BF7163F998}</path><vendor>PUP.Optional.SecureWeb.A</vendor><action>success</action><hash>e53ee8378109a5917b27749024df1ee2</hash></key>
<value><path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY</path><valuename>AppPath</valuename><vendor>PUP.Optional.Vosteran</vendor><action>success</action><valuedata>C:\Program Files (x86)\WSE_Vosteran\\</valuedata><hash>0a194bd44347d95df45e32e74eb7a45c</hash></value>
<file><path>C:\Users\Alexandra\Downloads\SetupImgBurn_2.5.8.0.exe</path><vendor>PUP.Optional.OpenCandy</vendor><action>success</action><hash>45dead720a80023424c87f6822e39c64</hash></file>
</items>
</mbam-log>

C:\FRST\Quarantine\C\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\Jelbrus Secure Web\jsweb.dll    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\Jelbrus Secure Web\jswff.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\Jelbrus Secure Web\jswtask.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application    deleted - quarantined

Sorry for posting the previous logs in separate windows! I haven't experienced any more symptoms.



#15 OCD (Malware Response Team, 172 posts, Location: Florida)

Posted 16 February 2015 - 02:59 AM

Hi chimchim,

Uninstall via Programs and Features

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:
  • Java 8 Update 25
=========================

Re-run Farbar Recovery Scan Tool; it should be on your desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
=========================

In your next post please provide the following:
  • FRST.txt
  • Any remaining issues?

OCD
