
Numerous ads have been popping up in my google chrome


  • This topic is locked
19 replies to this topic

#1 lumoskid

  • Members
  • 18 posts

Posted 11 February 2015 - 10:20 PM

Hi! I noticed that numerous ads have been popping up in my Google Chrome. I've tried uninstalling some of the ads, but sometimes they just keep coming back. I also noticed that I cannot uninstall Yepi Play and Weather Europe Extension. What are these programs?
 
I tried following your advice in a previous thread in this link: 
 
http://www.bleepingcomputer.com/forums/t/554947/various-popups-when-browser-is-open-fpekyl-and-s3tzqheevmbwwvcom-are-blocked/
 
I've done all three instructions about AdwCleaner, Junkware Removal Tool and Farbar Recovery Scan Tool, and here are the logs:
 
ADWCLEANER:
 
# AdwCleaner v4.110 - Logfile created 12/02/2015 at 10:48:50
# Updated 05/02/2015 by Xplode
# Database : 2015-02-09.1 [Server]
# Operating system : Windows 8.1 Single Language  (x64)
# Username : Licensed User - LICENSEUSER
# Running from : C:\Users\Licensed User\Downloads\adwcleaner_4.110.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\30fc52244c39ccb3
Folder Deleted : C:\ProgramData\3529786523802782899
Folder Deleted : C:\ProgramData\anffimcndghbfidjlhdhmeinhhhdgeib
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{079E2F0F-FCA0-4163-BC82-5355B879E86E}
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v39.0.2171.95
 
 
*************************
 
AdwCleaner[R0].txt - [10894 bytes] - [03/02/2015 11:02:02]
AdwCleaner[R1].txt - [932 bytes] - [03/02/2015 11:26:43]
AdwCleaner[R2].txt - [1050 bytes] - [03/02/2015 11:39:30]
AdwCleaner[R3].txt - [1362 bytes] - [12/02/2015 10:46:07]
AdwCleaner[S0].txt - [10439 bytes] - [03/02/2015 11:03:09]
AdwCleaner[S1].txt - [994 bytes] - [03/02/2015 11:27:43]
AdwCleaner[S2].txt - [1114 bytes] - [03/02/2015 11:42:23]
AdwCleaner[S3].txt - [1297 bytes] - [12/02/2015 10:48:50]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1356  bytes] ##########
 
 
 
 
 
 
 
Junkware removal tool:
 
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 8.1 Single Language x64
Ran by Licensed User on Thu 02/12/2015 at 10:52:50.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2444213589-946884805-1873367541-1001\Software\Microsoft\Internet Explorer\Main\\Start Page
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/12/2015 at 11:02:24.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
 
FARBAR:
 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-02-2015 02
Ran by Licensed User (administrator) on LICENSEUSER on 12-02-2015 11:08:10
Running from C:\Users\Licensed User\Downloads
Loaded Profiles: Licensed User (Available profiles: Licensed User)
Platform: Windows 8.1 Single Language (X64) OS Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\Ntrtscan.exe
(GlavSoft LLC.) C:\Program Files (x86)\TightVNC\tvnserver.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Service.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmListen.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-Network.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-BlockDevice.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-SharedFolder.exe
(Firebird Project) C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(H.Shirouzu) C:\Program Files (x86)\IPMsg\ipmsg.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
(GlavSoft LLC.) C:\Program Files (x86)\TightVNC\tvnserver.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\PccNtMon.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12921488 2012-07-02] (Realtek Semiconductor)
HKLM-x32\...\Run: [tvncontrol] => C:\Program Files (x86)\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe [1462576 2009-06-02] (Trend Micro Inc.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [843480 2014-10-07] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2444213589-946884805-1873367541-1001\...\MountPoints2: {d01c6f70-93da-11e3-824b-806e6f6e6963} - "F:\autorun.exe" /autorun
Startup: C:\Users\Licensed User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50 shades of grey.pdf.lnk
ShortcutTarget: 50 shades of grey.pdf.lnk -> C:\ProgramData\{41d117e2-8444-4287-41d1-117e28445f8a}\50 shades of grey.pdf.exe ()
Startup: C:\Users\Licensed User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IPMSG for Win32.lnk
ShortcutTarget: IPMSG for Win32.lnk -> C:\Program Files (x86)\IPMsg\ipmsg.exe (H.Shirouzu)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKU\S-1-5-21-2444213589-946884805-1873367541-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ph/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.20.254.40
 
FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-24]
CHR Extension: (Google Docs) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-24]
CHR Extension: (Google Drive) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-24]
CHR Extension: (YouTube) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-24]
CHR Extension: (Google Search) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-24]
CHR Extension: (Google Sheets) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-24]
CHR Extension: (Gmail) - C:\Users\Licensed User\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-24]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [409304 2014-10-07] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [388824 2014-10-07] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [782040 2014-10-07] (BlueStack Systems, Inc.)
R2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [154112 2012-11-01] (Firebird Project) [File not signed]
R3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [5708800 2012-11-01] (Firebird Project) [File not signed]
R2 ntrtscan; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe [1739568 2009-05-22] (Trend Micro Inc.)
R3 TMBMServer; C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe [569608 2009-03-12] (Trend Micro Inc.)
R2 tmlisten; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe [1991080 2009-05-22] (Trend Micro Inc.)
R3 TmPfw; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [594912 2009-03-10] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [913672 2009-03-10] (Trend Micro Inc.)
R2 tvnserver; C:\Program Files (x86)\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [122072 2014-10-07] (BlueStack Systems)
R2 TmFilter; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [344864 2013-08-14] (Trend Micro Inc.)
R1 tmlwf; C:\Windows\system32\DRIVERS\tmlwf.sys [199696 2009-03-10] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [42272 2013-08-14] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\system32\DRIVERS\tmtdi.sys [100880 2009-03-10] (Trend Micro Inc.)
R2 tmwfp; C:\Windows\system32\DRIVERS\tmwfp.sys [305680 2009-03-10] (Trend Micro Inc.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2014-08-15] (Apple, Inc.) [File not signed]
R2 VSApiNt; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys [2260768 2013-08-14] (Trend Micro Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-12 11:08 - 2015-02-12 11:08 - 00010744 _____ () C:\Users\Licensed User\Downloads\FRST.txt
2015-02-12 11:08 - 2015-02-12 11:08 - 00000000 ____D () C:\FRST
2015-02-12 11:06 - 2015-02-12 11:07 - 02134016 _____ (Farbar) C:\Users\Licensed User\Downloads\FRST64 (1).exe
2015-02-12 11:05 - 2015-02-12 11:05 - 02134016 _____ (Farbar) C:\Users\Licensed User\Downloads\FRST64.exe
2015-02-12 11:02 - 2015-02-12 11:02 - 00001373 _____ () C:\Users\Licensed User\Desktop\JRT.txt
2015-02-12 10:51 - 2015-02-12 10:51 - 01388274 _____ (Thisisu) C:\Users\Licensed User\Downloads\JRT.exe
2015-02-12 10:50 - 2015-02-12 10:50 - 00000116 _____ () C:\Windows\setupact.log
2015-02-12 10:50 - 2015-02-12 10:50 - 00000065 _____ () C:\Windows\TMFilter.log
2015-02-12 10:50 - 2015-02-12 10:50 - 00000000 _____ () C:\Windows\setuperr.log
2015-02-12 10:43 - 2015-02-12 10:44 - 02112512 _____ () C:\Users\Licensed User\Downloads\adwcleaner_4.110.exe
2015-02-12 10:30 - 2015-02-12 10:30 - 00002788 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-02-12 10:30 - 2015-02-12 10:30 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-12 10:28 - 2015-02-12 10:30 - 05325208 _____ (Piriform Ltd) C:\Users\Licensed User\Downloads\ccsetup502.exe
2015-02-11 12:30 - 2015-01-16 06:43 - 00563504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 12:30 - 2015-01-16 06:43 - 00177984 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 12:30 - 2015-01-14 12:22 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-02-11 12:30 - 2015-01-14 11:53 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2015-02-11 12:30 - 2014-10-29 10:51 - 00154112 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 12:30 - 2014-10-29 10:50 - 00736768 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 12:30 - 2014-10-29 10:06 - 00736768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 12:30 - 2014-10-29 10:06 - 00154112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 12:30 - 2014-10-29 09:31 - 01441792 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 12:29 - 2015-02-04 07:38 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-11 12:29 - 2015-02-04 07:08 - 00761856 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-11 12:29 - 2015-02-04 07:08 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-11 12:29 - 2015-02-03 07:11 - 01098752 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-11 12:29 - 2015-02-03 07:11 - 00894464 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-11 12:29 - 2015-02-03 07:11 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-11 12:29 - 2015-01-20 02:42 - 01487976 _____ (Microsoft Corporation) C:\Windows\system32\sppobjs.dll
2015-02-11 12:29 - 2015-01-14 06:11 - 01762840 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 12:29 - 2015-01-14 06:04 - 01489072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 12:29 - 2015-01-12 11:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 12:29 - 2015-01-12 10:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 12:29 - 2015-01-12 10:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 12:29 - 2015-01-12 10:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 12:29 - 2015-01-12 10:34 - 00816128 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-02-11 12:29 - 2015-01-12 10:32 - 06041088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-11 12:29 - 2015-01-12 10:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-11 12:29 - 2015-01-12 10:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 12:29 - 2015-01-12 10:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-11 12:29 - 2015-01-12 10:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 12:29 - 2015-01-12 10:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-11 12:29 - 2015-01-12 10:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-11 12:29 - 2015-01-12 09:58 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-02-11 12:29 - 2015-01-12 09:55 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-02-11 12:29 - 2015-01-12 09:51 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-02-11 12:29 - 2015-01-12 09:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 12:29 - 2015-01-12 09:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 12:29 - 2015-01-12 09:48 - 00374272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 12:29 - 2015-01-12 09:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 12:29 - 2015-01-12 09:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-11 12:29 - 2015-01-12 09:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 12:29 - 2015-01-12 09:34 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2015-02-11 12:29 - 2015-01-12 09:30 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-02-11 12:29 - 2015-01-12 09:29 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-11 12:29 - 2015-01-12 09:27 - 02865152 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2015-02-11 12:29 - 2015-01-12 09:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 12:29 - 2015-01-12 09:25 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-02-11 12:29 - 2015-01-12 09:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-11 12:29 - 2015-01-12 09:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-11 12:29 - 2015-01-12 09:23 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-11 12:29 - 2015-01-12 09:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-11 12:29 - 2015-01-12 09:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 12:29 - 2015-01-12 09:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 12:29 - 2015-01-12 09:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-11 12:29 - 2015-01-12 08:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-11 12:29 - 2015-01-12 08:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 12:29 - 2015-01-10 17:10 - 07472960 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 12:29 - 2015-01-10 17:10 - 01733440 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-02-11 12:29 - 2015-01-10 16:28 - 01498360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-02-11 12:29 - 2015-01-10 16:22 - 04175872 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 12:29 - 2015-01-10 15:00 - 00430080 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 12:29 - 2015-01-10 14:38 - 00359424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 12:29 - 2014-12-19 16:57 - 00788680 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 12:29 - 2014-12-19 16:25 - 00602776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 12:29 - 2014-12-09 11:45 - 00393728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-11 12:29 - 2014-12-09 09:56 - 00538624 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 12:29 - 2014-12-09 07:12 - 00391526 _____ () C:\Windows\system32\ApnDatabase.xml
2015-02-11 12:29 - 2014-10-29 10:02 - 00285184 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-02-11 12:29 - 2014-10-29 10:02 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-02-11 12:29 - 2014-10-29 09:57 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-02-11 12:29 - 2014-10-29 09:15 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-02-11 12:29 - 2014-10-29 09:15 - 00005632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-02-11 12:29 - 2014-10-29 09:14 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-02-11 12:29 - 2014-10-29 09:13 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-02-11 12:29 - 2014-10-29 09:13 - 00008704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-02-08 16:54 - 2015-02-08 16:57 - 00000000 ____D () C:\ProgramData\{41d117e2-8444-4287-41d1-117e28445f8a}
2015-02-05 10:09 - 2015-02-05 10:09 - 00049418 _____ () C:\Users\Licensed User\Downloads\UP PSOHNS QUOTATION.xlsx
2015-02-03 12:25 - 2015-02-03 12:25 - 00000000 _____ () C:\autoexec.bat
2015-02-03 12:20 - 2015-02-03 12:20 - 03044736 _____ (Enigma Software Group USA, LLC.) C:\Users\Licensed User\Downloads\SpyHunter-Installer.exe
2015-02-03 11:49 - 2015-02-03 11:49 - 03577744 _____ (K9 Tools ) C:\Users\Licensed User\Downloads\setup.exe
2015-02-03 11:36 - 2015-02-03 11:38 - 05155328 _____ () C:\Users\Licensed User\Downloads\WindowsDefender.msi
2015-02-03 11:01 - 2015-02-12 10:48 - 00000000 ____D () C:\AdwCleaner
2015-02-02 17:19 - 2015-02-02 17:19 - 00000000 ____D () C:\Program Files (x86)\Yepi Play
2015-02-01 15:38 - 2015-02-01 15:38 - 00000000 ____D () C:\Program Files (x86)\Weather Europe Extension
2015-01-30 17:44 - 2015-01-30 17:44 - 00040747 _____ () C:\Users\Licensed User\Downloads\abstract-form.xlsx
2015-01-30 11:54 - 2015-01-30 11:54 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-01-29 10:16 - 2015-01-29 10:16 - 00000000 ____D () C:\ProgramData\McAfee
2015-01-29 10:15 - 2015-01-29 10:15 - 00002457 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-29 10:15 - 2015-01-29 10:15 - 00002039 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2015-01-29 10:15 - 2015-01-29 10:15 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-27 11:23 - 2015-02-07 12:12 - 00092672 ___SH () C:\Users\Licensed User\Documents\Thumbs.db
2015-01-24 13:39 - 2015-01-24 13:52 - 00000000 ____D () C:\Users\Licensed User\Documents\MRT Hearing Loss
2015-01-24 10:40 - 2015-01-24 10:40 - 00000000 ____H () C:\Users\Licensed User\Documents\Default.rdp
2015-01-22 11:05 - 2015-01-22 11:05 - 00001890 _____ () C:\Users\Licensed User\Documents\fastView.lnk
2015-01-22 11:05 - 2015-01-22 11:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\syngo-fastView
2015-01-22 11:05 - 2015-01-22 11:05 - 00000000 ____D () C:\Program Files (x86)\Siemens
2015-01-22 10:13 - 2015-01-22 10:13 - 00001147 _____ () C:\Users\Licensed User\Documents\Photoshop CS6 x64.lnk
2015-01-22 10:13 - 2015-01-22 10:13 - 00001055 _____ () C:\Users\Licensed User\Documents\Photoshop CS6.lnk
2015-01-15 12:56 - 2015-01-15 12:57 - 00000000 ____D () C:\Users\Licensed User\Documents\ENT images
2015-01-14 12:48 - 2014-12-19 14:26 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 12:48 - 2014-12-12 10:04 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 12:48 - 2014-12-12 08:51 - 00075776 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ahcache.sys
2015-01-14 12:48 - 2014-12-09 09:50 - 00225280 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00535640 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00531616 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00448792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00413248 _____ (Microsoft Corporation) C:\Windows\system32\Faultrep.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00372408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00108944 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-01-14 12:47 - 2014-12-09 03:42 - 00038264 _____ (Microsoft Corporation) C:\Windows\system32\WerFaultSecure.exe
2015-01-14 12:47 - 2014-12-09 03:42 - 00033584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFaultSecure.exe
2015-01-14 12:47 - 2014-12-06 11:17 - 00360448 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-14 12:47 - 2014-12-06 09:41 - 00391680 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 12:47 - 2014-12-06 09:35 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll
2015-01-14 12:47 - 2014-10-29 12:00 - 00465320 _____ (Microsoft Corporation) C:\Windows\system32\WerFault.exe
2015-01-14 12:47 - 2014-10-29 12:00 - 00139984 _____ (Microsoft Corporation) C:\Windows\system32\wermgr.exe
2015-01-14 12:47 - 2014-10-29 11:52 - 00500016 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-01-14 12:47 - 2014-10-29 11:52 - 00482872 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-01-14 12:47 - 2014-10-29 11:52 - 00394120 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-01-14 12:47 - 2014-10-29 11:52 - 00272248 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2015-01-14 12:47 - 2014-10-29 11:12 - 00413136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFault.exe
2015-01-14 12:47 - 2014-10-29 11:12 - 00136296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wermgr.exe
2015-01-14 12:47 - 2014-10-29 11:07 - 00424544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2015-01-14 12:47 - 2014-10-29 11:07 - 00370424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2015-01-14 12:47 - 2014-10-29 11:07 - 00344536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2015-01-14 12:47 - 2014-10-29 10:44 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\werdiagcontroller.dll
2015-01-14 12:47 - 2014-10-29 09:59 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\werdiagcontroller.dll
2015-01-14 12:47 - 2014-10-29 09:24 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-14 12:47 - 2014-10-29 09:02 - 00911360 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-01-14 12:47 - 2014-10-29 09:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-12 11:01 - 2014-02-12 19:45 - 01728929 _____ () C:\Windows\WindowsUpdate.log
2015-02-12 11:00 - 2013-08-22 23:36 - 00000000 ____D () C:\Windows\system32\sru
2015-02-12 10:52 - 2014-10-14 10:11 - 00316416 ___SH () C:\Users\Licensed User\Downloads\Thumbs.db
2015-02-12 10:50 - 2014-10-02 12:30 - 00000031 _____ () C:\tmuninst.ini
2015-02-12 10:50 - 2014-08-28 13:31 - 00000926 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-12 10:50 - 2013-08-22 22:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-12 10:48 - 2014-08-28 13:31 - 00000930 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-12 10:33 - 2014-12-04 10:49 - 00000000 ____D () C:\ProgramData\BlueStacksSetup
2015-02-12 10:33 - 2014-10-28 12:58 - 00000000 ____D () C:\Users\Licensed User\AppData\Roaming\uTorrent
2015-02-12 10:33 - 2014-02-12 19:42 - 00000000 ____D () C:\Windows\Panther
2015-02-12 10:22 - 2013-08-22 23:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-02-12 10:19 - 2014-02-19 13:41 - 00003970 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{D48AC59B-45CC-416B-AF4D-4D025DDA9F87}
2015-02-12 10:16 - 2013-08-22 22:44 - 00483192 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 19:03 - 2014-12-12 18:58 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-11 19:03 - 2014-10-18 19:36 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-11 19:03 - 2013-08-22 21:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-02-11 17:51 - 2013-08-22 23:36 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-02-11 12:24 - 2013-08-22 23:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-02-10 13:34 - 2013-08-22 23:36 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-08 19:08 - 2014-02-12 11:55 - 00833616 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-08 18:46 - 2014-09-20 13:38 - 00000000 ____D () C:\Users\Licensed User\AppData\Roaming\vlc
2015-02-07 13:59 - 2014-02-12 11:56 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2444213589-946884805-1873367541-1001
2015-02-04 03:31 - 2013-08-22 23:38 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 03:31 - 2013-08-22 23:38 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-03 13:59 - 2014-12-06 12:14 - 00000000 ____D () C:\ProgramData\Apple
2015-02-03 13:59 - 2014-12-06 12:14 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-02-03 10:52 - 2014-02-12 11:51 - 00000000 ____D () C:\Users\Licensed User\AppData\Local\Packages
2015-01-31 12:04 - 2014-11-20 11:05 - 00000000 ____D () C:\Users\Licensed User\Documents\Patient Safety 2015
2015-01-29 11:01 - 2014-12-11 15:23 - 00000000 ____D () C:\Users\Licensed User\Downloads\New folder
2015-01-29 10:17 - 2015-01-10 11:30 - 00000000 ____D () C:\ProgramData\Adobe
2015-01-29 10:16 - 2015-01-10 12:01 - 00000000 ____D () C:\Users\Licensed User\AppData\Local\Adobe
2015-01-29 10:16 - 2014-02-12 11:51 - 00000000 ____D () C:\Users\Licensed User\AppData\Roaming\Adobe
2015-01-22 11:05 - 2014-02-12 11:56 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-01-22 10:13 - 2015-01-10 11:28 - 00000000 ____D () C:\Program Files (x86)\Photoshop CS6
2015-01-21 18:54 - 2013-08-22 23:36 - 00000000 ____D () C:\Windows\LiveKernelReports
2015-01-21 13:30 - 2014-10-30 09:35 - 00010058 _____ () C:\Windows\cfgall.ini
2015-01-14 13:01 - 2014-02-19 13:47 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 12:58 - 2014-02-19 13:47 - 113365784 ____N (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
Some content of TEMP:
====================
C:\Users\Licensed User\AppData\Local\Temp\Quarantine.exe
C:\Users\Licensed User\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-07 11:15
 
==================== End Of Log ============================
 
Additional text from FARBAR:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-02-2015 02
Ran by Licensed User at 2015-02-12 11:09:06
Running from C:\Users\Licensed User\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Trend Micro Client/Server Security Agent Antivirus (Enabled - Up to date) {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
AS: Trend Micro Client/Server Security Agent Anti-spyware (Disabled - Up to date) {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall (Disabled) {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-2444213589-946884805-1873367541-1001\...\uTorrent) (Version: 3.4.2.35702 - BitTorrent Inc.)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
BizBox Hospital Information System 8.0 (HKLM-x32\...\{ADE95325-E811-42EE-946D-37ADECF8AC2B}) (Version: 0.1 - alisql)
BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.9.4.4078 - BlueStack Systems, Inc.)
BlueStacks Notification Center (HKLM-x32\...\{152E0B21-19D5-4772-9EF8-8E76074B0C0A}) (Version: 0.9.4.4078 - BlueStack Systems, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.02 - Piriform)
eBIRForms version 4.7 (HKLM-x32\...\eBIRForms_is1) (Version: 4.7 - )
Firebird 2.5.2.26539 (x64) (HKLM\...\FBDBServer_2_5_x64_is1) (Version: 2.5.2.26539 - Firebird Project)
Firebird/InterBase® ODBC driver 2.0.1.152 (HKLM\...\Firebird ODBC Driver_is1) (Version: 2.0.1.152 - Firebird Project)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2843 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
IP Messenger for Win (HKLM-x32\...\IPMSG for Win32) (Version:  - )
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSI to redistribute MS VS2005 CRT libraries (HKLM-x32\...\{A8D93648-9F7F-407D-915C-62044644C3DA}) (Version: 8.0.50727.42 - The Firebird Project)
MSI to redistribute MS VS2005 CRT libraries (HKLM-x32\...\{EBFC96E5-4409-426E-88B7-650ADB342E78}) (Version: 8.0.50727.42 - The Firebird Project)
Nero Burning ROM 2014 (HKLM-x32\...\{B0E4ACBC-4CFA-4B6D-9B7B-E13C171BCC23}) (Version: 15.0.05300 - Nero AG)
Nero Info (HKLM-x32\...\{B791E0AB-87A9-41A4-8D98-D13C2E37D928}) (Version: 15.1.0030 - Nero AG)
Prerequisite installer (x32 Version: 15.0.0005 - Nero AG) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6680 - Realtek Semiconductor Corp.)
syngo fastView (HKLM-x32\...\{4CF46E90-60EC-4177-9BE7-5F4BE89BC2E7}) (Version: VX57L38 - Siemens MedSW)
TightVNC 2.0.2 (HKLM-x32\...\TightVNC) (Version: 2.0.2 - GlavSoft LLC.)
Trend Micro Client/Server Security Agent (HKLM-x32\...\OfficeScanNT) (Version: 16.0.1331 - Trend Micro)
User Agent Switcher (HKLM-x32\...\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}) (Version:  - ) <==== ATTENTION
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Weather Europe Extension (HKLM-x32\...\{6933C2BA-C67D-42C7-8C77-1FF4B364AF54}) (Version:  - "") <==== ATTENTION
Yepi Play (HKLM-x32\...\{9D9BEFAE-9499-F52B-6CC4-94818CCC2AB5}) (Version:  - "")
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
21-01-2015 14:09:04 Scheduled Checkpoint
29-01-2015 12:04:23 Windows Update
03-02-2015 13:58:20 Removed Apple Application Support
11-02-2015 12:46:40 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 21:25 - 2013-08-22 21:25 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {03A7E8CC-5767-4B09-8F54-09BF930C6A83} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {06E742A7-F8B5-4275-9DE8-D062B9764C97} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-01-14] (Microsoft Corporation)
Task: {0FF908A9-CFEF-41F7-8E95-638FA1C8BFC5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-08-28] (Google Inc.)
Task: {339C1102-3E92-4815-AEA0-02830CBD1624} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-01-21] (Piriform Ltd)
Task: {61B60795-B3BD-480F-869B-82264A8DB05E} - System32\Tasks\Nero\Nero Info => C:\Program Files (x86)\Common Files\Nero\Nero Info\NeroInfo.exe [2013-10-16] (Nero AG)
Task: {851D5E51-B494-4EDC-915D-32BB1C0DF882} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-08-28] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2011-05-29 18:07 - 2006-12-29 13:22 - 00089088 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\zlibwapi.dll
2011-05-29 18:06 - 2009-03-10 21:03 - 00740104 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfwCtl.dll
2014-02-12 12:01 - 2012-08-29 19:18 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-12-13 10:51 - 2014-12-06 09:50 - 01077064 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libglesv2.dll
2014-12-13 10:51 - 2014-12-06 09:50 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libegl.dll
2014-12-13 10:51 - 2014-12-06 09:50 - 09009480 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\pdf.dll
2014-12-13 10:51 - 2014-12-06 09:50 - 01677128 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ffmpegsumo.dll
2014-12-13 10:51 - 2014-12-06 09:50 - 14913352 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2444213589-946884805-1873367541-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 10.20.254.40
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\Run32: => "BlueStacks Agent"
HKLM\...\StartupApproved\Run32: => "iTunesHelper"
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2444213589-946884805-1873367541-500 - Administrator - Disabled)
Guest (S-1-5-21-2444213589-946884805-1873367541-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2444213589-946884805-1873367541-1003 - Limited - Enabled)
Licensed User (S-1-5-21-2444213589-946884805-1873367541-1001 - Administrator - Enabled) => C:\Users\Licensed User
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/12/2015 11:04:56 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LIcenseUser)
Description: Activation of application windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with error: -2144927151 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (02/12/2015 11:04:43 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LIcenseUser)
Description: Activation of application windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with error: -2144927151 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (02/12/2015 11:08:56 AM) (Source: DCOM) (EventID: 10010) (User: LIcenseUser)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}
 
Error: (02/12/2015 11:08:26 AM) (Source: DCOM) (EventID: 10010) (User: LIcenseUser)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}
 
Error: (02/12/2015 11:07:56 AM) (Source: DCOM) (EventID: 10010) (User: LIcenseUser)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}
 
Error: (02/12/2015 11:07:26 AM) (Source: DCOM) (EventID: 10010) (User: LIcenseUser)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}
 
Error: (02/12/2015 11:06:56 AM) (Source: DCOM) (EventID: 10010) (User: LIcenseUser)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}
 
 
Microsoft Office Sessions:
=========================
 
 
 
I hope you can help me!!!!
 
Thank you!!!

Edit: Topic moved from Am I Infected forum to the more appropriate forum due to FRST log. ~ Animal

Edited by Animal, 12 February 2015 - 01:21 AM.
Moved to AII from Windows 8. ~ OB
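The three entries in the Installed Programs section of the FRST log above with an empty publisher or an "<==== ATTENTION" marker (User Agent Switcher, Weather Europe Extension, Yepi Play) are exactly the ones that later turned out to be adware. As an added example that is not part of this thread and not code from the FRST tool, the following Python script parses lines in that section's format (the format is inferred from the lines posted here, not from FRST documentation) and lists the entries a helper would want to check first: anything FRST marked ATTENTION or anything with no publisher. The sample log is a constructed subset of the lines in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line format of FRST's "Installed Programs" section, as inferred from the
# lines posted in this thread (an assumption, not from FRST documentation):
#   Name (HKLM-x32\...\Key) (Version: X - Publisher) [Hidden] [<==== ATTENTION]
#   Name (x32 Version: X - Publisher) Hidden      (hidden entries omit the key)
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) "
    r"(?:\((?P<key>HK[^)]*)\) )?"
    r"\((?:x32 )?Version: (?P<version>[^-]*?) - (?P<publisher>[^)]*)\)"
    r"(?P<flags>.*)$"
)

# Constructed sample: a subset of the Installed Programs lines from post #1.
SAMPLE_LOG = r"""
==================== Installed Programs ======================

µTorrent (HKU\S-1-5-21-2444213589-946884805-1873367541-1001\...\uTorrent) (Version: 3.4.2.35702 - BitTorrent Inc.)
eBIRForms version 4.7 (HKLM-x32\...\eBIRForms_is1) (Version: 4.7 - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
IP Messenger for Win (HKLM-x32\...\IPMSG for Win32) (Version:  - )
User Agent Switcher (HKLM-x32\...\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}) (Version:  - ) <==== ATTENTION
Weather Europe Extension (HKLM-x32\...\{6933C2BA-C67D-42C7-8C77-1FF4B364AF54}) (Version:  - "") <==== ATTENTION
Yepi Play (HKLM-x32\...\{9D9BEFAE-9499-F52B-6CC4-94818CCC2AB5}) (Version:  - "")
"""


@dataclass
class Entry:
    name: str
    key: Optional[str]      # uninstall registry key; None for Hidden entries
    version: str
    publisher: str          # normalised: "" when FRST printed nothing or ""
    hidden: bool
    attention: bool         # FRST appended "<==== ATTENTION"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one Installed Programs line; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    return Entry(
        name=m.group("name"),
        key=m.group("key"),
        version=m.group("version").strip(),
        publisher=m.group("publisher").strip().strip('"').strip(),
        hidden="Hidden" in flags,
        attention="ATTENTION" in flags,
    )


def triage(lines) -> Tuple[List[Entry], List[str]]:
    """Parse every line and return (all entries, names to review first).

    Review criteria: FRST's own ATTENTION marker, or a missing publisher.
    Legitimate software can lack a publisher too, so the list is a starting
    point for the helper's manual check, not a verdict.
    """
    entries = [e for e in (parse_entry(l) for l in lines) if e is not None]
    review = [e.name for e in entries if e.attention or not e.publisher]
    return entries, review


if __name__ == "__main__":
    entries, review = triage(SAMPLE_LOG.splitlines())
    print(f"{len(entries)} entries parsed; {len(review)} to review:")
    for name in review:
        print("  -", name)
```

On the sample, the review list also contains eBIRForms and IP Messenger, both of which simply ship without a publisher string; that is why the output is a list for a human to look at rather than an automatic removal list, which matches how the helper in this thread handled it (uninstall the three confirmed ones, leave the rest alone).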



#2 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 12 February 2015 - 06:14 AM

Hello lumoskid and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:
 

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I am looking at your logs now and will reply with instructions shortly.

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 12 February 2015 - 07:18 AM

Hello again lumoskid

P2P - I see you have P2P software, (uTorrent), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

Note: Please carry out these instructions in the order given.

===================================================

Let’s try forcing the uninstall of Yepi Play and Weather - Europe

Download Revo Uninstaller
 

  • double click the installation file on the desktop to run the installer
  • let it install to the default location
  • double click the new Revo Uninstaller Icon on the desktop to start the program.

You will now see a list of installed programs that Revo Uninstaller can remove.
 

  • locate the program you are uninstalling: Yepi Play
  • right-click the icon then choose Uninstall
  • click Yes to the warning and choose the Uninstall Mode
  • choose the Advanced option and then click Next
  • this will launch the program's built-in uninstaller. Be patient, it can take several seconds
  • once the uninstaller is done click Next
  • Revo Uninstaller will now scan for leftover information. Be patient, it can take several seconds.
  • once this scan is done click Next
  • you will then be presented with the leftover entries found by Revo Uninstaller
  • look at ALL of the entries to ensure they relate to the uninstall
  • next, click Select All > Delete to remove the entries
  • click Next
  • if there are any program file folders left over you will be presented with a list to be removed
  • again look at ALL of the entries to ensure they are related to the uninstall
  • click Select All > Delete to remove the entries
  • click Finish to go back to the uninstall list
  • repeat the process for Weather Europe and User Agent Switcher
  • when you have removed both of the programs, close Revo Uninstaller.

===================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below.


CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2015-02-02 17:19 - 2015-02-02 17:19 - 00000000 ____D () C:\Program Files (x86)\Yepi Play
2015-02-01 15:38 - 2015-02-01 15:38 - 00000000 ____D () C:\Program Files (x86)\Weather Europe Extension
C:\Program Files (x86)\Yepi Play
C:\Program Files (x86)\Weather Europe Extension

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work – FRST is saved in C:\Users\Licensed User\Downloads
  • run FRST64 then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Download Malwarebytes-Anti-Malware

Click here.
 

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7 users, please right-click and select “Run as Administrator”)
  • select the “Scan” tab at the top
  • there are three scan types; choose Threat Scan, then click on Scan
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with the next post:

Fixlog.txt
Mbam.txt


Can you tell me if there were any problems.

Satchfan


Edited by satchfan, 12 February 2015 - 07:27 AM.



#4 lumoskid

  • Topic Starter
  • Members
  • 18 posts

Posted 12 February 2015 - 07:58 AM

Hello Satchfan, thank you for your reply! I will try this once I get back to my office computer, which will be in 2 days' time. Please do not close this thread yet. I'm excited to try the things you instructed. :)

#5 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 12 February 2015 - 11:44 AM

Due to some of the entries I'd seen, I did wonder if this was a work computer.

 

I'm afraid we offer free computer help and tech support for home and personal use only. We are not here to support others that work for profit, or to support/replace your company's IT department.

Plus, working on a corporate computer can sometimes change settings and potentially harm your system which your company might not be too pleased about and could leave us liable for a lawsuit.

 

Satchfan

 

 




#6 lumoskid

  • Topic Starter
  • Members
  • 18 posts

Posted 12 February 2015 - 03:47 PM

It's not work as in work. It is my own clinic computer. I'm the only one using it in my own private clinic.

#7 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 13 February 2015 - 03:04 AM

OK. I'll keep this open until I hear from you.

 

Have a good weekend.




#8 lumoskid

  • Topic Starter
  • Members
  • 18 posts

Posted 13 February 2015 - 10:23 PM

Hello Satchfan, I've followed everything you instructed. Here are the logs:

 

FIXLOG:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-02-2015 02
Ran by Licensed User at 2015-02-14 10:45:03 Run:1
Running from C:\Users\Licensed User\Downloads
Loaded Profiles: Licensed User (Available profiles: Licensed User)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2015-02-02 17:19 - 2015-02-02 17:19 - 00000000 ____D () C:\Program Files (x86)\Yepi Play
2015-02-01 15:38 - 2015-02-01 15:38 - 00000000 ____D () C:\Program Files (x86)\Weather Europe Extension
C:\Program Files (x86)\Yepi Play
C:\Program Files (x86)\Weather Europe Extension
*****************
 
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"C:\Program Files (x86)\Yepi Play" => File/Directory not found.
"C:\Program Files (x86)\Weather Europe Extension" => File/Directory not found.
"C:\Program Files (x86)\Yepi Play" => File/Directory not found.
"C:\Program Files (x86)\Weather Europe Extension" => File/Directory not found.
 
==== End of Fixlog 10:45:03 ====
 
MBAM :
 
<?xml version="1.0" encoding="UTF-16"?>
<mbam-log>
  <header>
    <date>2015/02/14 10:55:42 +0800</date>
    <logfile>mbam-log-2015-02-14 (10-50-50).xml</logfile>
    <isadmin>yes</isadmin>
  </header>
  <engine>
    <version>2.00.4.1028</version>
    <malware-database>v2015.02.13.09</malware-database>
    <rootkit-database>v2015.02.03.01</rootkit-database>
    <license>free</license>
    <file-protection>disabled</file-protection>
    <web-protection>disabled</web-protection>
    <self-protection>disabled</self-protection>
  </engine>
  <system>
    <osversion>Windows 8.1</osversion>
    <arch>x64</arch>
    <username>Licensed User</username>
    <filesys>NTFS</filesys>
  </system>
  <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>327112</objects>
    <time>606</time>
    <processes>0</processes>
    <modules>0</modules>
    <keys>0</keys>
    <values>0</values>
    <datas>0</datas>
    <folders>0</folders>
    <files>3</files>
    <sectors>0</sectors>
  </summary>
  <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>enabled</pup>
    <pum>enabled</pum>
  </options>
  <items>
    <file>
      <path>C:\$Recycle.Bin\S-1-5-21-2444213589-946884805-1873367541-1001\$RGWP1CH\Yepi Play.exe</path>
      <vendor>PUP.Optional.Multiplug</vendor>
      <action>success</action>
      <hash>fffea578cdbdf244312323d855ad18e8</hash>
    </file>
    <file>
      <path>C:\$Recycle.Bin\S-1-5-21-2444213589-946884805-1873367541-1001\$RUWIXP8\Weather Europe Extension.exe</path>
      <vendor>PUP.Optional.Multiplug</vendor>
      <action>success</action>
      <hash>d528fd20aedce056aca830cb06fc44bc</hash>
    </file>
    <file>
      <path>C:\Users\Licensed User\AppData\Local\Temp\PHQGHU.tmp\User Agent Switcher.exe</path>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <hash>29d436e7296104323db31fe63dc5b14f</hash>
    </file>
  </items>
</mbam-log>
 
 
 
I hope this fix works... Perhaps I'll know later on while I'm using this computer. Thanks very much!


#9 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 14 February 2015 - 04:05 AM

I’d like to see the .txt version of Malwarebytes.

Please click on History > Application Logs. Open the last scan by double-clicking on it. At the bottom of that window are two options, "Copy to clipboard" and "Export"

Select "Copy to clipboard"; that copies the full log to the windows clipboard, so in your reply, right click in the text field and select "Paste", (or press Ctrl+V).

 

Thanks
 




#10 lumoskid

  • Topic Starter
  • Members
  • 18 posts

Posted 16 February 2015 - 09:07 PM

Malwarebytes:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2/14/2015
Scan Time: 10:55:42 AM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.02.13.09
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Licensed User
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327112
Time Elapsed: 10 min, 6 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 3
PUP.Optional.Multiplug, C:\$Recycle.Bin\S-1-5-21-2444213589-946884805-1873367541-1001\$RGWP1CH\Yepi Play.exe, Quarantined, [fffea578cdbdf244312323d855ad18e8], 
PUP.Optional.Multiplug, C:\$Recycle.Bin\S-1-5-21-2444213589-946884805-1873367541-1001\$RUWIXP8\Weather Europe Extension.exe, Quarantined, [d528fd20aedce056aca830cb06fc44bc], 
Trojan.Agent, C:\Users\Licensed User\AppData\Local\Temp\PHQGHU.tmp\User Agent Switcher.exe, Quarantined, [29d436e7296104323db31fe63dc5b14f], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#11 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 17 February 2015 - 02:21 AM

Looks as if that got rid of the three that were the problem.

Let’s run a final scan and if that is clear and you are happy we can tidy up.


Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use Internet Explorer, Firefox or Chrome for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    o    click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
     

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:


    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology


    Note: Do not check Remove found threats
     

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.


    Note - if ESET doesn't find any threats, no report will be created.
     

  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:


o    put a checkmark in "Uninstall application on close"
o    close program
o    report to me that nothing was found
 

If threats were found:


o    click on "list of threats found"
o    click on "export to text file" and save it as ESET results and save to the desktop
o    Click on back
o    put a checkmark in "Uninstall application on close"
o    click on finish
o    close program
o    copy and paste the report here.
 

Thanks

Satchfan
 

 




#12 lumoskid

  • Topic Starter
  • Members
  • 18 posts

Posted 19 February 2015 - 12:34 AM

ESET :

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\AllCheapPPrice\AllCheapPPrice.exe.vir a variant of Win32/AdWare.MultiPlug.BN application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ChheAipMe\WY5uCrfgIBjEUo.exe.vir a variant of Win32/AdWare.MultiPlug.BN application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\DDiggiSaaver\d4WI8Cb1VaXCqk.exe.vir a variant of Win32/AdWare.MultiPlug.BN application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\DiscoUntExtenesi\DiscoUntExtenesi.exe.vir a variant of Win32/AdWare.MultiPlug.BN application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ExstrraCeOuPon\ExstrraCeOuPon.exe.vir a variant of Win32/AdWare.MultiPlug.BN application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\RoboSSaveer\V5jRwPARpvfq7T.exe.vir a variant of Win32/AdWare.MultiPlug.BN application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\TampaGeneration\TampaGeneration.dll.vir a variant of Win32/SProtector.L potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\uniisaleSS\o1W4Z7nkqIvyLY.dll.vir Win32/Adware.MultiPlug.EG application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\uniisaleSS\o1W4Z7nkqIvyLY.exe.vir a variant of Win32/BHOUninstaller.AA potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\uniisaleSS\o1W4Z7nkqIvyLY.x64.dll.vir a variant of Win64/Adware.MultiPlug.F application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\uniiSSauleess\dh3D36OPyxt3iX.dll.vir Win32/Adware.MultiPlug.EG application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\uniiSSauleess\dh3D36OPyxt3iX.x64.dll.vir a variant of Win64/Adware.MultiPlug.F application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\youtubeadblocker\Q3PYKqgPiuidzz.dll.vir Win32/Adware.MultiPlug.EG application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\youtubeadblocker\Q3PYKqgPiuidzz.x64.dll.vir a variant of Win64/Adware.MultiPlug.F application
C:\AdwCleaner\Quarantine\C\ProgramData\anffimcndghbfidjlhdhmeinhhhdgeib\content.js.vir JS/Adware.MultiPlug.B application
C:\AdwCleaner\Quarantine\C\ProgramData\anffimcndghbfidjlhdhmeinhhhdgeib\IzcfivaI.js.vir JS/Kryptik.ATL trojan
C:\AdwCleaner\Quarantine\C\ProgramData\fegchmcoplammpolpcccdnabdnbbkolk\Fhpg.js.vir JS/Kryptik.ATB trojan
C:\AdwCleaner\Quarantine\C\ProgramData\iipmidpmkjbhfadpdjnidcaimpfanpfl\content.js.vir JS/Adware.MultiPlug.B application
C:\AdwCleaner\Quarantine\C\ProgramData\iipmidpmkjbhfadpdjnidcaimpfanpfl\GjwhnO.js.vir JS/Kryptik.ATB trojan
C:\AdwCleaner\Quarantine\C\ProgramData\jacejnidphmdkimabbomfgicphhdmfge\J4f.js.vir JS/Kryptik.ATB trojan
C:\AdwCleaner\Quarantine\C\ProgramData\jbaekaiabjadpihnkomgnkjglchlciki\ANZiY6kV.js.vir JS/Kryptik.ATB trojan
C:\AdwCleaner\Quarantine\C\ProgramData\jbaekaiabjadpihnkomgnkjglchlciki\lsdb.js.vir JS/Kryptik.ATB trojan
C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome.dll Win32/Patched.NFQ trojan
C:\ProgramData\{41d117e2-8444-4287-41d1-117e28445f8a}\50 shades of grey.pdf.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Users\All Users\{41d117e2-8444-4287-41d1-117e28445f8a}\50 shades of grey.pdf.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Users\Licensed User\Documents\New Folder\ccsetup502.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Licensed User\Documents\New Folder\setup.exe Win32/Systweak.K potentially unwanted application
Operating memory a variant of Win32/Adware.MultiPlug.EP application


#13 satchfan

satchfan

  • Malware Response Team
  • 2,641 posts
  • OFFLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:01:09 AM

Posted 19 February 2015 - 04:14 AM

Part of the Online scan result is only reporting what has already been quarantined: whatever is in those folders can't cause any harm and will be removed when we tidy up.

Please copy all text in the code box below and paste it into Notepad:

@echo off
rem Remove the remaining files reported by the ESET scan (straight quotes are required for cmd to parse the paths)
del /f /s /q "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome.dll"
del /f /s /q "C:\ProgramData\{41d117e2-8444-4287-41d1-117e28445f8a}\50 shades of grey.pdf.exe"
del /f /s /q "C:\Users\All Users\{41d117e2-8444-4287-41d1-117e28445f8a}\50 shades of grey.pdf.exe"
del /f /s /q "C:\Users\Licensed User\Documents\New Folder\ccsetup502.exe"
del /f /s /q "C:\Users\Licensed User\Documents\New Folder\setup.exe"
rem Delete this batch file itself once the commands above have run
del %0
  • save the Notepad file to your desktop and name it delfiles.bat
  • save type as "All Files"
  • on your desktop, double-click on delfiles.bat to run it, (a black CMD window will flash, then disappear - this is normal).

The files/folders, if found, will have been deleted and the "delfiles.bat" file will also be deleted.

Can you tell me if there are any outstanding problems - if not, I'll send instructions to tidy up.

Satchfan
My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
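The point made above, that entries under the AdwCleaner quarantine folder are already neutralised while the rest still need removing, can be applied mechanically to an ESET text export. The following is an added example written for this thread, not a tool from ESET or BleepingComputer; it parses result lines of the form "<path> <detection> <category>", separates quarantined, in-memory and live findings, and renders the live paths into a delfiles.bat of the same shape as the one posted. The detection-name prefixes it looks for (Win32/, Win64/, JS/, optionally preceded by "a variant of") are assumed from the lines in this thread.

```python
import re
from typing import List, NamedTuple

# Hypothetical parser for ESET Online Scanner text exports (added example, not ESET's own code).
# Detection names in this thread's export start with a platform prefix, optionally after
# "a variant of"; the first space followed by such a prefix separates the path from the verdict.
DETECTION_START = re.compile(r" (?=(?:a variant of )?(?:Win32|Win64|JS)/)")
QUARANTINE_PREFIX = "c:\\adwcleaner\\quarantine\\"   # AdwCleaner's quarantine folder, as in the log


class Finding(NamedTuple):
    path: str
    detection: str
    status: str  # "quarantined", "memory" or "live"


def classify_eset_line(line: str) -> Finding:
    """Split one ESET result line and decide whether it still needs action on disk."""
    parts = DETECTION_START.split(line.strip(), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"unrecognised ESET result line: {line!r}")
    path, detection = parts
    if path.lower().startswith(QUARANTINE_PREFIX):
        status = "quarantined"   # already isolated by AdwCleaner; goes away when the tool is removed
    elif path.lower() == "operating memory":
        status = "memory"        # in-memory hit, nothing on disk to delete
    else:
        status = "live"          # still on disk, belongs in the removal script
    return Finding(path, detection, status)


def live_paths(lines: List[str]) -> List[str]:
    """Return the on-disk paths that still need to be removed, preserving report order."""
    return [f.path for f in (classify_eset_line(l) for l in lines if l.strip()) if f.status == "live"]


def build_del_script(paths: List[str]) -> str:
    """Render a delfiles.bat like the one in the thread, using straight quotes so cmd parses the paths."""
    lines = ["@echo off"] + [f'del /f /s /q "{p}"' for p in paths] + ["del %0"]
    return "\r\n".join(lines) + "\r\n"


# Constructed sample: four lines taken from the ESET export posted earlier in this thread.
SAMPLE_LINES = [
    r"C:\AdwCleaner\Quarantine\C\Program Files (x86)\AllCheapPPrice\AllCheapPPrice.exe.vir a variant of Win32/AdWare.MultiPlug.BN application",
    r"C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome.dll Win32/Patched.NFQ trojan",
    r"C:\ProgramData\{41d117e2-8444-4287-41d1-117e28445f8a}\50 shades of grey.pdf.exe a variant of Win32/Adware.MultiPlug.EP application",
    r"Operating memory a variant of Win32/Adware.MultiPlug.EP application",
]

if __name__ == "__main__":
    print(build_del_script(live_paths(SAMPLE_LINES)))
```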


#14 lumoskid

lumoskid
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 21 February 2015 - 12:01 AM

Done!

Thanks so much Satchfan.

So far I haven't encountered any problems.



#15 lumoskid

lumoskid
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 21 February 2015 - 12:20 AM

Oops, I spoke too soon. I noticed an ad that popped out while using Google Chrome, browsing through Gmail. Is that normal?