Win 7, clean scans, Threats detected when connected to internet


7 replies to this topic

#1 gavtek303

  • Members
  • 13 posts

Posted 15 February 2015 - 03:46 PM

Hello, a friend brought me his PC, which originally ran slow and wouldn't let him download files. He had no AV or AM software installed at the time. Finally got Avast installed through safe mode. Scanned and cleaned. Now, scans come back negative, but as soon as the computer is connected to the net, all hell breaks loose. URL threats detected constantly. Help? Thanks!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-02-2015
Ran by Robert W. Stone (administrator) on DELL-1 on 15-02-2015 14:36:40
Running from C:\Users\Robert W. Stone\Desktop
Loaded Profiles: Robert W. Stone (Available profiles: Robert W. Stone)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(Creative Home) C:\Program Files (x86)\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [111640 2009-09-30] ()
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2011-10-31] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-02-12] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Run: [GoogleChromeAutoLaunch_5D68F124AC5DDEE93068C0119E07F179] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-02-04] (Google Inc.)
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\RunOnce: [Adobe Speed Launcher] => 1424032474
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\MountPoints2: {3bff89b0-91f0-11e3-bf0d-806e6f6e6963} - D:\SETUP.EXE
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk
ShortcutTarget: Event Planner Reminder.lnk -> C:\Program Files (x86)\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe (Creative Home)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
URLSearchHook: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> {33C319FC-7EA1-4805-857D-88C4B7AA9D8D} URL = https://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20141146,20028,0,31,0
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
Toolbar: HKLM-x32 - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 208.180.42.68 208.180.42.100
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-02-12]
FF HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Firefox\Extensions: [{8E3C10E3-9B89-B515-883F-0A45FF62B29F}] - C:\Program Files (x86)\BlockAndSurf-soft\161.xpi
 
Chrome: 
=======
CHR Profile: C:\Users\Robert W. Stone\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Robert W. Stone\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-06]
CHR Extension: (Google Wallet) - C:\Users\Robert W. Stone\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-22]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-02-12]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-02-12] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2015-02-12] (Avast Software)
R2 EpsonBidirectionalService; C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-02-12] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-02-12] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-02-12] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-02-12] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-02-12] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-02-12] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-02-12] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-02-12] ()
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-05-03] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-02-15] ()
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-15 14:36 - 2015-02-15 14:37 - 00011942 _____ () C:\Users\Robert W. Stone\Desktop\FRST.txt
2015-02-15 14:36 - 2015-02-15 14:36 - 02085888 _____ (Farbar) C:\Users\Robert W. Stone\Desktop\FRST64.exe
2015-02-15 14:31 - 2015-02-15 14:31 - 00000000 ____D () C:\Users\Robert W. Stone\AppData\Roaming\Process Hacker 2
2015-02-15 14:16 - 2015-02-15 14:16 - 00001892 _____ () C:\Users\Robert W. Stone\Desktop\Process Hacker 2.lnk
2015-02-15 14:16 - 2015-02-15 14:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
2015-02-15 14:15 - 2015-02-15 14:15 - 01932448 _____ (wj32 ) C:\Users\Robert W. Stone\Downloads\processhacker-2.33-setup.exe
2015-02-14 10:12 - 2015-02-14 10:12 - 00000908 _____ () C:\Users\Robert W. Stone\Desktop\JRT.txt
2015-02-14 09:56 - 2015-02-14 09:56 - 00000000 ____D () C:\Users\Robert W. Stone\AppData\Local\CrashDumps
2015-02-14 09:54 - 2015-02-15 13:51 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-02-14 09:54 - 2015-02-14 09:54 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-14 09:45 - 2015-02-14 09:50 - 15431256 _____ () C:\Users\Robert W. Stone\Downloads\RogueKiller.exe
2015-02-14 09:06 - 2015-02-14 09:06 - 00000000 ____D () C:\Users\Robert W. Stone\AppData\Roaming\Google
2015-02-13 22:56 - 2015-02-15 14:36 - 00121281 _____ () C:\Windows\WindowsUpdate.log
2015-02-13 22:55 - 2015-02-13 22:55 - 00148680 _____ () C:\Users\Robert W. Stone\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-13 22:53 - 2015-02-15 14:31 - 00000202 _____ () C:\Windows\setupact.log
2015-02-13 22:53 - 2015-02-13 22:53 - 00000000 _____ () C:\Windows\setuperr.log
2015-02-13 22:36 - 2015-02-13 22:36 - 00490720 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-13 00:52 - 2015-02-13 00:52 - 00000247 _____ () C:\Windows\system32\2015-02-13-06-52-38.044-aswFe.exe-3416.log
2015-02-13 00:50 - 2015-02-13 00:50 - 00000197 _____ () C:\Windows\system32\2015-02-13-06-50-29.008-AvastVBoxSVC.exe-2840.log
2015-02-12 18:37 - 2015-02-12 18:39 - 00000000 ____D () C:\Windows\SysWOW64\vbox
2015-02-12 18:37 - 2015-02-12 18:39 - 00000000 ____D () C:\Windows\system32\vbox
2015-02-12 18:37 - 2015-02-12 18:37 - 00001964 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-02-12 18:37 - 2015-02-12 18:37 - 00000000 ____D () C:\Users\Robert W. Stone\AppData\Roaming\AVAST Software
2015-02-12 18:37 - 2015-02-12 18:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-02-12 18:36 - 2015-02-12 18:37 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2015-02-12 18:36 - 2015-02-12 18:37 - 00087912 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2015-02-12 18:36 - 2015-02-12 18:37 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-02-12 18:36 - 2015-02-12 18:36 - 00000000 ____D () C:\ProgramData\Google
2015-02-12 18:36 - 2015-02-12 18:35 - 00436624 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-02-12 18:36 - 2015-02-12 18:35 - 00364512 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-02-12 18:36 - 2015-02-12 18:35 - 00267632 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2015-02-12 18:36 - 2015-02-12 18:35 - 00116728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-02-12 18:36 - 2015-02-12 18:35 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-02-12 18:36 - 2015-02-12 18:35 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2015-02-12 18:36 - 2015-02-12 18:35 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2015-02-12 18:35 - 2015-02-12 18:35 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-02-12 18:35 - 2015-02-12 18:35 - 00000000 ____D () C:\Program Files\AVAST Software
2015-02-12 18:34 - 2015-02-12 18:35 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-02-12 14:05 - 2015-02-12 14:05 - 00003304 ____N () C:\bootsqm.dat
2015-02-12 10:10 - 2015-01-22 22:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-12 10:10 - 2015-01-22 22:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-12 10:10 - 2015-01-22 21:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-12 10:10 - 2015-01-22 21:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-11 22:31 - 2015-02-15 14:18 - 00000000 ____D () C:\Users\Robert W. Stone\Desktop\Malware Tools
2015-02-11 21:19 - 2015-02-15 14:36 - 00000000 ____D () C:\FRST
2015-02-11 13:41 - 2015-01-13 23:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 13:41 - 2015-01-13 23:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-11 13:41 - 2015-01-11 21:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 13:41 - 2015-01-11 21:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-11 13:41 - 2015-01-11 21:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-11 13:41 - 2015-01-11 20:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-11 13:41 - 2015-01-11 20:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 13:41 - 2015-01-11 20:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 13:41 - 2015-01-11 20:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-11 13:41 - 2015-01-11 20:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 13:41 - 2015-01-11 20:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-11 13:41 - 2015-01-11 20:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-11 13:41 - 2015-01-11 20:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-11 13:41 - 2015-01-11 20:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-11 13:41 - 2015-01-11 20:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-11 13:41 - 2015-01-11 20:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-11 13:41 - 2015-01-11 20:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-11 13:41 - 2015-01-11 20:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-11 13:41 - 2015-01-11 20:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 13:41 - 2015-01-11 20:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 13:41 - 2015-01-11 20:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-11 13:41 - 2015-01-11 20:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-11 13:41 - 2015-01-11 20:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 13:41 - 2015-01-11 20:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-11 13:41 - 2015-01-11 20:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-11 13:41 - 2015-01-11 20:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-11 13:41 - 2015-01-11 20:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-11 13:41 - 2015-01-11 20:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-11 13:41 - 2015-01-11 20:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-11 13:41 - 2015-01-11 19:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-11 13:41 - 2015-01-11 19:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-11 13:41 - 2015-01-11 19:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-11 13:41 - 2015-01-11 19:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 13:41 - 2015-01-11 19:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 13:41 - 2015-01-11 19:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 13:41 - 2015-01-11 19:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-11 13:41 - 2015-01-11 19:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-11 13:41 - 2015-01-11 19:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 13:41 - 2015-01-11 19:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-11 13:41 - 2015-01-11 19:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-11 13:41 - 2015-01-11 19:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-11 13:41 - 2015-01-11 19:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-11 13:41 - 2015-01-11 19:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 13:41 - 2015-01-11 19:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-11 13:41 - 2015-01-11 19:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-11 13:41 - 2015-01-11 19:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-11 13:41 - 2015-01-11 19:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-11 13:41 - 2015-01-11 19:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 13:41 - 2015-01-11 19:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 13:41 - 2015-01-11 19:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-11 13:41 - 2015-01-11 18:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-11 13:41 - 2015-01-11 18:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 13:40 - 2015-01-15 02:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 13:40 - 2015-01-15 02:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 13:40 - 2015-01-15 02:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 13:40 - 2015-01-15 02:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 13:40 - 2015-01-15 02:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 13:40 - 2015-01-15 02:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 13:40 - 2015-01-15 02:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 13:40 - 2015-01-15 02:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 13:40 - 2015-01-15 02:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 13:40 - 2015-01-15 02:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 13:40 - 2015-01-15 02:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 13:40 - 2015-01-15 01:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-11 13:40 - 2015-01-15 01:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 13:40 - 2015-01-15 01:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-11 13:40 - 2015-01-15 01:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 13:40 - 2015-01-15 01:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-11 13:40 - 2015-01-15 01:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 13:40 - 2015-01-14 22:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 13:40 - 2015-01-14 00:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 13:40 - 2015-01-14 00:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-11 13:40 - 2015-01-14 00:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-11 13:40 - 2015-01-14 00:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-11 13:40 - 2015-01-13 23:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-11 13:40 - 2015-01-13 23:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-11 13:40 - 2015-01-13 23:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-11 13:40 - 2015-01-12 21:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 13:40 - 2015-01-12 20:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 13:40 - 2015-01-10 00:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-11 13:40 - 2015-01-10 00:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-11 13:40 - 2015-01-08 20:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 13:40 - 2014-12-07 21:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 13:40 - 2014-12-07 20:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-06 07:48 - 2015-02-15 14:32 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-06 07:48 - 2015-02-06 07:48 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-03 08:45 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-02-02 18:54 - 2015-02-02 18:54 - 00000000 ____D () C:\Users\Robert W. Stone\AppData\Roaming\EncryptStick
2015-02-02 12:46 - 2015-02-02 12:46 - 00000000 _____ () C:\Windows\EEventManager.INI
2015-02-02 11:50 - 2015-02-02 13:18 - 00000609 _____ () C:\Users\Robert W. Stone\AppData\Roaming\Microsoft\Windows\Start Menu\Southside Bank, Tyler, East Texas, DFW and Austin - Car Loans, Personal Loans, Commercial Loans, Mortgage Loans (New, Construction, Refinancing, Home Equity).website
2015-02-01 16:09 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-02-01 16:09 - 2014-12-11 11:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-02-01 16:09 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-02-01 16:09 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-02-01 16:09 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-15 14:34 - 2014-02-25 12:19 - 00007650 _____ () C:\Users\Robert W. Stone\AppData\Local\resmon.resmoncfg
2015-02-15 14:32 - 2014-05-02 08:18 - 00000464 __RSH () C:\ProgramData\ntuser.pol
2015-02-15 14:31 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-14 10:24 - 2014-02-13 21:14 - 00000000 ____D () C:\Program Files (x86)\Google
2015-02-14 10:23 - 2015-01-03 09:47 - 00000000 ____D () C:\Windows\pss
2015-02-14 09:56 - 2014-02-13 21:14 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-14 09:43 - 2014-02-09 19:20 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-14 09:06 - 2014-02-13 21:14 - 00000000 ____D () C:\Users\Robert W. Stone\AppData\Local\Google
2015-02-14 08:30 - 2009-07-13 22:45 - 00025520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-14 08:30 - 2009-07-13 22:45 - 00025520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-13 19:54 - 2014-07-22 10:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSoftwareUpdater
2015-02-13 19:54 - 2014-06-12 09:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlashLive! Updater
2015-02-13 19:53 - 2014-02-09 19:10 - 00000000 ____D () C:\Windows\Panther
2015-02-13 07:11 - 2014-02-24 14:08 - 00000000 ____D () C:\temp
2015-02-12 18:47 - 2014-05-09 04:11 - 00000000 ____D () C:\Program Files (x86)\Object Browser
2015-02-12 18:36 - 2014-02-21 19:21 - 00000000 ____D () C:\Program Files\Google
2015-02-12 09:58 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-12 09:36 - 2014-02-25 12:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-12 06:57 - 2009-07-13 20:34 - 00000678 _____ () C:\Windows\win.ini
2015-02-12 06:34 - 2014-03-28 14:29 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-12 04:48 - 2014-03-28 14:29 - 116773704 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-02-11 23:14 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-11 22:05 - 2015-01-04 14:36 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2015-02-11 17:49 - 2009-07-13 23:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-11 13:42 - 2009-07-13 23:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-02-06 07:48 - 2014-02-13 21:14 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-05 15:40 - 2014-02-21 19:20 - 00002102 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-05 09:11 - 2014-02-09 19:20 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 09:11 - 2014-02-09 19:20 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-05 09:11 - 2014-02-09 19:20 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-03 11:16 - 2014-08-26 16:33 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-01 16:27 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\rescache
2015-02-01 16:03 - 2014-02-09 17:40 - 00000000 ____D () C:\Users\Robert W. Stone
2015-02-01 15:56 - 2014-02-09 19:20 - 00000000 ____D () C:\Windows\system32\Macromed
2015-02-01 15:55 - 2015-01-05 17:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epson Software
2015-02-01 15:41 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\registration
2015-02-01 15:04 - 2010-11-21 01:16 - 00000000 ___RD () C:\Users\Public\Recorded TV
 
==================== Files in the root of some directories =======
 
2014-05-02 08:18 - 2014-05-02 08:18 - 0000318 _____ () C:\Users\Robert W. Stone\AppData\Roaming\aps.uninstall.scan.results
2014-02-16 21:21 - 2014-02-16 21:21 - 0005003 _____ () C:\Users\Robert W. Stone\AppData\Roaming\UserTile.png
2014-03-11 11:04 - 2014-07-19 08:00 - 0000113 _____ () C:\Users\Robert W. Stone\AppData\Roaming\WB.CFG
2014-10-02 02:04 - 2014-10-02 02:04 - 0150690 _____ () C:\Users\Robert W. Stone\AppData\Local\anltkwtr
2014-09-29 13:43 - 2014-09-29 13:43 - 0068415 _____ () C:\Users\Robert W. Stone\AppData\Local\kdpwgsjb
2014-02-19 18:53 - 2014-02-19 18:53 - 0295728 _____ (VuuPC Limited) C:\Users\Robert W. Stone\AppData\Local\nsa6176.tmp
2014-02-25 12:19 - 2015-02-15 14:34 - 0007650 _____ () C:\Users\Robert W. Stone\AppData\Local\resmon.resmoncfg
2014-10-01 12:02 - 2014-10-01 12:02 - 0150690 _____ () C:\Users\Robert W. Stone\AppData\Local\wapejipe
2014-11-14 17:54 - 2014-11-14 17:54 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some content of TEMP:
====================
C:\Users\Robert W. Stone\AppData\Local\Temp\dllnt_dump.dll
 
 
Some zero byte size files/folders:
==========================
C:\Windows\System32\kckgxw.dll
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-01 16:19
 
==================== End Of Log ============================


#2 nasdaq

  • Malware Response Team
  • 38,930 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 February 2015 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=adk_14_18&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0F0C0EtByBtB0D0B0BtN0D0Tzu0SzzzyzytN1L2XzutBtFtBtCtFyEtFtCtN1L1Czu1T1Q1J1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StD0C0AtCyDyB0AyDtG0BtAtDyBtGtB0FzzyCtG0C0E0F0CtGtDtC0BtCtC0FyD0ByCyC0Fzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCtDtD0BtCzz0DtCtG0EyBtB0FtGyB0CtD0DtG0FzzzztAtGyB0FtDtAyE0EtAyB0C0AyDtB2Q&cr=284165636&ir=
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKLM - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
Toolbar: HKLM-x32 - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Firefox\Extensions: [{8E3C10E3-9B89-B515-883F-0A45FF62B29F}] - C:\Program Files (x86)\BlockAndSurf-soft\161.xpi
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {F832FD77-7DC7-4B09-A049-4E36193E1CFC} - \ShopperPro No Task File <==== ATTENTION
Task: {B0158B93-1AA4-4817-9B6F-E24A8E247EA0} - \ShopperProJSUpd No Task File <==== ATTENTION
Task: {D1C97871-0807-43BD-819B-E1BE84F11226} - \TidyNetwork Update No Task File <==== ATTENTION
Task: {8060452E-4086-4342-B357-47393ED94B7A} - \SPDriver No Task File <==== ATTENTION
Task: {5AB63804-1180-4E59-8EED-7E20E097F6FE} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {39E8AB2F-86C0-4BBC-9FEB-695FF0C632CB} - System32\Tasks\LaunchApp => C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe <==== ATTENTION
Task: {01E9D17F-EDF7-4875-B286-B9E5CEB4C51C} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION
C:\Windows\System32\kckgxw.dll
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:D346F792
C:\Program Files (x86)\BlockAndSurf-soft

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
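As an added triage example (not code from the thread, from FRST or from nasdaq), this Python walks fixlist entries of the kind posted above, sorts them by FRST line type, flags the orphaned (No File / No Task File / [X]) and ATTENTION-marked items, and undoes the one-code-point shift on the eval() string in the Poweliks entry. The sample lines are copied from the fixlist; the category names and flag names are my own.

```python
import re
from collections import Counter

# Entries copied from the fixlist posted in this thread; a constructed sample,
# not a complete FRST log.
SAMPLE_LINES = r'''
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
Toolbar: HKLM - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
FF HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Firefox\Extensions: [{8E3C10E3-9B89-B515-883F-0A45FF62B29F}] - C:\Program Files (x86)\BlockAndSurf-soft\161.xpi
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {F832FD77-7DC7-4B09-A049-4E36193E1CFC} - \ShopperPro No Task File <==== ATTENTION
Task: {39E8AB2F-86C0-4BBC-9FEB-695FF0C632CB} - System32\Tasks\LaunchApp => C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe <==== ATTENTION
C:\Windows\System32\kckgxw.dll
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
'''

# FRST line prefixes mapped to category names chosen here (not FRST's own terms).
PREFIXES = (
    ("Task:", "scheduled_task"),
    ("Toolbar:", "ie_toolbar"),
    ("BHO:", "ie_bho"),
    ("SearchScopes:", "ie_searchscope"),
    ("URLSearchHook:", "ie_urlsearchhook"),
    ("FF ", "firefox"),
    ("CHR ", "chrome"),
    ("GroupPolicy:", "group_policy"),
    ("AlternateDataStreams:", "ads"),
    ("HKU\\", "registry"),
    ("HKLM\\", "registry"),
    ("HKCU\\", "registry"),
)
SERVICE_RE = re.compile(r"^[SR]\d\s+\S+;")   # "S3 name; path [X]" service/driver lines
PATH_RE = re.compile(r"^[A-Za-z]:\\")        # bare file or folder path
EVAL_RE = re.compile(r'eval\("(\S+)')        # first argument of an eval("...") call


def classify(line):
    """Return the category for one FRST line, based on its leading token."""
    for prefix, category in PREFIXES:
        if line.startswith(prefix):
            return category
    if SERVICE_RE.match(line):
        return "service"
    if PATH_RE.match(line):
        return "file"
    return "other"


def flags(line):
    """Collect the review flags an analyst would want on this line."""
    found = set()
    if "ATTENTION" in line and "<===" in line:
        found.add("attention")           # FRST itself marked the entry
    if "Poweliks" in line:
        found.add("poweliks")            # FRST's named detection
    if "No File" in line or "No Task File" in line or line.endswith("[X]"):
        found.add("orphan")              # entry points at a file that is gone
    if "javascript:" in line and "RunHTMLApplication" in line:
        found.add("rundll32_js")         # rundll32 + mshtml running script from the registry
    return found


def decode_shifted(text, shift=1):
    """Undo a per-character code-point shift of `shift` (the eval string here uses +1)."""
    return "".join(chr(ord(c) - shift) for c in text)


def eval_payload(line):
    """Return the obfuscated eval() argument on a line, or None if there is none."""
    match = EVAL_RE.search(line)
    return match.group(1) if match else None


def triage(text):
    """Parse fixlist/FRST lines into dicts of category, flags, decoded payload and raw line."""
    rows = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        payload = eval_payload(line)
        rows.append({
            "category": classify(line),
            "flags": flags(line),
            "decoded": decode_shifted(payload) if payload else None,
            "line": line,
        })
    return rows


def summarize(rows):
    """Counts per category plus how many lines carry at least one flag."""
    return {
        "total": len(rows),
        "flagged": sum(1 for r in rows if r["flags"]),
        "by_category": dict(Counter(r["category"] for r in rows)),
    }


if __name__ == "__main__":
    parsed = triage(SAMPLE_LINES)
    for row in parsed:
        print(f'{row["category"]:16} {sorted(row["flags"])} {row["line"][:70]}')
        if row["decoded"]:
            print(f'{"":16} decoded eval prefix: {row["decoded"]}')
    print(summarize(parsed))
```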

#3 gavtek303

  • Topic Starter
  • Members
  • 13 posts

Posted 18 February 2015 - 09:17 PM

Hey nasdaq, thanks for the reply and the assistance. System seems to be running normally. I was pretty sure I hosed up the first fixlist while running in safe mode. I reran everything (against your better judgement, I'm sure ;) in normal after seeing some improvement in performance but still getting threat detects in normal mode. At this time, the system has been up, in normal mode for about 30 minutes with no Avast URL Threat alerts.

 

Please let me know if additional steps need to be taken.  Both sets of logs are below.  Thanks again.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2015
Ran by Robert W. Stone at 2015-02-18 18:31:06 Run:1
Running from C:\Users\Robert W. Stone\Desktop
Loaded Profiles: Robert W. Stone (Available profiles: Robert W. Stone)
Boot Mode: Safe Mode (with Networking)
==============================================
 
Content of fixlist:
*****************
start CloseProcesses: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks! GroupPolicy: Group Policy on Chrome detected <======= ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION URLSearchHook: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=adk_14_18&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0F0C0EtByBtB0D0B0BtN0D0Tzu0SzzzyzytN1L2XzutBtFtBtCtFyEtFtCtN1L1Czu1T1Q1J1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StD0C0AtCyDyB0AyDtG0BtAtDyBtGtB0FzzyCtG0C0E0F0CtGtDtC0BtCtC0FyD0ByCyC0Fzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCtDtD0BtCzz0DtCtG0EyBtB0FtGyB0CtD0DtG0FzzzztAtGyB0FtDtAyE0EtAyB0C0AyDtB2Q&cr=284165636&ir= BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File Toolbar: HKLM - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} - No File Toolbar: HKLM-x32 - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} - No File Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File FF Plugin: @microsoft.com/GENUINE -> disabled No File FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File FF HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Firefox\Extensions: [{8E3C10E3-9B89-B515-883F-0A45FF62B29F}] - C:\Program Files (x86)\BlockAndSurf-soft\161.xpi S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X] S3 Synth3dVsc; System32\drivers\synth3dvsc.sys 
[X] S3 tsusbhub; system32\drivers\tsusbhub.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] Task: {F832FD77-7DC7-4B09-A049-4E36193E1CFC} - \ShopperPro No Task File <==== ATTENTION Task: {B0158B93-1AA4-4817-9B6F-E24A8E247EA0} - \ShopperProJSUpd No Task File <==== ATTENTION Task: {D1C97871-0807-43BD-819B-E1BE84F11226} - \TidyNetwork Update No Task File <==== ATTENTION Task: {8060452E-4086-4342-B357-47393ED94B7A} - \SPDriver No Task File <==== ATTENTION Task: {5AB63804-1180-4E59-8EED-7E20E097F6FE} - \BrowserSafeguard Update Task No Task File <==== ATTENTION Task: {39E8AB2F-86C0-4BBC-9FEB-695FF0C632CB} - System32\Tasks\LaunchApp => C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe <==== ATTENTION Task: {01E9D17F-EDF7-4875-B286-B9E5CEB4C51C} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION C:\Windows\System32\kckgxw.dll AlternateDataStreams: C:\ProgramData\TEMP:373E1720 AlternateDataStreams: C:\ProgramData\TEMP:D346F792 C:\Program Files (x86)\BlockAndSurf-soft End
*****************
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\start CloseProcesses: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks! GroupPolicy: Group Policy on Chrome detected <======= ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=adk_14_18&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0F0C0EtByBtB0D0B0BtN0D0Tzu0SzzzyzytN1L2XzutBtFtBtCtFyEtFtCtN1L1Czu1T1Q1J1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StD0C0AtCyDyB0AyDtG0BtAtDyBtGtB0FzzyCtG0C0E0F0CtGtDtC0BtCtC0FyD0ByCyC0Fzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCtDtD0BtCzz0DtCtG0EyBtB0FtGyB0CtD0DtG0FzzzztAtGyB0FtDtAyE0EtAyB0C0AyDtB2Q&cr=284165636&ir= BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File Toolbar: HKLM - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} - No File Toolbar: HKLM-x32 - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} - No File Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File FF Plugin: @microsoft.com/GENUINE -> disabled No File FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File FF HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Firefox\Extensions: [{8E3C10E3-9B89-B515-883F-0A45FF62B29F}] - C:\Program Files (x86)\BlockAndSurf-soft\161.xpi S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X] S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X] S3 
tsusbhub; system32\drivers\tsusbhub.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] Task: {F832FD77-7DC7-4B09-A049-4E36193E1CFC} - \ShopperPro No Task File <==== ATTENTION Task: {B0158B93-1AA4-4817-9B6F-E24A8E247EA0} - \ShopperProJSUpd No Task File <==== ATTENTION Task: {D1C97871-0807-43BD-819B-E1BE84F11226} - \TidyNetwork Update No Task File <==== ATTENTION Task: {8060452E-4086-4342-B357-47393ED94B7A} - \SPDriver No Task File <==== ATTENTION Task: {5AB63804-1180-4E59-8EED-7E20E097F6FE} - \BrowserSafeguard Update Task No Task File <==== ATTENTION Task: {39E8AB2F-86C0-4BBC-9FEB-695FF0C632CB} - System32\Tasks\LaunchApp => C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe <==== ATTENTION Task: {01E9D17F-EDF7-4875-B286-B9E5CEB4C51C} => Value not found.
 
==== End of Fixlog 18:31:06 ====
 
# AdwCleaner v4.111 - Logfile created 18/02/2015 at 18:33:57
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Local]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Robert W. Stone - DELL-1
# Running from : C:\Users\Robert W. Stone\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\b653ad6da9de5166
Folder Deleted : C:\Program Files (x86)\EnhanceTronic
Folder Deleted : C:\Windows\Installer\{813BA625-B0FA-48D8-9B75-59759C88C219}
Folder Deleted : C:\Program Files\003
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Users\Robert W. Stone\AppData\LocalLow\IminentToolbar
Folder Deleted : C:\Users\Robert W. Stone\AppData\Roaming\Activeris
Folder Deleted : C:\Users\Robert W. Stone\Documents\Mobogenie
Folder Deleted : C:\Users\Robert W. Stone\Documents\PC Health Kit
File Deleted : C:\Windows\System32\drivers\wStLib64.sys
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Windows\System32\SecureAssist64.dll
File Deleted : C:\Users\Robert W. Stone\daemonprocess.txt
File Deleted : C:\Users\Robert W. Stone\AppData\Roaming\aps.uninstall.scan.results
 
***** [ Scheduled tasks ] *****
 
Task Deleted : BrowserSafeguard Update Task
Task Deleted : LaunchApp
Task Deleted : Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2
Task Deleted : ShopperPro
Task Deleted : ShopperProJSUpd
Task Deleted : SPDriver
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ShopperPro.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FCF8BFD3-39B8-4370-B464-EC2AAACD97CF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EC77D09-02CB-4E1F-E3C4-FB141B2610B3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0BD19251-4B4B-4B94-AB16-617106245BB7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3281114F-BCAB-45E3-80D9-A6CD64D4E636}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{44533FCB-F9FB-436A-8B6B-CF637B2D465A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{44B29DDD-CF7A-454A-A275-A322A398D93F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A4DE94DB-DF03-45A3-8A5D-D1B7464B242D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AA0F50A8-2618-4AE4-A779-9F7378555A8F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B2DB115C-8278-4947-9A07-57B53D1C4215}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B97FC455-DB33-431D-84DB-6F1514110BD5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C67281E0-78F5-4E49-9FAE-4B1B2ADAF17B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E72E9312-0367-4216-BFC7-21485FA8390B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F6CCB6C9-127E-44AE-8552-B94356F39FFE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FFD25630-2734-4AE9-88E6-21BF6525F3FE}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC865B26-C31D-4D23-B17B-96548EEF03F6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKCU\Software\AnyProtect
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\Tutorials
Key Deleted : HKCU\Software\usyndication.com
Key Deleted : HKCU\Software\ContentExplorer
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Object Browser
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\CompeteInc
Key Deleted : HKLM\SOFTWARE\Taronja
Key Deleted : [x64] HKLM\SOFTWARE\YTDownloader
Key Deleted : [x64] HKLM\SOFTWARE\System Optimizer Pro
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\526AB318AF0B8D84B9579557C9882C91
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\526AB318AF0B8D84B9579557C9882C91
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\216F88E93A00F2B5494EDDCFD502D42E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32DA746012E6D4F488AAD113D6FA4A44
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6B417119DEEF2AE52B41C910B4B269FA
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\82306010F2A8A02519C2D6D1A4B48415
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF767AE36C8829547ACD71A4249A42B9
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E9A2A2663AD8ED75E83332ACA3689A31
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FDCBFFB76F9A2B15D9A475A10FA793A6
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\526AB318AF0B8D84B9579557C9882C91
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17631
 
 
-\\ Google Chrome v40.0.2214.111
 
[C:\Users\Robert W. Stone\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Robert W. Stone\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Robert W. Stone\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=cmi_14_11_ie&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0F0C0EtByBtB0D0B0BtN0D0Tzu0SzztDtCtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyD0AtAzytCtAzzyEtG0FtB0BtAtGtDtDzy0FtGtB0EtC0FtGtAyD0Azz0C0DtA0B0ByB0FyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCtDtD0BtCzz0DtCtG0EyBtB0FtGyB0CtD0DtG0FzzzztAtGyB0FtDtAyE0EtAyB0C0AyDtB2Q&cr=1432851214&ir=
 
*************************
 
AdwCleaner[R0].txt - [9081 bytes] - [18/02/2015 18:32:05]
AdwCleaner[S0].txt - [8732 bytes] - [18/02/2015 18:33:57]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8791  bytes] ##########
 
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-02-2015 01
Ran by Robert W. Stone at 2015-02-18 19:48:33 Run:2
Running from C:\Users\Robert W. Stone\Desktop
Loaded Profiles: Robert W. Stone (Available profiles: Robert W. Stone)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKLM - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
Toolbar: HKLM-x32 - No Name - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} -  No File
Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
Toolbar: HKU\S-1-5-21-3276769357-4003064666-2680311057-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\...\Firefox\Extensions: [{8E3C10E3-9B89-B515-883F-0A45FF62B29F}] - C:\Program Files (x86)\BlockAndSurf-soft\161.xpi
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {F832FD77-7DC7-4B09-A049-4E36193E1CFC} - \ShopperPro No Task File <==== ATTENTION
Task: {B0158B93-1AA4-4817-9B6F-E24A8E247EA0} - \ShopperProJSUpd No Task File <==== ATTENTION
Task: {D1C97871-0807-43BD-819B-E1BE84F11226} - \TidyNetwork Update No Task File <==== ATTENTION
Task: {8060452E-4086-4342-B357-47393ED94B7A} - \SPDriver No Task File <==== ATTENTION
Task: {5AB63804-1180-4E59-8EED-7E20E097F6FE} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {39E8AB2F-86C0-4BBC-9FEB-695FF0C632CB} - System32\Tasks\LaunchApp => C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe <==== ATTENTION
Task: {01E9D17F-EDF7-4875-B286-B9E5CEB4C51C} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION
C:\Windows\System32\kckgxw.dll
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:D346F792
C:\Program Files (x86)\BlockAndSurf-soft
 
End
*****************
 
Processes closed successfully.
"HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} => Value not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC865B26-C31D-4D23-B17B-96548EEF03F6} => Key not found. 
HKCR\CLSID\{CC865B26-C31D-4D23-B17B-96548EEF03F6} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
"HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A2A31FE0-CB70-409D-B4CC-40DCDF880732} => value deleted successfully.
HKCR\CLSID\{A2A31FE0-CB70-409D-B4CC-40DCDF880732} => Key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{A2A31FE0-CB70-409D-B4CC-40DCDF880732} => value deleted successfully.
HKCR\Wow6432Node\CLSID\{A2A31FE0-CB70-409D-B4CC-40DCDF880732} => Key not found. 
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => value deleted successfully.
HKCR\CLSID\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => Key not found. 
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
HKU\S-1-5-21-3276769357-4003064666-2680311057-1000\Software\Mozilla\Firefox\Extensions\\{8E3C10E3-9B89-B515-883F-0A45FF62B29F} => value deleted successfully.
IntcAzAudAddService => Service deleted successfully.
Synth3dVsc => Service deleted successfully.
tsusbhub => Service deleted successfully.
VGPU => Service deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F832FD77-7DC7-4B09-A049-4E36193E1CFC} => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShopperPro => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0158B93-1AA4-4817-9B6F-E24A8E247EA0} => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShopperProJSUpd => Key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D1C97871-0807-43BD-819B-E1BE84F11226}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D1C97871-0807-43BD-819B-E1BE84F11226}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TidyNetwork Update" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8060452E-4086-4342-B357-47393ED94B7A} => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SPDriver => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5AB63804-1180-4E59-8EED-7E20E097F6FE} => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BrowserSafeguard Update Task => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{39E8AB2F-86C0-4BBC-9FEB-695FF0C632CB} => Key not found. 
C:\Windows\System32\Tasks\LaunchApp not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchApp => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{01E9D17F-EDF7-4875-B286-B9E5CEB4C51C} => Key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 => Key not found. 
C:\Windows\System32\kckgxw.dll => Moved successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
C:\ProgramData\TEMP => ":D346F792" ADS removed successfully.
"C:\Program Files (x86)\BlockAndSurf-soft" => File/Directory not found.
 
 
The system needed a reboot. 
 
==== End of Fixlog 19:48:35 ====
# AdwCleaner v4.111 - Logfile created 18/02/2015 at 19:56:14
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Robert W. Stone - DELL-1
# Running from : C:\Users\Robert W. Stone\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17631
 
 
-\\ Google Chrome v40.0.2214.111
 
 
*************************
 
AdwCleaner[R0].txt - [9081 bytes] - [18/02/2015 18:32:05]
AdwCleaner[R1].txt - [961 bytes] - [18/02/2015 19:54:26]
AdwCleaner[S0].txt - [8987 bytes] - [18/02/2015 18:33:57]
AdwCleaner[S1].txt - [891 bytes] - [18/02/2015 19:56:14]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [949  bytes] ##########
 
 
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:42 PM

Posted 19 February 2015 - 09:15 AM

Looking good.

One last check.

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

#5 gavtek303

gavtek303
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:42 AM

Posted 19 February 2015 - 01:25 PM

Here you go.  I just updated Google Chrome, btw.  Thanks!!

 

 Results of screen317's Security Check version 0.99.96  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
  Java 64-bit 8 Update 31  
 Adobe Reader XI  
 Google Chrome 33.0.1750.154 Google Chrome out of date!  
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast ng vbox\AvastVBoxSVC.exe 
 AVAST Software Avast avastui.exe  
 AVAST Software Avast ng ngservice.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 4% 
````````````````````End of Log`````````````````````` 
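The checkup.txt posted above is a small fixed-format report whose interesting lines are the status markers ("UAC is disabled!", "out of date!", "Enabled!", "up to date!"). The following is an added example, not part of the thread or of screen317's Security Check tool, that parses such a report section by section and reduces it to the list of findings a helper would ask the poster to fix. The sample input is constructed from the log above; the layout (section headers wrapped in backtick runs, the wording of the status markers) is assumed to hold for other runs of the tool.

```python
"""Turn a screen317 Security Check 'checkup.txt' into actionable findings.

Added example: not part of the thread or of the Security Check tool itself.
The layout (section headers wrapped in backticks, 'out of date!' and
'UAC is disabled!' markers) is assumed from the log posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


def _section(title: str, ticks: int = 14) -> str:
    """Build a backtick-wrapped section header like the tool prints."""
    return "`" * ticks + title + "`" * ticks


# Constructed sample, modelled line for line on the checkup.txt above.
SAMPLE_CHECKUP = "\n".join([
    " Results of screen317's Security Check version 0.99.96",
    " Windows 7 Service Pack 1 x64 (UAC is disabled!)",
    " Internet Explorer 11",
    _section("Antivirus/Firewall Check:"),
    " Windows Firewall Enabled!",
    "avast! Antivirus",
    " Antivirus up to date!",
    _section("Anti-malware/Other Utilities Check:", 9),
    "  Java 64-bit 8 Update 31",
    " Adobe Reader XI",
    " Google Chrome 33.0.1750.154 Google Chrome out of date!",
    _section("Process Check: objlist.exe by Laurent", 8),
    " AVAST Software Avast AvastSvc.exe",
    " AVAST Software Avast ng vbox\\AvastVBoxSVC.exe",
    " AVAST Software Avast avastui.exe",
    " AVAST Software Avast ng ngservice.exe",
    _section("System Health check", 17),
    " Total Fragmentation on Drive C: 4%",
    _section("End of Log", 20),
])

# A header is a run of backticks, a title (optionally ending in a colon),
# and another run of backticks.
SECTION_RE = re.compile(r"^`+(.*?):?`+$")


@dataclass
class CheckupReport:
    os_line: str = ""
    uac_disabled: bool = False
    firewall_enabled: bool = False
    antivirus: str = ""
    antivirus_up_to_date: bool = False
    outdated: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    fragmentation_pct: Optional[int] = None


def parse_checkup(text: str) -> CheckupReport:
    """Walk the report section by section and pull out the status fields."""
    report = CheckupReport()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "header" and line.startswith("Windows"):
            report.os_line = line
            report.uac_disabled = "UAC is disabled" in line
        elif section.startswith("Antivirus/Firewall"):
            if line.startswith("Windows Firewall"):
                report.firewall_enabled = "Enabled" in line
            elif line.startswith("Antivirus"):
                report.antivirus_up_to_date = "up to date" in line
            else:
                report.antivirus = line  # the product name line
        elif section.startswith("Anti-malware"):
            if "out of date" in line.lower():
                report.outdated.append(line)
        elif section.startswith("Process Check"):
            report.processes.append(line)
        elif section.startswith("System Health"):
            pct = re.search(r"(\d+)%", line)
            if pct:
                report.fragmentation_pct = int(pct.group(1))
    return report


def findings(report: CheckupReport) -> List[str]:
    """Reduce the parsed report to the items a helper would ask the poster to fix."""
    out = []
    if report.uac_disabled:
        out.append("UAC is disabled: re-enable User Account Control")
    if not report.firewall_enabled:
        out.append("Windows Firewall not reported as enabled")
    if not report.antivirus:
        out.append("No antivirus product reported")
    elif not report.antivirus_up_to_date:
        out.append(f"{report.antivirus}: definitions not reported up to date")
    for line in report.outdated:
        out.append("Out-of-date software: " + line)
    return out


if __name__ == "__main__":
    for item in findings(parse_checkup(SAMPLE_CHECKUP)):
        print("-", item)
```

Run against the sample above it yields two findings: UAC is disabled, and Google Chrome is out of date, which is exactly what the posted log flags (the poster updated Chrome afterwards). The section headers are matched by shape rather than by a fixed list, so an unfamiliar section simply falls through without being misread.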


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:42 PM

Posted 19 February 2015 - 02:06 PM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 gavtek303

gavtek303
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:42 AM

Posted 19 February 2015 - 02:14 PM

I had time to do various local and network activities for about 30 mins. No problems whatsoever. Thanks a ton for the guidance. :)

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:42 PM

Posted 20 February 2015 - 08:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



