Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Audio ads turn on at random times


  • This topic is locked This topic is locked
5 replies to this topic

#1 sickofMalware

sickofMalware

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:07 AM

Posted 21 February 2015 - 11:14 AM

At random times I get audio on my computer for different ads.

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-02-2015
Ran by Joe (administrator) on JOEWPC01 on 21-02-2015 10:07:58
Running from C:\Users\Joe\Downloads
Loaded Profiles: Joe (Available profiles: Joe)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10920552 2010-06-22] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-05-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [HelpUninstaller.exe] => C:\Program Files (x86)\HelpUninstaller\HelpUninstaller.exe
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe Run
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-09-14] (Apple Inc.)
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-09-15] (Apple Inc.)
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566984 2014-04-25] (Safer-Networking Ltd.)
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [SpeedTray] => C:\Users\Joe\AppData\Roaming\SpeedTray\speedtray.exe [725518 2014-12-15] ()
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Policies\system: [DisableLockWorkstation] 0

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-828968764-1541117654-822748094-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-02-17] (SurfRight B.V.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AX88772; C:\Windows\System32\DRIVERS\ax88772.sys [73216 2013-11-02] (ASIX Electronics Corp.) [File not signed]
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-21] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
R3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [11264 2009-07-24] (Primax Ltd)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2013-11-02] ()
S3 __FOX__UNI_DRIVER__; \??\C:\Users\Joe\AppData\Local\Temp\FoxG1Driver.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-21 10:07 - 2015-02-21 10:08 - 00009594 _____ () C:\Users\Joe\Downloads\FRST.txt
2015-02-21 10:07 - 2015-02-21 10:07 - 00000000 ____D () C:\FRST
2015-02-21 10:06 - 2015-02-21 10:06 - 02086912 _____ (Farbar) C:\Users\Joe\Downloads\FRST64.exe
2015-02-19 20:00 - 2015-02-21 09:58 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-19 19:41 - 2015-02-19 19:41 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-19 19:41 - 2015-02-19 19:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-19 19:41 - 2015-02-19 19:41 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-19 19:41 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-19 19:41 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-19 19:41 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-19 19:38 - 2015-02-19 19:41 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Joe\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-19 19:37 - 2015-02-19 19:37 - 02126848 _____ () C:\Users\Joe\Downloads\AdwCleaner.exe
2015-02-19 19:27 - 2015-02-19 19:27 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-02-19 19:26 - 2015-02-19 19:26 - 02347384 _____ (ESET) C:\Users\Joe\Downloads\esetsmartinstaller_enu.exe
2015-02-19 19:13 - 2015-02-21 09:54 - 00000000 ____D () C:\AdwCleaner
2015-02-15 13:08 - 2015-01-22 22:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-15 13:08 - 2015-01-22 22:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-15 13:08 - 2015-01-22 21:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-15 13:08 - 2015-01-22 21:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-13 17:49 - 2015-01-08 21:14 - 00950272 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-13 17:49 - 2015-01-08 21:14 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-13 17:49 - 2015-01-08 21:14 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-13 17:49 - 2015-01-08 20:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdi.dll
2015-02-13 17:39 - 2015-01-13 23:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-13 17:39 - 2015-01-13 23:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-13 17:39 - 2015-01-11 21:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-13 17:39 - 2015-01-11 21:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-13 17:39 - 2015-01-11 21:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-13 17:39 - 2015-01-11 20:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-13 17:39 - 2015-01-11 20:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-13 17:39 - 2015-01-11 20:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-13 17:39 - 2015-01-11 20:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-13 17:39 - 2015-01-11 20:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-13 17:39 - 2015-01-11 20:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-13 17:39 - 2015-01-11 20:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-13 17:39 - 2015-01-11 20:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-13 17:39 - 2015-01-11 20:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-13 17:39 - 2015-01-11 20:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-13 17:39 - 2015-01-11 20:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-13 17:39 - 2015-01-11 20:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-13 17:39 - 2015-01-11 20:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-13 17:39 - 2015-01-11 20:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-13 17:39 - 2015-01-11 20:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-13 17:39 - 2015-01-11 20:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-13 17:39 - 2015-01-11 20:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-13 17:39 - 2015-01-11 20:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-13 17:39 - 2015-01-11 20:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-13 17:39 - 2015-01-11 20:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-13 17:39 - 2015-01-11 20:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-13 17:39 - 2015-01-11 20:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-13 17:39 - 2015-01-11 20:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-13 17:39 - 2015-01-11 20:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-13 17:39 - 2015-01-11 19:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-13 17:39 - 2015-01-11 19:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-13 17:39 - 2015-01-11 19:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-13 17:39 - 2015-01-11 19:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-13 17:39 - 2015-01-11 19:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-13 17:39 - 2015-01-11 19:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-13 17:39 - 2015-01-11 19:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-13 17:39 - 2015-01-11 19:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-13 17:39 - 2015-01-11 19:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-13 17:39 - 2015-01-11 19:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-13 17:39 - 2015-01-11 19:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-13 17:39 - 2015-01-11 19:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-13 17:39 - 2015-01-11 19:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-13 17:39 - 2015-01-11 19:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-13 17:39 - 2015-01-11 19:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-13 17:39 - 2015-01-11 19:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-13 17:39 - 2015-01-11 19:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-13 17:39 - 2015-01-11 19:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-13 17:39 - 2015-01-11 19:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-13 17:39 - 2015-01-11 19:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-13 17:39 - 2015-01-11 19:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-13 17:39 - 2015-01-11 18:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-13 17:39 - 2015-01-11 18:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 18:54 - 2015-01-15 02:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 18:54 - 2015-01-15 02:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 18:54 - 2015-01-15 02:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 18:54 - 2015-01-15 02:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 18:54 - 2015-01-15 02:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 18:54 - 2015-01-15 02:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 18:54 - 2015-01-15 02:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 18:54 - 2015-01-15 02:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 18:54 - 2015-01-15 02:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 18:54 - 2015-01-15 02:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 18:54 - 2015-01-15 02:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 18:54 - 2015-01-15 01:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-11 18:54 - 2015-01-15 01:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 18:54 - 2015-01-15 01:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-11 18:54 - 2015-01-15 01:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 18:54 - 2015-01-15 01:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-11 18:54 - 2015-01-15 01:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 18:54 - 2015-01-14 22:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 18:54 - 2015-01-10 00:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 18:54 - 2015-01-10 00:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 18:54 - 2015-01-10 00:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 18:54 - 2015-01-10 00:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 18:54 - 2015-01-10 00:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 18:54 - 2015-01-10 00:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 18:54 - 2015-01-10 00:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-11 18:54 - 2015-01-10 00:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-11 18:48 - 2015-01-12 21:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 18:48 - 2015-01-12 20:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 18:47 - 2014-12-11 23:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-11 18:47 - 2014-12-11 23:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-11 18:45 - 2014-11-25 21:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 18:45 - 2014-11-25 21:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 18:44 - 2015-01-14 00:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 18:44 - 2015-01-14 00:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-11 18:44 - 2015-01-14 00:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-11 18:44 - 2015-01-14 00:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-11 18:44 - 2015-01-13 23:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-11 18:44 - 2015-01-13 23:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-11 18:44 - 2015-01-13 23:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-11 18:44 - 2014-12-07 21:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 18:44 - 2014-12-07 20:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-10 19:49 - 2015-01-08 20:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-01 12:21 - 2015-02-01 12:21 - 00022326 _____ () C:\Users\Joe\Documents\HitmanPro_20150201_1221.log
2015-02-01 12:19 - 2015-02-01 12:19 - 00001893 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
2015-02-01 12:19 - 2015-02-01 12:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-02-01 12:19 - 2015-02-01 12:19 - 00000000 ____D () C:\Program Files\HitmanPro
2015-02-01 12:18 - 2015-02-01 12:21 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-02-01 12:17 - 2015-02-01 12:18 - 11225840 _____ (SurfRight B.V.) C:\Users\Joe\Downloads\HitmanPro_x64.exe
2015-01-31 06:54 - 2015-01-31 06:54 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-31 06:50 - 2015-01-31 06:53 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Joe\Downloads\mbam-setup-2.0.4.1028 (1).exe
2015-01-31 06:49 - 2015-01-31 06:49 - 00321848 _____ (Malwarebytes Corporation) C:\Users\Joe\Downloads\mbam-clean-2.1.1.1001.exe
2015-01-31 06:38 - 2015-01-31 06:38 - 00000000 ____D () C:\Rbackup
2015-01-31 06:31 - 2015-01-31 06:31 - 00000042 _____ () C:\Windows\SysWOW64\AK083E209605E394C.lie
2015-01-25 06:40 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-25 06:40 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-25 06:40 - 2014-12-11 11:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-25 06:40 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-25 06:40 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-25 06:40 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-25 06:39 - 2015-01-25 06:39 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-21 09:23 - 2009-07-13 22:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-21 09:23 - 2009-07-13 22:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-21 09:22 - 2009-07-13 23:13 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-21 09:19 - 2013-11-02 11:14 - 01976330 _____ () C:\Windows\WindowsUpdate.log
2015-02-21 09:16 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-21 09:16 - 2009-07-13 22:51 - 00042096 _____ () C:\Windows\setupact.log
2015-02-19 20:12 - 2013-11-02 17:27 - 00131532 _____ () C:\Windows\PFRO.log
2015-02-14 12:00 - 2014-04-29 19:21 - 00000000 ____D () C:\Program Files (x86)\Google
2015-02-14 12:00 - 2014-04-29 19:20 - 00000000 ____D () C:\Users\Joe\AppData\Local\Google
2015-02-14 10:03 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\rescache
2015-02-14 09:35 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\tracing
2015-02-13 17:36 - 2009-07-13 22:45 - 00416624 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 19:14 - 2013-11-10 06:27 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-11 19:13 - 2013-11-02 16:56 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-02-11 19:13 - 2013-11-02 16:56 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-02-11 19:13 - 2013-11-02 16:56 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-02-11 19:13 - 2013-11-02 16:56 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2015-02-11 18:46 - 2009-07-13 20:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-10 19:50 - 2013-11-06 17:29 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-10 19:49 - 2013-11-06 17:29 - 116773704 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-31 05:37 - 2014-12-05 16:38 - 00073728 _____ () C:\Windows\SysWOW64\tasks.dll
2015-01-25 08:31 - 2014-12-06 08:22 - 00128210 _____ () C:\Windows\wininit.ini
2015-01-25 08:07 - 2014-05-06 18:57 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-01-25 06:36 - 2014-05-06 18:57 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-01-25 06:36 - 2013-11-02 11:14 - 00000000 ____D () C:\Users\Joe
2015-01-25 06:36 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\registration
2015-01-25 06:36 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\AppCompat

==================== Files in the root of some directories =======

2013-11-16 10:57 - 2013-11-16 10:57 - 0007598 _____ () C:\Users\Joe\AppData\Local\Resmon.ResmonCfg

Some content of TEMP:
====================
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe
C:\Users\Joe\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-14 09:56

==================== End Of Log ============================

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:07 AM

Posted 26 February 2015 - 09:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [SpeedTray] => C:\Users\Joe\AppData\Roaming\SpeedTray\speedtray.exe [725518 2014-12-15] ()
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 __FOX__UNI_DRIVER__; \??\C:\Users\Joe\AppData\Local\Temp\FoxG1Driver.sys [X]
Task: {1F4BCB8A-0740-47AA-844D-F4FE32977D53} - \GPUP No Task File <==== ATTENTION
C:\Users\Joe\AppData\Roaming\SpeedTray

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Clean your Java cache.
https://www.java.com/en/download/help/plugin_cache.xml

===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

How is the computer running now?

#3 sickofMalware

sickofMalware
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:07 AM

Posted 27 February 2015 - 08:58 PM

 
nasdaq,
 
I have not heard any ads as I was performing all these scans.  Normally I would have by now.  
 
Thank you for the fast response,
 
 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Joe at 2015-02-27 19:38:59 Run:1
Running from C:\Users\Joe\Downloads
Loaded Profiles: Joe (Available profiles: Joe)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-828968764-1541117654-822748094-1000\...\Run: [SpeedTray] => C:\Users\Joe\AppData\Roaming\SpeedTray\speedtray.exe [725518 2014-12-15] ()
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 __FOX__UNI_DRIVER__; \??\C:\Users\Joe\AppData\Local\Temp\FoxG1Driver.sys [X]
Task: {1F4BCB8A-0740-47AA-844D-F4FE32977D53} - \GPUP No Task File <==== ATTENTION
C:\Users\Joe\AppData\Roaming\SpeedTray
 
End
*****************
 
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key deleted successfully.
HKU\S-1-5-21-828968764-1541117654-822748094-1000\Software\Microsoft\Windows\CurrentVersion\Run\\SpeedTray => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
__FOX__UNI_DRIVER__ => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1F4BCB8A-0740-47AA-844D-F4FE32977D53}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1F4BCB8A-0740-47AA-844D-F4FE32977D53}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GPUP" => Key deleted successfully.
C:\Users\Joe\AppData\Roaming\SpeedTray => Moved successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 19:38:59 ====
 
 
Checkup.txt
 
Results of screen317's Security Check version 0.99.97  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
  Java 64-bit 8 Update 31  
 Adobe Reader XI  
 Google Chrome (40.0.2214.115) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Spybot Teatimer.exe is disabled! 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 7% 
````````````````````End of Log`````````````````````` 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:07 AM

Posted 28 February 2015 - 09:59 AM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 sickofMalware

sickofMalware
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:07 AM

Posted 28 February 2015 - 02:03 PM

All is well

 

Thank you 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:07 AM

Posted 01 March 2015 - 08:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users