
Warning! Security threat detected... Help requested please.


9 replies to this topic

#1 Friar K

Posted 25 February 2015 - 01:00 PM

My browsing is being interrupted by

1) a "you are infected" type webpage that won't close
2) a popup telling me to call a certain number as soon as possible for tech support
3) an audio message telling me to call the number

I contracted this virus a month or two ago and thought I had gotten rid of it by setting up a new user account and deleting the old. Not so.

I also know exactly how I got this virus. I downloaded it and installed it! I followed a search result for a free book, let's call it Introduction to Nutrition, for download as a pdf. The download turned out to be an executable called (for instance) Intro_to_Nutrition_free_download.exe. I bit. After the fact, I figured out that this file name was custom tailored to my wishful gullibility. Once installed, it replaced the homepages on all three of my browsers and flooded every page I visited with ads and links to all sorts of bogus products. Even Wikipedia was affected. As above, I created a new user and deleted the old. That proved to be an incomplete solution. I no longer have the ads, but I still get the security warning phishing attacks.

No need to berate for the naiveté which led me to install it, nor to reprimand for the amateurish attempts at correcting it. I got it.

Help would be appreciated. Thank you in advance.


Edited by Friar K, 25 February 2015 - 01:01 PM.




#2 boopme (Global Moderator)

Posted 25 February 2015 - 02:37 PM

Hello, we do not want to beat you down; we are here for novice and advanced alike. I would like you to add a log to this post though.
Please follow this Preparation Guide and add that log here in your next reply.

#3 Friar K (Topic Starter)

Posted 26 February 2015 - 02:12 PM

Hi BoopMe,

The logs follow. I appreciate your help.

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-02-2015 01
Ran by Karulus (administrator) on KARULUS on 26-02-2015 14:00:50
Running from C:\Users\Karulus\Desktop
Loaded Profiles: UpdatusUser & Karulus (Available profiles: UpdatusUser & Karulus)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(Aventail Corporation) C:\Windows\System32\ngvpnmgr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(HP) C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Dropbox, Inc.) C:\Users\Karulus\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(NEC Electronics Corporation) C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(NeoAccel, Inc.) C:\Windows\SysWOW64\NeoSrv.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Horizon View Client\wsnm\wsnm.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_305_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NVRaidService] => C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe [291944 2010-04-09] (NVIDIA Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [EfficientNotesFree] => [X]
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [106496 2009-10-21] (NEC Electronics Corporation)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2012-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-12] (Logitech Inc.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\Karulus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Karulus\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Karulus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Karulus\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-764693056-2444684231-2589218162-1006\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?gws_rd=ssl
HKU\S-1-5-21-764693056-2444684231-2589218162-1006\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-764693056-2444684231-2589218162-1006\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://cronometer.com/#trends
https://athenanet.athenahealth.com/1/1/login.esp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-764693056-2444684231-2589218162-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-764693056-2444684231-2589218162-1006 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-764693056-2444684231-2589218162-1006 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM {3330F262-2C25-44C5-9D0E-CD11E45B06F3} https://my.columbusregional.com/go/crhsswcswr01.columbusregional.com~ssl/cabs/swr-X64.cab
DPF: HKLM-x32 {3330F262-2C25-44C5-9D0E-CD11E45B06F3} https://crhsswcswr01.columbusregional.com/cabs/swr.cab
DPF: HKLM-x32 {37BEFE03-C1D7-4154-BC83-65402FC4EF08} https://athenanet.athenahealth.com/static_20131119/InkOverlay.CAB
DPF: HKLM-x32 {832B4EED-7115-41CB-9A87-993F5C1545E4} https://athenanet.athenahealth.com/static_20131008/LibCheck.CAB
DPF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.76.84.102 75.76.84.103
Tcpip\..\Interfaces\{F6DEE9A1-3D73-472C-9289-2BA58F1625CF}: [NameServer] 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\Karulus\AppData\Roaming\Mozilla\Firefox\Profiles\7y2sg0w2.default
FF DefaultSearchEngine: Google
FF Homepage: https://translate.google.com/|hxxp://es.forvo.com/|hxxp://www.verbix.com/|hxxp://www.spanishdict.com/|hxxp://www.larousse.com/en/dictionaries/french-english/godiche/37348|hxxp://www.cnrtl.fr/definition/|hxxp://www.almaany.com/home.php|hxxp://www.wordreference.com/aren/
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.11.2 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR StartupUrls: Default -> "https://www.edx.org/", "https://www.coursera.org/", "hxxp://www.italki.com/", "https://www.auanet.org/login/?refer=/education/ju.cfm?", "https://expertconsult.inkling.com/read/", "https://play.spotify.com/discover"
CHR Profile: C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-24]
CHR Extension: (Google Docs) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-24]
CHR Extension: (Google Drive) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-24]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-24]
CHR Extension: (YouTube) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-24]
CHR Extension: (Google Search) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-24]
CHR Extension: (Google Sheets) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-24]
CHR Extension: (Google Wallet) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-24]
CHR Extension: (Gmail) - C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-24]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-02-14] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-23] (Creative Technology Ltd) [File not signed]
R2 HPM1210RcvFaxSrvc; C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [361888 2012-07-25] (HP)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R2 NgVpnMgr; C:\Windows\system32\ngvpnmgr.exe [436296 2010-02-02] (Aventail Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [60416 2009-06-22] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SSL VPN-Plus Service; C:\Windows\SysWOW64\NeoSrv.exe [136760 2008-09-18] (NeoAccel, Inc.) [File not signed]
R2 vmware-view-usbd; C:\Program Files (x86)\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe [1148120 2014-06-06] (VMware, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 wsnm; C:\Program Files (x86)\VMware\VMware Horizon View Client\wsnm\wsnm.exe [528600 2014-06-09] (VMware, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 HP1210FAX; C:\Windows\System32\Drivers\HPM1210FAX.sys [16896 2012-11-07] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-17] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2012-12-24] (Marvell Semiconductor, Inc.)
R3 NeoAccel; C:\Windows\System32\DRIVERS\NeoAccel.sys [551448 2008-09-18] (NeoAccel, Inc.) [File not signed]
S3 NgFilter; C:\Windows\System32\DRIVERS\ngfilter.sys [25672 2010-02-02] (Aventail Corporation)
R3 NgLog; C:\Windows\System32\DRIVERS\nglog.sys [31304 2010-02-02] (Aventail Corporation)
R3 NgVpn; C:\Windows\System32\DRIVERS\ngvpn.sys [102984 2010-02-02] (Aventail Corporation)
R3 NgWfp; C:\Windows\System32\DRIVERS\ngwfp.sys [28744 2010-02-02] (Aventail Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-26 14:00 - 2015-02-26 14:01 - 00022436 _____ () C:\Users\Karulus\Desktop\FRST.txt
2015-02-26 14:00 - 2015-02-26 14:00 - 00000000 ____D () C:\Users\Karulus\Desktop\FRST-OlderVersion
2015-02-25 13:14 - 2015-02-25 13:14 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{8AE0DB98-CC26-4ACE-95A5-7B678A45B390}
2015-02-24 10:11 - 2015-02-24 10:12 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{95024D87-AB35-4204-979D-4C0A839B2CAA}
2015-02-20 16:23 - 2015-02-20 16:23 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{939926DD-27F8-4284-8E23-9DCA26B3AD03}
2015-02-19 16:58 - 2015-02-19 16:58 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{543DF896-CA85-4286-9931-4036B57BACAC}
2015-02-18 09:39 - 2015-02-18 09:39 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{1E7EE525-5FFB-43E4-8FA4-E648454131A0}
2015-02-17 13:14 - 2015-02-17 13:22 - 00000000 ____D () C:\AdwCleaner
2015-02-16 17:40 - 2015-02-16 17:40 - 00000000 ____D () C:\Users\Karulus\Documents\OneNote Notebooks
2015-02-11 10:25 - 2015-02-11 10:25 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{E66BC0E7-A26F-45E5-AC5E-EBD55C90ECA5}
2015-02-10 15:17 - 2015-02-26 14:00 - 02087936 _____ (Farbar) C:\Users\Karulus\Desktop\FRST64.exe
2015-02-10 15:14 - 2015-02-26 14:00 - 00000000 ____D () C:\FRST
2015-02-10 15:12 - 2015-02-10 15:12 - 00007648 _____ () C:\Users\Karulus\AppData\Local\Resmon.ResmonCfg
2015-02-10 14:49 - 2015-02-10 14:49 - 00000372 _____ () C:\Windows\PFRO.log
2015-02-10 14:23 - 2015-02-17 12:51 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-10 14:23 - 2015-02-10 14:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-10 14:23 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-10 14:23 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-10 14:23 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-10 10:14 - 2015-02-10 10:14 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{B40A2831-775B-4F94-89ED-C4FF527F1AB2}
2015-02-05 13:40 - 2015-02-05 13:40 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{2FE6FF74-DE28-4F61-8B0A-95E1DC21BF59}
2015-02-04 10:27 - 2015-02-04 10:27 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{43EDA6F5-F5F3-4AD2-A23D-408F9B42FF06}
2015-02-03 12:31 - 2015-02-03 12:31 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{76CBFB49-706E-4A8A-A836-F8F7197C22D5}
2015-01-30 10:08 - 2015-01-30 10:08 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{AFFAEE79-82AE-4017-BBB4-AE02D58F183E}
2015-01-29 14:27 - 2015-01-29 14:27 - 00000000 ____D () C:\Users\Karulus\Documents\EfficientPIM Backup
2015-01-29 09:04 - 2015-01-29 10:35 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\Jarte
2015-01-29 09:04 - 2015-01-29 09:04 - 00000000 ____D () C:\Program Files (x86)\Jarte
2015-01-29 08:56 - 2015-01-29 08:57 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{67B12253-2BA1-4750-A07A-B9DB2255D1EF}
2015-01-29 08:56 - 2015-01-29 08:57 - 00000000 ____D () C:\Users\Karulus\AppData\Local\{2D65BC4D-2C89-4051-AE03-AF6A3FC31853}
2015-01-28 12:12 - 2015-01-28 12:12 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\NVIDIA
2015-01-28 08:48 - 2015-02-26 13:24 - 00001568 _____ () C:\Windows\setupact.log
2015-01-28 08:48 - 2015-01-28 08:48 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-27 16:26 - 2015-01-27 16:26 - 00000000 ____D () C:\Users\Karulus\.xy
2015-01-27 16:26 - 2015-01-27 16:26 - 00000000 ____D () C:\Users\Karulus\.spyder2
2015-01-27 16:26 - 2015-01-27 16:26 - 00000000 ____D () C:\Users\Karulus\.matplotlib

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-26 13:36 - 2012-02-13 14:07 - 02001416 _____ () C:\Windows\WindowsUpdate.log
2015-02-26 13:31 - 2009-07-13 23:45 - 00021888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-26 13:31 - 2009-07-13 23:45 - 00021888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-26 13:24 - 2015-01-26 08:51 - 00000000 ___RD () C:\Users\Karulus\Dropbox
2015-02-26 13:24 - 2015-01-26 08:47 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\Dropbox
2015-02-26 13:24 - 2013-08-04 10:15 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-26 13:24 - 2012-02-13 11:50 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-26 13:24 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-25 14:09 - 2013-09-27 12:40 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-25 14:05 - 2013-08-04 10:15 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-25 14:05 - 2012-03-01 20:52 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-764693056-2444684231-2589218162-1001UA.job
2015-02-25 14:05 - 2012-03-01 20:52 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-764693056-2444684231-2589218162-1001Core.job
2015-02-25 13:11 - 2015-01-24 10:53 - 00000000 ____D () C:\Users\Karulus\Documents\EfficientPIM AutoBackup
2015-02-24 18:15 - 2015-01-26 09:03 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\.anki
2015-02-17 12:48 - 2015-01-23 17:55 - 00000000 ___RD () C:\Users\Karulus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-17 12:48 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-16 18:03 - 2013-04-30 11:54 - 00000000 ____D () C:\Ztemp
2015-02-16 17:40 - 2012-02-18 16:02 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Office
2015-02-16 17:39 - 2012-02-18 16:02 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet
2015-02-13 14:12 - 2015-01-26 08:51 - 00001022 _____ () C:\Users\Karulus\Desktop\Dropbox.lnk
2015-02-05 13:09 - 2013-09-27 12:40 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-05 13:09 - 2012-07-24 12:05 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 13:09 - 2012-02-21 00:55 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-29 14:28 - 2015-01-24 10:52 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\Efficient Notes Free
2015-01-29 09:54 - 2015-01-26 09:12 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\Windows Live Writer
2015-01-29 08:56 - 2015-01-26 09:13 - 00000000 ____D () C:\Users\Karulus\AppData\Local\Windows Live
2015-01-28 12:12 - 2015-01-24 10:38 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\Adobe
2015-01-28 12:12 - 2015-01-24 10:38 - 00000000 ____D () C:\Users\Karulus\AppData\Local\Adobe
2015-01-27 16:26 - 2015-01-23 17:55 - 00000000 ____D () C:\Users\Karulus
2015-01-27 15:34 - 2015-01-24 10:37 - 00000000 ____D () C:\Users\Karulus\AppData\Local\VirtualStore

==================== Files in the root of some directories =======

2015-02-10 15:12 - 2015-02-10 15:12 - 0007648 _____ () C:\Users\Karulus\AppData\Local\Resmon.ResmonCfg

Some content of TEMP:
====================
C:\Users\Karulus\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwwaaa.dll
C:\Users\Karulus\AppData\Local\Temp\Quarantine.exe
C:\Users\Karulus\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-23 13:45

==================== End Of Log ============================

Edited by Friar K, 26 February 2015 - 02:15 PM.
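The FRST output quoted above uses a fixed line layout (modified time, created time, size, attribute flags, publisher in parentheses, path), and the "Bamital & volsnap Check" section lists one path and one status per line. As an added example, not part of this thread and not code from FRST itself, here is a small Python triage parser for those two layouts that pulls out the entries an analyst would want to look at first: executables with no publisher string, anything under a Temp directory, executables in user-writable paths, and system files whose check did not come back as "File is digitally signed". The sample lines are constructed to match the format shown above (the Quarantine.exe dates and the failed-signature line are invented for the example), and the flag rules are this example's own assumptions, not FRST's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Line layout of the FRST "One Month Modified" / "Files in the root" sections:
# <modified> - <created> - <size> <attrs> (<publisher>) <path>
FRST_FILE_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
SIGNED_OK = "File is digitally signed"          # status string seen in the log above
EXEC_EXT = {".exe", ".dll", ".sys", ".cpl", ".scr"}

# Constructed sample in the same layout as the log above. The Quarantine.exe
# timestamps and size are invented for this example.
SAMPLE_FILES = r"""
2015-02-05 13:09 - 2012-07-24 12:05 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-26 13:24 - 2015-01-26 08:47 - 00000000 ____D () C:\Users\Karulus\AppData\Roaming\Dropbox
2015-02-10 15:12 - 2015-02-10 15:12 - 0007648 _____ () C:\Users\Karulus\AppData\Local\Resmon.ResmonCfg
2015-02-20 09:00 - 2015-02-20 09:00 - 00043520 _____ () C:\Users\Karulus\AppData\Local\Temp\Quarantine.exe
"""

# Constructed sample of the signature-check section. The second line and its
# status wording are hypothetical; the log above only shows passing checks.
SAMPLE_SIGCHECK = r"""
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\hypothetical_unsigned.dll => File is not signed
"""


@dataclass
class FrstEntry:
    modified: str
    created: str
    size: int
    attrs: str
    company: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        # FRST marks directories with a D in the five-character attribute field.
        return "D" in self.attrs


def triage(e: FrstEntry) -> List[str]:
    """Example heuristics (assumptions of this example) for which entries to review first."""
    flags = []
    lower = e.path.lower()
    name = lower.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    executable = not e.is_dir and ext in EXEC_EXT
    if executable and not e.company:
        flags.append("executable without publisher info")
    if "\\temp\\" in lower:
        flags.append("lives in a temp directory")
    if executable and lower.startswith("c:\\users\\"):
        flags.append("executable in a user-writable location")
    return flags


def parse_file_lines(text: str) -> List[FrstEntry]:
    """Parse every line in the file-list layout; headers and other layouts are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_FILE_LINE.match(line.strip())
        if not m:
            continue
        e = FrstEntry(m["modified"], m["created"], int(m["size"]),
                      m["attrs"], m["company"], m["path"])
        e.flags = triage(e)
        entries.append(e)
    return entries


def failed_signature_checks(text: str) -> List[Tuple[str, str]]:
    """Return (path, status) for every check line whose status is not the passing one."""
    failures = []
    for line in text.splitlines():
        if " => " not in line:
            continue
        path, status = line.split(" => ", 1)
        if status.strip() != SIGNED_OK:
            failures.append((path.strip(), status.strip()))
    return failures


if __name__ == "__main__":
    for entry in parse_file_lines(SAMPLE_FILES):
        if entry.flags:
            print(f"{entry.path}: {', '.join(entry.flags)}")
    for path, status in failed_signature_checks(SAMPLE_SIGCHECK):
        print(f"REVIEW {path}: {status}")
```

Feed the script a real FRST.txt by reading the file into a string and passing it to both functions; lines in other sections simply fail the regex and are ignored, so no section slicing is needed.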


#4 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 02 March 2015 - 10:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [EfficientNotesFree] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-764693056-2444684231-2589218162-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
Toolbar: HKU\S-1-5-21-764693056-2444684231-2589218162-1006 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
AlternateDataStreams: C:\Users\Karulus\Favorites:com.dropbox.attributes
C:\Users\Karulus\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwwaaa.dll

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click the "Reset browser settings" button.
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is the computer running now?

#5 Friar K
  • Topic Starter

Posted 03 March 2015 - 02:15 PM
Hi, nasdaq. Thank you for your help.

FixLog.txt from FRST64.exe:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-03-2015
Ran by Karulus at 2015-03-03 13:08:14 Run:1
Running from C:\Users\Karulus\Desktop
Loaded Profiles: UpdatusUser & Karulus (Available profiles: UpdatusUser & Karulus)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [EfficientNotesFree] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-764693056-2444684231-2589218162-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
Toolbar: HKU\S-1-5-21-764693056-2444684231-2589218162-1006 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
AlternateDataStreams: C:\Users\Karulus\Favorites:com.dropbox.attributes
C:\Users\Karulus\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwwaaa.dll

End
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\EfficientNotesFree => value deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-764693056-2444684231-2589218162-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
HKU\S-1-5-21-764693056-2444684231-2589218162-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
lmimirr => Service deleted successfully.
VGPU => Service deleted successfully.
C:\Users\Karulus\Favorites => ":com.dropbox.attributes" ADS removed successfully.
"C:\Users\Karulus\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwwaaa.dll" => File/Directory not found.

The system needed a reboot.

==== End of Fixlog 13:08:15 ====


AdwCleaner Log:

# AdwCleaner v4.111 - Logfile created 03/03/2015 at 13:54:27
# Updated 18/02/2015 by Xplode
# Database : 2015-03-02.3 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Karulus - KARULUS
# Running from : C:\Users\Karulus\Desktop\adwcleaner_4.111.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

[x] Not Deleted : C:\Program Files (x86)\GreenTree Applications

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

-\\ Mozilla Firefox v34.0.5 (x86 en-US)

-\\ Google Chrome v40.0.2214.115

[C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Karulus\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2284 bytes] - [17/02/2015 13:14:37]
AdwCleaner[R1].txt - [1505 bytes] - [03/03/2015 13:48:18]
AdwCleaner[S0].txt - [2387 bytes] - [17/02/2015 13:22:28]
AdwCleaner[S1].txt - [1445 bytes] - [03/03/2015 13:54:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1504  bytes] ##########


N. B. - The program that I chose not to delete at C:\Program Files (x86)\GreenTree Applications is ytd.exe (Youtube Downloader) originally acquired from Cnet's Download.com. It has been on my computer since 9/3/2013.

My computer seems to be running fine immediately after this intervention. However, it ran fine for 2-3 weeks after my original attempt to rid myself of the problem by creating a new user account and deleting the old. When the problem recurred, it was only interrupting my browsing now and then. I don't do a lot of web surfing so I think that only time will tell whether the problem is indeed gone.

Cordially,

Friar K



#6 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 04 March 2015 - 08:19 AM
One last scan.

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#7 Friar K
  • Topic Starter

Posted 04 March 2015 - 11:03 AM
checkup.txt

Results of screen317's Security Check version 0.99.97 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Python 2.7 - spyder 2.1.11
 Spybot - Search & Destroy
 Java 2 Runtime Environment Standard Edition v1.3.1
 Java 7 Update 15 
 Java 2 Runtime Environment, SE v1.4.2_19
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31 
 Mozilla Firefox 34.0.5 Firefox out of Date! 
 Google Chrome (40.0.2214.115)
 Google Chrome (40.0.2214.91)
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
#8 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 04 March 2015 - 02:25 PM
Using the Add/Remove Programs applet delete these old versions of Java.

Java 2 Runtime Environment Standard Edition v1.3.1
Java 7 Update 15
Java 2 Runtime Environment, SE v1.4.2_19


===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 Friar K
  • Topic Starter

Posted 07 March 2015 - 10:26 AM
Hi nasdaq,

Sorry to be so slow getting back to you. I have uninstalled the components listed above. My computer seems to be running fine. Time will tell. Thank you again for your help.

Cordially



#10 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 07 March 2015 - 01:49 PM
It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



