
Multiple IE Instances. Page Click Generator.


This topic is locked. 3 replies to this topic.

#1 thekingof7 (Members, 24 posts)

Posted 12 March 2015 - 05:07 PM

Greetings, I am running Windows 7 Professional. Recently I have noticed at least 7 IEXPLORE processes running in the background. Each process refers to a clickbait website and has not been told to run by myself. From digging around my APPDATA/Local folder I have noticed several odd folders which are "in use" or regenerate once deleted. I also noticed that something was hiding behind a fake vmware process. I have since removed my legitimate copy of vmware to ensure this is not legitimate behavior.

I have run Malwarebytes and Microsoft Security Essentials. Spyware found nothing.

Here is the log. Good luck and much appreciated if anyone can make anything from this.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by ASUS (administrator) on ASUS-PC on 12-03-2015 17:01:40
Running from C:\Users\ASUS\Downloads
Loaded Profiles: ASUS (Available profiles: ASUS)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\core\capiws.exe
(MagicISO, Inc.) C:\Program Files (x86)\MagicDisc\MagicDisc.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
() C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\core\ovpntray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
() C:\Users\ASUS\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Foxit Corporation) C:\Users\ASUS\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM\...\Policies\Explorer\Run: [1940980912] => C:\ProgramData\msmncer.exe [16896 2010-11-20] ( ())
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-4079408830-522228229-893750029-1000\...\Run: [GoogleUpdate] => C:\Users\ASUS\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe [14993508 2015-03-12] ()
HKU\S-1-5-21-4079408830-522228229-893750029-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
Startup: C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [0WinSecurityProvider] -> {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} => C:\ProgramData\Microsoft\Security\Client\SecurityProvider.dll ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-4079408830-522228229-893750029-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4079408830-522228229-893750029-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2014-12-02] (Microsoft Corporation)
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-01-14] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-01-14] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll [2014-11-15] (Microsoft Corporation)
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-05] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL [2015-01-13] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL [2015-01-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-05] (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2014-11-15] (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL [2014-11-15] (Microsoft Corporation)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{2B752E53-9E5C-4718-A9D2-BC0AFBDC3677}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{2F9AFDF7-CF04-4F3F-A7F7-18D47F311473}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{5D6083AD-7DC7-4383-AF45-D9F503206B67}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{87BB8AA1-A0E0-4BD1-B867-1E9513FE880E}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{AC90FE81-9C6C-41FD-89BD-EAC77651A4FA}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{B9A34A9F-60C1-4FBD-AC52-49C3A56848F1}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{C87CB375-E08B-4188-BFFA-8F36E0A6A31C}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\x878u65c.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-11-15] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-11-15] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL [2014-11-15] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin HKU\S-1-5-21-4079408830-522228229-893750029-1000: @acestream.net/acestreamplugin,version=3.0.0 -> C:\Users\ASUS\AppData\Roaming\ACEStream\player\npace_plugin.dll [2014-10-01] (Innovative Digital Technologies)
FF Extension: Adblock Plus - C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\x878u65c.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-30]
FF Extension: DownThemAll! - C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\x878u65c.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-09-27]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-11-20] (Advanced Micro Devices, Inc.) [File not signed]
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2711736 2015-01-14] (Microsoft Corporation)
R2 OpenVPNAccessClient; C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\core\capiws.exe [24064 2014-10-12] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 VMAuthdService; "C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe" [X]
S2 VMUSBArbService; "C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.3; C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [32808 2015-03-11] (http://libusb-win32.sourceforge.net) [File not signed]
S3 libusb0; C:\Windows\SysWOW64\drivers\libusb0.sys [28672 2007-03-20] (http://libusb-win32.sourceforge.net) [File not signed]
R3 tapoas; C:\Windows\System32\DRIVERS\tapoas.sys [27136 2014-10-12] (The OpenVPN Project)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2014-07-28] (Apple, Inc.) [File not signed]
R3 vmkbd2; C:\Windows\system32\drivers\VMkbd.sys [33496 2014-10-29] (VMware, Inc.)
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [32472 2014-10-29] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
S2 APXACC; system32\DRIVERS\appexDrv.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz138; \??\C:\Users\ASUS\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
S0 MpFilter; system32\DRIVERS\MpFilter.sys [X]
S3 PORTIO; \??\C:\Users\ASUS\Downloads\DosFlash64\portio64.sys [X]
S1 rrjezdzr; \??\C:\Windows\system32\drivers\rrjezdzr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 16:48 - 2015-03-12 16:48 - 00000000 ____D () C:\Users\ASUS\Downloads\FRST-OlderVersion
2015-03-12 16:07 - 2015-03-12 16:07 - 00000664 ____H () C:\ProgramData\@system.temp
2015-03-12 16:07 - 2015-03-12 16:07 - 00000400 ____H () C:\ProgramData\@system3.att
2015-03-12 15:27 - 2015-03-12 15:32 - 00000000 ____D () C:\Program Files\Unlocker
2015-03-12 15:27 - 2015-03-12 15:27 - 01078591 _____ () C:\Users\ASUS\Downloads\Unlocker1.9.2.exe
2015-03-12 15:27 - 2015-03-12 15:27 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2015-03-12 06:37 - 2015-03-12 06:37 - 00000480 ____H () C:\Users\ASUS\AppData\Roaming\麽鎒駓覜
2015-03-12 06:37 - 2015-03-12 06:37 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\FrameworkUpdate
2015-03-11 00:06 - 2007-03-20 11:33 - 00028672 _____ (http://libusb-win32.sourceforge.net) C:\Windows\SysWOW64\Drivers\libusb0.sys
2015-03-10 23:58 - 2015-03-11 00:01 - 00000652 _____ () C:\Users\ASUS\Downloads\umbrella.log
2015-03-10 23:58 - 2015-03-11 00:01 - 00000327 _____ () C:\Users\ASUS\umbrella0.log
2015-03-10 23:58 - 2015-03-11 00:01 - 00000201 _____ () C:\Windows\system32\Drivers\etc\hosts.umbrella
2015-03-10 23:58 - 2015-03-10 23:58 - 00000000 ____D () C:\Users\ASUS\.shsh
2015-03-10 23:57 - 2015-03-10 23:57 - 03618816 _____ () C:\Users\ASUS\Downloads\tinyumbrella-7.12.00.exe
2015-03-10 17:22 - 2015-03-10 17:22 - 00001159 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-03-10 17:22 - 2015-03-10 17:22 - 00001147 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-03-10 17:22 - 2015-03-10 17:22 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-03-10 17:21 - 2015-03-10 17:21 - 00002770 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-03-10 17:21 - 2015-03-10 17:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-03-10 17:21 - 2015-03-10 17:21 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-10 17:20 - 2015-03-10 17:21 - 05325696 _____ (Piriform Ltd) C:\Users\ASUS\Downloads\ccsetup503.exe
2015-03-10 17:17 - 2015-03-10 17:20 - 00243368 _____ () C:\Users\ASUS\Downloads\Firefox Setup Stub 36.0.1.exe
2015-03-10 17:13 - 2015-03-10 17:13 - 00020353 _____ () C:\Users\ASUS\Documents\bookmarks-2015-03-10.json
2015-03-09 13:00 - 2015-03-09 13:00 - 00000837 _____ () C:\Users\ASUS\Desktop\JRT.txt
2015-03-09 12:49 - 2015-03-09 12:50 - 00000000 ____D () C:\AdwCleaner
2015-03-09 12:48 - 2015-03-09 12:49 - 01388333 _____ (Thisisu) C:\Users\ASUS\Downloads\JRT.exe
2015-03-09 12:48 - 2015-03-09 12:48 - 02126848 _____ () C:\Users\ASUS\Downloads\AdwCleaner.exe
2015-03-03 21:00 - 2015-03-03 21:03 - 00000000 ____D () C:\Users\ASUS\Desktop\Terry
2015-03-03 20:47 - 2015-03-03 20:47 - 00015933 _____ () C:\ComboFix.txt
2015-03-03 20:35 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-03-03 20:35 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-03-03 20:35 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-03-03 20:35 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-03-03 20:35 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-03-03 20:35 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2015-03-03 20:35 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2015-03-03 20:35 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2015-03-03 20:34 - 2015-03-03 20:47 - 00000000 ____D () C:\Qoobox
2015-03-03 20:34 - 2015-03-03 20:45 - 00000000 ____D () C:\Windows\erdnt
2015-03-03 20:11 - 2015-03-03 20:12 - 05612482 ____R (Swearware) C:\Users\ASUS\Downloads\ComboFix.exe
2015-03-03 19:48 - 2015-03-03 19:50 - 00031527 _____ () C:\Users\ASUS\Downloads\Addition.txt
2015-03-03 19:48 - 2015-03-03 19:49 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\ASUS\Downloads\tdsskiller.exe
2015-03-03 19:45 - 2015-03-12 17:01 - 00014200 _____ () C:\Users\ASUS\Downloads\FRST.txt
2015-03-03 19:45 - 2015-03-12 17:01 - 00000000 ____D () C:\FRST
2015-03-03 19:45 - 2015-03-03 19:45 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-03-03 19:44 - 2015-03-12 16:48 - 02095616 _____ (Farbar) C:\Users\ASUS\Downloads\FRST64.exe
2015-03-03 19:42 - 2015-03-12 03:36 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-03-03 19:38 - 2015-03-03 19:39 - 14160536 _____ (Microsoft Corporation) C:\Users\ASUS\Downloads\mseinstall.exe
2015-03-02 20:23 - 2015-03-02 21:02 - 1086779545 _____ () C:\Users\ASUS\Downloads\MacOSXUpdCombo10.6.8.dmg
2015-03-02 13:00 - 2015-03-02 13:00 - 00000000 ____D () C:\Windows\pss
2015-02-28 23:42 - 2015-02-28 23:42 - 00006148 ____H () C:\Users\Public\.DS_Store
2015-02-25 00:21 - 2015-02-25 00:21 - 00000000 ____D () C:\Users\ASUS\.android
2015-02-24 23:50 - 2015-02-24 23:38 - 00000066 _____ () C:\Users\ASUS\Documents\site.txt
2015-02-24 23:15 - 2015-02-24 23:16 - 06059248 _____ (Oxygen Software ) C:\Users\ASUS\Downloads\OxyPlistViewer_Setup.exe
2015-02-24 23:12 - 2015-03-02 23:26 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2015-02-24 23:01 - 2015-02-25 00:14 - 181526747 _____ () C:\Users\ASUS\Downloads\Forensic_Suite_2014_6.4.0.67.rar
2015-02-24 22:28 - 2015-02-24 22:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iSkysoft
2015-02-24 22:28 - 2015-02-24 22:32 - 00000000 ____D () C:\Program Files (x86)\iSkysoft
2015-02-24 22:28 - 2015-02-24 22:28 - 00000000 ____D () C:\ProgramData\Wondershare
2015-02-24 22:03 - 2015-02-24 22:03 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\WinRAR
2015-02-24 22:03 - 2015-02-24 22:03 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-24 22:03 - 2015-02-24 22:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-24 22:03 - 2015-02-24 22:03 - 00000000 ____D () C:\Program Files\WinRAR
2015-02-24 21:31 - 2015-02-24 21:31 - 00000000 __SHD () C:\Users\ASUS\AppData\Local\EmieBrowserModeList
2015-02-24 21:20 - 2015-02-24 21:20 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\iMobie
2015-02-24 20:13 - 2012-01-26 17:26 - 00000189 _____ () C:\disabled.fix
2015-02-24 20:12 - 2015-02-24 20:12 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\redsn0w
2015-02-24 15:03 - 2015-03-07 13:44 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox.bak
2015-02-17 04:39 - 2015-02-17 04:39 - 00000360 _____ () C:\Users\ASUS\openvpn-connect.json
2015-02-17 04:38 - 2015-03-12 03:45 - 00012960 _____ () C:\Users\ASUS\ovpntray.log
2015-02-17 04:38 - 2015-02-17 04:38 - 00001371 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN Connect.lnk
2015-02-17 04:38 - 2015-02-17 04:38 - 00001359 _____ () C:\Users\Public\Desktop\OpenVPN Connect.lnk
2015-02-17 04:37 - 2015-02-17 04:37 - 00000000 ____D () C:\Program Files (x86)\OpenVPN Technologies
2015-02-10 18:09 - 2015-03-09 13:18 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-10 18:09 - 2015-02-10 18:09 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-10 18:09 - 2015-02-10 18:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-10 18:09 - 2015-02-10 18:09 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-10 18:09 - 2015-02-10 18:09 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-10 18:09 - 2014-11-21 07:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-10 18:09 - 2014-11-21 07:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-10 18:09 - 2014-11-21 07:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-10 18:08 - 2015-02-10 18:08 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\ASUS\Downloads\mbam-setup-2.0.4.1028.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 17:00 - 2009-07-13 23:45 - 00025616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-12 17:00 - 2009-07-13 23:45 - 00025616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-12 16:45 - 2014-08-30 18:32 - 01686928 _____ () C:\Windows\WindowsUpdate.log
2015-03-12 16:34 - 2014-09-08 22:20 - 00000384 _____ () C:\Windows\Tasks\WpsNotifyTask_ASUS.job
2015-03-12 16:21 - 2014-09-08 22:20 - 00000384 _____ () C:\Windows\Tasks\WpsUpdateTask_ASUS.job
2015-03-12 16:17 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-12 04:53 - 2014-09-14 15:49 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\vlc
2015-03-12 03:48 - 2009-07-14 00:13 - 00786022 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-12 03:44 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-12 03:44 - 2009-07-13 23:51 - 00030979 _____ () C:\Windows\setupact.log
2015-03-12 03:36 - 2009-07-14 00:08 - 00023158 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-11 13:40 - 2014-08-30 14:35 - 00065536 _____ () C:\Windows\system32\spu_storage.bin
2015-03-11 11:37 - 2014-08-30 22:25 - 00035386 _____ () C:\Windows\PFRO.log
2015-03-11 11:37 - 2014-08-30 11:50 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-03-11 00:05 - 2014-09-06 16:13 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\tixati
2015-03-11 00:02 - 2009-03-18 23:18 - 00044584 _____ (http://libusb-win32.sourceforge.net) C:\Windows\SysWOW64\libusb0.dll
2015-03-11 00:02 - 2009-03-18 23:18 - 00032808 _____ (http://libusb-win32.sourceforge.net) C:\Windows\system32\Drivers\libusb0.sys
2015-03-11 00:01 - 2014-08-30 18:40 - 00000000 ____D () C:\Users\ASUS
2015-03-10 21:38 - 2014-09-11 22:15 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-10 17:24 - 2015-01-29 21:59 - 00000000 ____D () C:\Program Files (x86)\SABnzbd
2015-03-03 20:44 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
2015-03-03 08:17 - 2014-08-30 11:57 - 00295552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-28 18:15 - 2014-12-22 23:37 - 00000000 ____D () C:\Program Files (x86)\Raptr
2015-02-27 22:39 - 2014-08-31 17:36 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\Audacity
2015-02-24 20:54 - 2014-11-08 22:29 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2015-02-24 20:46 - 2014-11-15 23:23 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2015-02-24 20:31 - 2014-10-19 22:20 - 00000600 _____ () C:\Users\ASUS\AppData\Local\PUTTY.RND
2015-02-22 16:50 - 2014-10-13 02:26 - 00000000 ____D () C:\Users\ASUS\AppData\Roaming\Vso
2015-02-22 15:29 - 2014-10-13 02:27 - 00000000 ____D () C:\Users\ASUS\Documents\ConvertXToDVD
2015-02-19 12:46 - 2015-02-08 19:30 - 00000153 _____ () C:\Users\ASUS\Desktop\New Text Document.txt
2015-02-17 04:15 - 2014-08-30 12:25 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-02-11 18:45 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Vss

==================== Files in the root of some directories =======

2015-03-12 06:37 - 2015-03-12 06:37 - 0000480 ____H () C:\Users\ASUS\AppData\Roaming\麽鎒駓覜
2014-10-19 22:20 - 2015-02-24 20:31 - 0000600 _____ () C:\Users\ASUS\AppData\Local\PUTTY.RND
2015-03-12 16:07 - 2015-03-12 16:07 - 0000664 ____H () C:\ProgramData\@system.temp
2015-03-12 16:07 - 2015-03-12 16:07 - 0000400 ____H () C:\ProgramData\@system3.att
2014-08-30 18:39 - 2010-11-20 07:17 - 0016896 ___SH () C:\ProgramData\msmncer.exe

Files to move or delete:
====================
C:\ProgramData\msmncer.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-05 01:00

==================== End Of Log ============================


#2 thekingof7 (Topic Starter, Members, 24 posts)

Posted 13 March 2015 - 10:52 PM

Errrrr hello?



#3 nasdaq (Malware Response Team, 38,250 posts, Montreal, QC, Canada)

Posted 16 March 2015 - 07:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKLM\...\Policies\Explorer\Run: [1940980912] => C:\ProgramData\msmncer.exe [16896 2010-11-20] ( ())
HKU\S-1-5-21-4079408830-522228229-893750029-1000\...\Run: [GoogleUpdate] => C:\Users\ASUS\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe [14993508 2015-03-12] ()
ShellIconOverlayIdentifiers: [0WinSecurityProvider] -> {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} => C:\ProgramData\Microsoft\Security\Client\SecurityProvider.dll ()
HKU\S-1-5-21-4079408830-522228229-893750029-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S2 VMAuthdService; "C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe" [X]
S2 VMUSBArbService; "C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe" [X]
S2 APXACC; system32\DRIVERS\appexDrv.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz138; \??\C:\Users\ASUS\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
S0 MpFilter; system32\DRIVERS\MpFilter.sys [X]
S3 PORTIO; \??\C:\Users\ASUS\Downloads\DosFlash64\portio64.sys [X]
S1 rrjezdzr; \??\C:\Windows\system32\drivers\rrjezdzr.sys [X]
C:\Users\ASUS\AppData\Roaming\FrameworkUpdate
C:\ProgramData\Microsoft\Security\Client\SecurityProvider.dll
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
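As an added illustration of the triage behind the fixlist above (this script is not part of the original thread, of FRST, or of the responder's method): a small Python helper that reads FRST.txt lines and flags the kinds of entries that ended up in the fix, so a reviewer can see why each one stood out. The sample lines are copied from the log posted in this thread; the regexes, the `USER_WRITABLE` list, and the function names are my own assumptions about the log format.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) output.
Flags autostarts with no publisher or launched from ProgramData/AppData, services
and drivers whose file is missing ([X]), an IE policy restriction, and hidden or
oddly named files in user-writable places. Hints for a human, not a verdict."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autostart line: "HKLM\...\Run: [Name] => C:\path.exe [size date] (Publisher)"
AUTOSTART_RE = re.compile(
    r"^(?P<key>.*\\Run): \[(?P<name>[^\]]*)\] => (?P<path>.*?) "
    r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<publisher>.*)\)$"
)
# Service/driver line whose file FRST could not find: "S1 name; path [X]"
MISSING_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<path>.*?) \[X\]$")
# Created/modified file line: "date time - date time - size attrs (Publisher) path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ "
    r"(?P<attrs>\S{5}) \((?P<publisher>[^)]*)\) (?P<path>.*)$"
)
# Locations a standard user can write to (assumed list); autostarts and hidden files here deserve a look.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")

@dataclass
class Finding:
    line_no: int
    path: str
    reasons: List[str] = field(default_factory=list)

def _publisher(raw: str) -> str:
    # FRST prints "()" or "( ())" when the file carries no publisher/version resource.
    return raw.strip().strip("()").strip()

def _in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)

def triage_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding for one FRST line, or None if nothing looks off."""
    if "Policy restriction" in line:
        key = line.split(": Policy restriction")[0]
        return Finding(line_no, key, ["IE policy restriction set (FRST marks it ATTENTION)"])
    m = AUTOSTART_RE.match(line)
    if m:
        reasons = []
        if not _publisher(m["publisher"]):
            reasons.append("autostart file has no publisher information")
        if _in_user_writable(m["path"]):
            reasons.append("autostart launches from a user-writable location")
        if "policies\\explorer\\run" in m["key"].lower():
            reasons.append("registered under Policies\\Explorer\\Run")
        return Finding(line_no, m["path"], reasons) if reasons else None
    m = MISSING_RE.match(line)
    if m:
        return Finding(line_no, m["path"], [f"{m['name']}: service/driver file missing ([X])"])
    m = FILE_RE.match(line)
    if m:
        reasons = []
        hidden = "H" in m["attrs"] or "S" in m["attrs"]
        if hidden and _in_user_writable(m["path"]):
            reasons.append("hidden/system attribute on a file in a user-writable location")
        if any(ord(ch) > 127 for ch in m["path"]):
            reasons.append("non-ASCII file name")
        return Finding(line_no, m["path"], reasons) if reasons else None
    return None

def triage(log_text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = triage_line(n, line.rstrip())
        if f:
            findings.append(f)
    return findings

# Constructed sample: a subset of lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM\...\Policies\Explorer\Run: [1940980912] => C:\ProgramData\msmncer.exe [16896 2010-11-20] ( ())
HKU\S-1-5-21-4079408830-522228229-893750029-1000\...\Run: [GoogleUpdate] => C:\Users\ASUS\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe [14993508 2015-03-12] ()
HKU\S-1-5-21-4079408830-522228229-893750029-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-4079408830-522228229-893750029-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2711736 2015-01-14] (Microsoft Corporation)
S1 rrjezdzr; \??\C:\Windows\system32\drivers\rrjezdzr.sys [X]
2015-03-12 16:07 - 2015-03-12 16:07 - 00000664 ____H () C:\ProgramData\@system.temp
2015-03-12 06:37 - 2015-03-12 06:37 - 00000480 ____H () C:\Users\ASUS\AppData\Roaming\麽鎒駓覜
2015-03-12 15:27 - 2015-03-12 15:27 - 01078591 _____ () C:\Users\ASUS\Downloads\Unlocker1.9.2.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.path} -> {'; '.join(f.reasons)}")
```

Note that a file with no publisher sitting in Downloads (the Unlocker installer) is not flagged: the heuristics key on where and how something runs, not on missing version info alone.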

#4 nasdaq (Malware Response Team, 38,250 posts, Montreal, QC, Canada)

Posted 21 March 2015 - 08:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



