filestore72 info browser hijacker


This topic is locked
37 replies to this topic

#1 asleep (Members, 71 posts)

Posted 12 March 2015 - 05:52 PM

It appears I have the filestore72 info browser hijacker that I guess I got from a football forum using old vBulletin software...?

Searching Google for "texanstalk" and clicking on the top result redirected to a porn pic, now just to Filestore72.info/download.php?id=f3427f3f or similar page.

I have a screen capture jpg of the page: http://www.planet-9.com/attachments/website-info-feedback/29531d1365103075-file-info-hack-vin.jpg

A number of other members are having the same issue. I think it's just in Chrome, but I have IE & Firefox, too.

Thank you. :)

 

*********************************

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Todd (administrator) on TODD-M6700 on 12-03-2015 17:41:23
Running from C:\Users\Todd\Desktop
Loaded Profiles: Todd (Available profiles: Todd)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
() C:\Program Files (x86)\Client\ClientLauncher\nssm.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
() C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Joyent, Inc) C:\Program Files (x86)\Client\ClientLauncher\node.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Joyent, Inc) C:\Program Files (x86)\Client\ClientLauncher\node.exe
(Portrait Displays Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(O2Micro International) C:\Windows\System32\o2flash.exe
() C:\Windows\SysWOW64\srvany.exe
(O2Micro.) C:\Windows\SysWOW64\SDIOAssist.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [708952 2013-07-08] (Alps Electric Co., Ltd.)
HKLM\...\Run: [TdmNotify] => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [381296 2011-12-08] (Wave Systems Corp.)
HKLM\...\Run: [DFEPApplication] => C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077432 2012-08-15] (Dell Inc.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2716960 2013-02-27] ()
HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4791024 2013-07-17] (Intel® Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1703424 2013-08-16] (IDT, Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292088 2013-02-22] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284480 2012-05-30] (Intel Corporation)
HKLM-x32\...\Run: [DT DL2] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [120400 2012-07-23] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [462974 2011-12-16] (Creative Technology Ltd)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [CaddieSyncConduit] => C:\Program Files (x86)\SkyGolf\CaddieSync Express\CaddieSyncExpress.exe
HKLM-x32\...\Run: [agentAutoStart] => C:\Program Files (x86)\Client\ClientLauncher\node.exe [5797224 2014-10-07] (Joyent, Inc)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\...\Run: [SP TimeSync] => C:\Program Files\SP TimeSync 2.4\SP TimeSync.exe [116224 2010-02-07] ()
Lsa: [Authentication Packages] msv1_0 wvauth
Lsa: [Notification Packages] scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SP TimeSync.exe - Shortcut.lnk
ShortcutTarget: SP TimeSync.exe - Shortcut.lnk -> C:\Program Files\SP TimeSync 2.4\SP TimeSync.exe ()
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.golfwrx.com/forums/
HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13-comm.msn.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-08-23] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-08-23] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
Tcpip\Parameters: [DhcpNameServer] 10.1.10.1
 
FireFox:
========
FF ProfilePath: C:\Users\Todd\AppData\Roaming\Mozilla\Firefox\Profiles\7l3vo787.default
FF Homepage: hxxp://www.golfwrx.com/forums/|about:home
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-08-23] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-08-23] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-11-13] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-11-13] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-02-27] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-02-27] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-3742083271-2325492446-2510752143-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Todd\AppData\Local\Citrix\Plugins\94\npappdetector.dll [2013-02-23] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPCltInst11.dll [2014-04-15] (BroadSoft, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPCltInst121.dll [2014-06-27] (BroadSoft, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\NPCltInst121.dll [2014-06-27] (BroadSoft, Inc.)
FF Extension: Flashblock - C:\Users\Todd\AppData\Roaming\Mozilla\Firefox\Profiles\7l3vo787.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2014-12-12]
FF Extension: iMacros for Firefox - C:\Users\Todd\AppData\Roaming\Mozilla\Firefox\Profiles\7l3vo787.default\Extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} [2015-02-22]
FF Extension: Element Hiding Helper for Adblock Plus - C:\Users\Todd\AppData\Roaming\Mozilla\Firefox\Profiles\7l3vo787.default\Extensions\elemhidehelper@adblockplus.org.xpi [2013-07-27]
FF Extension: Facebook Disconnect - C:\Users\Todd\AppData\Roaming\Mozilla\Firefox\Profiles\7l3vo787.default\Extensions\facebook@disconnect.me.xpi [2015-02-18]
FF Extension: Adblock Plus - C:\Users\Todd\AppData\Roaming\Mozilla\Firefox\Profiles\7l3vo787.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-02-05]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://my.yahoo.com/
CHR StartupUrls: Default -> "hxxp://my.yahoo.com/"
CHR Profile: C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-01-03]
CHR Extension: (Google Drive) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-01-03]
CHR Extension: (YouTube) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-01-03]
CHR Extension: (Adblock Plus) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-04-05]
CHR Extension: (µBlock) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2014-10-13]
CHR Extension: (Google Search) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-01-03]
CHR Extension: (TimelineRemove) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnedfaenfnkikficknkklbdedlecmpgc [2013-01-03]
CHR Extension: (Facebook Disconnect) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpepffjfmamnambagiibghpglaidiec [2013-01-03]
CHR Extension: (AdBlock) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-01-03]
CHR Extension: (G Disconnect) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\kglfocodeikakacbeoajjhnplhlaoook [2013-05-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Twitter Disconnect) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\mepbfdngnnnpcnnijhibnejcogmidpig [2013-05-19]
CHR Extension: (Google Wallet) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR Extension: (Page Monitor) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd [2013-01-03]
CHR Extension: (Gmail) - C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-01-03]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClientLauncher; C:\Program Files (x86)\Client\ClientLauncher\nssm.exe [215552 2014-10-07] () [File not signed]
R2 DFEPService; c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2280504 2012-08-15] (Dell Inc.)
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [136784 2012-07-23] (Portrait Displays, Inc.)
R2 EmbassyService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [218504 2012-01-17] ()
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-11-13] (Intel Corporation)
S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-07-17] ()
R2 O2FLASH; C:\Windows\system32\o2flash.exe [244328 2011-11-16] (O2Micro International)
R2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1637888 2011-10-08] () [File not signed]
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1679872 2012-01-05] (Wave Systems Corp.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WvPCR; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [198144 2012-01-16] (Wave Systems Corp.) [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3377904 2013-07-17] (Intel® Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [165688 2014-10-11] (Broadcom Corporation.)
S3 Logi_Headset_DFU; C:\Windows\System32\Drivers\lhusbdfuamd64.sys [44136 2014-04-18] (CSR plc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-11-13] (Intel Corporation)
S3 SkyhawkeUSBLan; C:\Windows\System32\DRIVERS\btblan.sys [47600 2010-04-15] (Belcarra Technologies)
R3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_ACCEL.sys [89312 2013-03-27] (STMicroelectronics)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-12 17:41 - 2015-03-12 17:42 - 00020590 _____ () C:\Users\Todd\Desktop\FRST.txt
2015-03-12 17:40 - 2015-03-12 17:41 - 00000000 ____D () C:\FRST
2015-03-12 17:38 - 2015-03-12 17:38 - 02095616 _____ (Farbar) C:\Users\Todd\Desktop\FRST64.exe
2015-03-12 16:42 - 2015-03-12 16:42 - 00000000 ____D () C:\Users\Todd\AppData\Local\{49E8BB8A-EAA3-477A-B4F1-B76E7ECAC4DC}
2015-03-12 04:41 - 2015-03-12 04:41 - 00000000 ____D () C:\Users\Todd\AppData\Local\{CCD31428-A5F1-49E1-9FF1-6F6F993F1119}
2015-03-11 16:40 - 2015-03-11 16:40 - 00000000 ____D () C:\Users\Todd\AppData\Local\{7DC27BF9-36B0-45F0-B36B-2479A58EF11C}
2015-03-11 04:39 - 2015-03-11 04:39 - 00000000 ____D () C:\Users\Todd\AppData\Local\{0EC7A259-6CF4-4B25-8BF0-1308BA4DA3FB}
2015-03-10 16:38 - 2015-03-10 16:38 - 00000000 ____D () C:\Users\Todd\AppData\Local\{A6695624-8824-4FCF-8378-4574DD687494}
2015-03-10 04:37 - 2015-03-10 04:37 - 00000000 ____D () C:\Users\Todd\AppData\Local\{01DD03F8-C365-47DE-8B9D-0FAABF759B16}
2015-03-09 16:36 - 2015-03-09 16:36 - 00000000 ____D () C:\Users\Todd\AppData\Local\{40EB2910-219A-475D-819C-80B24D2E5368}
2015-03-09 04:35 - 2015-03-09 04:36 - 00000000 ____D () C:\Users\Todd\AppData\Local\{BCA47D21-63B5-4B40-AB81-83D93E93C0DC}
2015-03-08 19:40 - 2015-03-08 19:40 - 00000091 _____ () C:\Users\Todd\Desktop\Hypnosis.txt
2015-03-08 16:34 - 2015-03-08 16:35 - 00000000 ____D () C:\Users\Todd\AppData\Local\{A389EA4B-C7A9-41A3-9556-E8DBDF21E8EF}
2015-03-08 04:33 - 2015-03-08 04:34 - 00000000 ____D () C:\Users\Todd\AppData\Local\{7ADF8422-2E1D-498A-A8D5-FDD492A4C28F}
2015-03-07 16:33 - 2015-03-07 16:33 - 00000000 ____D () C:\Users\Todd\AppData\Local\{6A050DCC-BD6F-4555-AF22-B2107BD30ECE}
2015-03-07 04:32 - 2015-03-07 04:33 - 00000000 ____D () C:\Users\Todd\AppData\Local\{5D33FCB3-06A4-4880-989E-046ACBFBD7DD}
2015-03-06 23:54 - 2015-03-06 23:54 - 06220854 _____ () C:\Users\Todd\Desktop\SPARQ.bmp
2015-03-06 16:31 - 2015-03-06 16:32 - 00000000 ____D () C:\Users\Todd\AppData\Local\{7B7E0E0D-5203-44F3-83DE-CDA6CFF95276}
2015-03-06 04:31 - 2015-03-06 04:31 - 00000000 ____D () C:\Users\Todd\AppData\Local\{E44761B2-D58A-4097-A266-EC7EA3ED5755}
2015-03-05 16:30 - 2015-03-05 16:31 - 00000000 ____D () C:\Users\Todd\AppData\Local\{8AD7701F-5E01-4955-B7E2-D0AE9CD4DE85}
2015-03-05 04:30 - 2015-03-05 04:30 - 00000000 ____D () C:\Users\Todd\AppData\Local\{CF5843A0-F64A-4A98-882B-1667A6663AFD}
2015-03-04 16:29 - 2015-03-04 16:29 - 00000000 ____D () C:\Users\Todd\AppData\Local\{6C658FCA-3CF8-42B7-8516-886E5BDB1A41}
2015-03-04 04:28 - 2015-03-04 04:29 - 00000000 ____D () C:\Users\Todd\AppData\Local\{73BE408F-41F7-4BB2-AA21-2CBD1DF97DE5}
2015-03-03 16:28 - 2015-03-03 16:28 - 00000000 ____D () C:\Users\Todd\AppData\Local\{1666B0BE-F20E-46FF-8E33-50B839B165A7}
2015-03-03 04:27 - 2015-03-03 04:27 - 00000000 ____D () C:\Users\Todd\AppData\Local\{CC6CB12A-8EC2-4600-8D0B-1AE85B3804AB}
2015-03-02 16:26 - 2015-03-02 16:27 - 00000000 ____D () C:\Users\Todd\AppData\Local\{C96D7FBC-695E-4E32-B0DD-C89B9152BEDE}
2015-03-02 04:26 - 2015-03-02 04:26 - 00000000 ____D () C:\Users\Todd\AppData\Local\{DC945D8F-0784-4D59-91A5-1A45A9E37405}
2015-03-01 16:25 - 2015-03-01 16:26 - 00000000 ____D () C:\Users\Todd\AppData\Local\{C7D9F62C-9A37-4D53-B75F-15C0299AE12B}
2015-03-01 04:24 - 2015-03-01 04:25 - 00000000 ____D () C:\Users\Todd\AppData\Local\{677702CE-1A75-4BA2-986A-CDCB03DBA30B}
2015-02-28 16:24 - 2015-02-28 16:24 - 00000000 ____D () C:\Users\Todd\AppData\Local\{8B11CB72-88B0-45E7-A6A1-FB440FE371EE}
2015-02-28 04:24 - 2015-02-28 04:24 - 00000000 ____D () C:\Users\Todd\AppData\Local\{774007DC-CAD9-43D1-94DB-1979D1316CDB}
2015-02-27 16:23 - 2015-02-27 16:23 - 00000000 ____D () C:\Users\Todd\AppData\Local\{C8EE7E6D-0DF3-4318-A820-814733BE782F}
2015-02-27 04:23 - 2015-02-27 04:23 - 00000000 ____D () C:\Users\Todd\AppData\Local\{33347F5A-6B76-43AD-B768-171310B53F89}
2015-02-26 16:22 - 2015-02-26 16:23 - 00000000 ____D () C:\Users\Todd\AppData\Local\{69B0432B-7496-4FB6-91E1-C6A4D1BF6856}
2015-02-26 13:55 - 2015-02-26 13:55 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-26 04:22 - 2015-02-26 04:22 - 00000000 ____D () C:\Users\Todd\AppData\Local\{D1F5FB01-7825-421F-9116-64B7EF264665}
2015-02-25 16:21 - 2015-02-25 16:22 - 00000000 ____D () C:\Users\Todd\AppData\Local\{5F19A7C6-3C88-48E8-8795-BD2AD1E36448}
2015-02-25 04:21 - 2015-02-25 04:21 - 00000000 ____D () C:\Users\Todd\AppData\Local\{FF6C401F-C5B5-45A0-B5ED-5E498868E427}
2015-02-24 18:27 - 2015-02-24 18:27 - 00000558 _____ () C:\Users\Todd\Desktop\Frankie Smith.txt
2015-02-24 16:20 - 2015-02-24 16:20 - 00000000 ____D () C:\Users\Todd\AppData\Local\{C40AFEAE-542A-40DC-ADBB-8AE41F9E61F0}
2015-02-24 04:20 - 2015-02-24 04:20 - 00000000 ____D () C:\Users\Todd\AppData\Local\{BEF11278-0DC0-4A8A-88B9-1700F263DACC}
2015-02-23 16:19 - 2015-02-23 16:19 - 00000000 ____D () C:\Users\Todd\AppData\Local\{60457D03-2413-4C49-8CF8-824A964A1ABD}
2015-02-23 04:18 - 2015-02-23 04:18 - 00000000 ____D () C:\Users\Todd\AppData\Local\{218144F0-A137-4DB2-BC98-7054ADFAFFAA}
2015-02-22 16:17 - 2015-02-22 16:18 - 00000000 ____D () C:\Users\Todd\AppData\Local\{34AB1FC9-4934-4623-B98A-A324E2C49808}
2015-02-22 04:16 - 2015-02-22 04:17 - 00000000 ____D () C:\Users\Todd\AppData\Local\{745257FD-2621-4725-9BD6-BF336275490A}
2015-02-21 16:16 - 2015-02-21 16:16 - 00000000 ____D () C:\Users\Todd\AppData\Local\{CDA3F9CC-A857-4DA3-A245-50AFEE9FC670}
2015-02-21 04:16 - 2015-02-21 04:16 - 00000000 ____D () C:\Users\Todd\AppData\Local\{A26B01F4-8D0C-4561-B349-1E15F9111270}
2015-02-20 16:16 - 2015-02-20 16:16 - 00000000 ____D () C:\Users\Todd\AppData\Local\{7CF73F2C-4A6A-40AC-B77C-C51F8C1C990A}
2015-02-20 04:15 - 2015-02-20 04:16 - 00000000 ____D () C:\Users\Todd\AppData\Local\{B9BE7390-D572-4E98-9245-DF647CC496F3}
2015-02-19 16:15 - 2015-02-19 16:15 - 00000000 ____D () C:\Users\Todd\AppData\Local\{C9873558-5708-4E3F-B080-E2C2F830BCE6}
2015-02-19 04:14 - 2015-02-19 04:15 - 00000000 ____D () C:\Users\Todd\AppData\Local\{9ED87DC4-EACE-48C7-BCE8-4C1BDD9D1B06}
2015-02-18 16:13 - 2015-02-18 16:14 - 00000000 ____D () C:\Users\Todd\AppData\Local\{28793833-8A7C-4D79-9CFD-830106581540}
2015-02-18 04:13 - 2015-02-18 04:13 - 00000000 ____D () C:\Users\Todd\AppData\Local\{E69D4BBA-A2A9-4947-BB27-A0F162AE032E}
2015-02-17 16:12 - 2015-02-17 16:12 - 00000000 ____D () C:\Users\Todd\AppData\Local\{BAB3300A-2453-4B64-A8A3-0C158E6C2964}
2015-02-17 04:11 - 2015-02-17 04:11 - 00000000 ____D () C:\Users\Todd\AppData\Local\{2C30810C-276A-4E67-84DD-25F4AAA32030}
2015-02-16 16:10 - 2015-02-16 16:10 - 00000000 ____D () C:\Users\Todd\AppData\Local\{DC272975-5B74-4A3C-8CD7-79A8316737F4}
2015-02-16 04:10 - 2015-02-16 04:10 - 00000000 ____D () C:\Users\Todd\AppData\Local\{148A9947-BFC3-4815-ABEB-DBC67BC22DAB}
2015-02-15 16:09 - 2015-02-15 16:09 - 00000000 ____D () C:\Users\Todd\AppData\Local\{0C4D2108-C5E3-49E6-AF19-2E568DA5E407}
2015-02-15 04:08 - 2015-02-15 04:08 - 00000000 ____D () C:\Users\Todd\AppData\Local\{62054E06-57D9-4B22-B1A3-CFE2751C2D21}
2015-02-14 16:08 - 2015-02-14 16:08 - 00000000 ____D () C:\Users\Todd\AppData\Local\{2C59E179-CE68-4D7D-969C-559B2C35A83B}
2015-02-14 04:07 - 2015-02-14 04:08 - 00000000 ____D () C:\Users\Todd\AppData\Local\{C6882141-77F9-417A-A0AB-5B3712E8062D}
2015-02-13 16:06 - 2015-02-13 16:07 - 00000000 ____D () C:\Users\Todd\AppData\Local\{6768139E-FF61-4EBC-8A67-3A9835A8FCFD}
2015-02-13 04:05 - 2015-02-13 04:06 - 00000000 ____D () C:\Users\Todd\AppData\Local\{5417684B-3EF0-4FC6-95DA-94E6547BD4F2}
2015-02-12 16:05 - 2015-02-12 16:05 - 00000000 ____D () C:\Users\Todd\AppData\Local\{149E753E-110E-434B-B599-185C97DECF3E}
2015-02-12 04:04 - 2015-02-12 04:04 - 00000000 ____D () C:\Users\Todd\AppData\Local\{5A4B536D-214D-415D-A779-C8ED7B15B62C}
2015-02-11 16:03 - 2015-02-11 16:04 - 00000000 ____D () C:\Users\Todd\AppData\Local\{DBCA4CE8-7712-43C8-B984-3C427863A0E3}
2015-02-11 04:02 - 2015-02-11 04:03 - 00000000 ____D () C:\Users\Todd\AppData\Local\{64A3BEAB-B8D0-409C-88AA-953E7E0AE8D7}
2015-02-10 16:02 - 2015-02-10 16:02 - 00000000 ____D () C:\Users\Todd\AppData\Local\{6FF4BB16-316C-4F7D-85EA-0F4C3BEA1CF6}
2015-02-10 04:01 - 2015-02-10 04:02 - 00000000 ____D () C:\Users\Todd\AppData\Local\{4A2BD0C6-BA66-47DF-8125-C39AA8ACC7D6}
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-12 17:40 - 2012-12-26 04:28 - 01217849 _____ () C:\Windows\WindowsUpdate.log
2015-03-12 16:53 - 2013-01-03 16:10 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-11 17:53 - 2013-01-03 16:10 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-10 21:29 - 2015-01-04 14:09 - 00000000 ____D () C:\Users\Todd\Desktop\Avatars
2015-03-10 21:29 - 2014-05-18 14:13 - 00000000 ____D () C:\Users\Todd\Desktop\Football
2015-03-10 21:18 - 2009-07-13 23:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-10 21:18 - 2009-07-13 23:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-08 19:53 - 2009-07-14 00:13 - 00778834 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-08 19:48 - 2013-02-07 14:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-03-08 19:48 - 2012-12-26 04:48 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-08 19:48 - 2010-11-20 22:47 - 00073800 _____ () C:\Windows\PFRO.log
2015-03-08 19:48 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-08 19:48 - 2009-07-13 23:51 - 00049527 _____ () C:\Windows\setupact.log
2015-02-24 04:17 - 2010-11-20 22:27 - 00295552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2013-06-20 18:42 - 2013-09-01 14:25 - 0000320 _____ () C:\Users\Todd\AppData\Roaming\SEC2454685.trad
2013-04-23 14:49 - 2013-04-23 14:49 - 0000320 _____ () C:\Users\Todd\AppData\Roaming\SEC429706.trad
2014-10-13 21:23 - 2014-12-14 18:12 - 0003584 _____ () C:\Users\Todd\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-05 01:41
 

 

==================== End Of Log ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 PM

Posted 16 March 2015 - 07:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
End
Save the file as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===


Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

How is the computer running now?

#3 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 16 March 2015 - 11:58 AM

Thanks...

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Todd at 2015-03-16 11:35:12 Run:1
Running from C:\Users\Todd\Desktop
Loaded Profiles: Todd (Available profiles: Todd)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
End
*****************
 
Processes closed successfully.
"HKU\S-1-5-21-3742083271-2325492446-2510752143-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 11:35:12 ====
 
With AdwCleaner, when I clicked "Clean" and it went to restart I got a Windows Error message popup that said something to the effect of "Cannot address 08xxxxxxxx".... it was brief, then the computer restarted. Not sure if a problem or not?
 
Here's the log file:
 
# AdwCleaner v4.112 - Logfile created 16/03/2015 at 11:43:02
# Updated 09/03/2015 by Xplode
# Database : 2015-03-15.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Todd - TODD-M6700
# Running from : C:\Users\Todd\Desktop\adwcleaner_4.112.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage-journal
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.zabasearch.com_0.localstorage
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.zabasearch.com_0.localstorage-journal
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.metrolyrics.com_0.localstorage
File Deleted : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.metrolyrics.com_0.localstorage-journal
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16599
 
 
-\\ Mozilla Firefox v36.0 (x86 en-US)
 
 
-\\ Google Chrome v41.0.2272.89
 
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://blekko.com/ws/+{searchTerms}
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://blekko.com/ws/+{searchTerms}
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/tracking?d_ch=en_US_engadget&q={searchTerms}&s_it=search_addon
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.stubhub.com/search/doSearch?searchStr={searchTerms}&pageNumber=1&resultsPerPage=50&searchMode=event&start=0&rows=50&geo_exp=1
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://news.ask.com/news?q={searchTerms}&o=2442&qsrc=2443&dbst=1
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.chrono24.com/en/search/index.htm?query={searchTerms}&suchen=Search&dosearch=true&searchexplain=1&resultview=list
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [3821 bytes] - [16/03/2015 11:40:33]
AdwCleaner[S0].txt - [3751 bytes] - [16/03/2015 11:43:02]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3810  bytes] ##########
 
I reset Chrome. Not sure what that does?
 
Thanks. 
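The AdwCleaner log above lists search providers it deleted from Chrome's "Web Data" file. The script below is an added example, not part of this thread and not AdwCleaner's code: it audits the same table so you can see what a profile carries before a cleaner removes it. Assumptions, since the thread does not state them: Chrome stores engines in a `keywords` table (the real schema has many more columns than the six used here), a `prepopulate_id` of 0 marks an engine that did not ship with Chrome (added by a site's OpenSearch descriptor or by an installer), and a Chrome 41-era profile records the default engine in the `meta` table under "Default Search Provider ID". The rows are constructed to mirror the providers AdwCleaner removed; a throwaway database is built in a temp directory so the script runs offline.

```python
"""
Added example: audit the search providers in a Chrome 'Web Data' SQLite file.
Not from the thread or from AdwCleaner. To audit a real profile, close Chrome
(or copy the locked file first) and call audit_web_data() on the copy.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed subset of Chrome's `keywords` schema; the real table has more columns.
SCHEMA = """
CREATE TABLE meta (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE keywords (
    id INTEGER PRIMARY KEY,
    short_name TEXT NOT NULL,
    keyword TEXT NOT NULL,
    url TEXT NOT NULL,
    prepopulate_id INTEGER DEFAULT 0,
    created_by_policy INTEGER DEFAULT 0
);
"""

# Constructed sample rows. Built-in engines carry a prepopulate_id; the other
# three mirror entries AdwCleaner removed from this profile.
SAMPLE_ROWS = [
    (2, "Google", "google.com", "{google:baseURL}search?q={searchTerms}", 1, 0),
    (3, "Bing", "bing.com", "https://www.bing.com/search?q={searchTerms}", 3, 0),
    (7, "Ask", "ask.com", "http://www.ask.com/web?q={searchTerms}", 0, 0),
    (9, "blekko", "blekko.com", "http://blekko.com/ws/+{searchTerms}", 0, 0),
    (12, "Softonic", "en.softonic.com", "http://en.softonic.com/s/{searchTerms}", 0, 0),
]


def build_sample_db(path: str) -> None:
    """Create a minimal Web Data look-alike at `path` holding SAMPLE_ROWS."""
    con = sqlite3.connect(path)
    with con:
        con.executescript(SCHEMA)
        con.executemany("INSERT INTO keywords VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
        con.execute("INSERT INTO meta VALUES ('Default Search Provider ID', '2')")
    con.close()


def host_of(url_template: str) -> str:
    """Host of a search URL template; Chrome's {google:baseURL} form has none."""
    return urlsplit(url_template).netloc or "(no host)"


def audit_web_data(path: str) -> Dict[str, object]:
    """
    Return the default engine's name, whether it is a built-in, and every
    provider that did not ship with Chrome (name, host, created-by-policy).
    """
    con = sqlite3.connect(path)
    try:
        row = con.execute(
            "SELECT value FROM meta WHERE key='Default Search Provider ID'"
        ).fetchone()
        default_id: Optional[int] = int(row[0]) if row else None
        rows = con.execute(
            "SELECT id, short_name, keyword, url, prepopulate_id, created_by_policy "
            "FROM keywords ORDER BY id"
        ).fetchall()
    finally:
        con.close()

    default_name: Optional[str] = None
    default_builtin = False
    added: List[Tuple[str, str, bool]] = []
    for kid, name, _keyword, url, prepop, by_policy in rows:
        if kid == default_id:
            default_name, default_builtin = name, prepop != 0
        if prepop == 0:                      # not shipped with Chrome
            added.append((name, host_of(url), bool(by_policy)))
    return {"default": default_name, "default_is_builtin": default_builtin, "added": added}


def run_demo() -> Dict[str, object]:
    """Build the constructed profile in a temp dir, audit it, then clean up."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "Web Data")
    try:
        build_sample_db(path)
        return audit_web_data(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmp)


if __name__ == "__main__":
    result = run_demo()
    print("default engine:", result["default"],
          "(built-in)" if result["default_is_builtin"] else "(NOT built-in)")
    for name, host, by_policy in result["added"]:
        print(f"added provider: {name:10s} {host}{'  [policy]' if by_policy else ''}")
```

A default engine that is not a built-in, or an added provider with the policy flag set, is the signal worth chasing: the former is what a hijacker sets, the latter means a Chrome policy (registry or local policy file) is re-adding the entry and a plain "Reset browser settings" will not hold.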

 



#4 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 16 March 2015 - 12:24 PM

I searched for "texanstalk" again in Google and was redirected after clicking on the "forums" link from the search results page...

 

Here's a screen capture: 

 

Attached File  Filestore.gif   64.09KB   0 downloads

 

I have a larger/more legible size but am limited to this size by uploader.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 PM

Posted 16 March 2015 - 01:16 PM


If you are using chrome execute this.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

Reinstall Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

#6 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 16 March 2015 - 01:29 PM

Should I delete browsing data?

There's a check box there.

Edited by asleep, 16 March 2015 - 01:30 PM.


#7 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 16 March 2015 - 01:37 PM

I uninstalled and re-installed Chrome.

 

All of my bookmarks and browsing data remained. (I saved the files but did not have to import anything.)



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 PM

Posted 17 March 2015 - 07:12 AM

Is the computer running OK now?

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 17 March 2015 - 10:14 AM

Is the computer running OK now?

 

 

No, still have the same problem. 

 

Google search: 

 

Attached File  GSearch.gif   52.98KB   0 downloads

 

Click on "forum" redirects to this:

 

Attached File  FS72.gif   73.5KB   0 downloads
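The redirect survived an FRST fix, AdwCleaner, a Chrome reset and a Chrome reinstall, and the first post says other members of the same forum see it too. That pattern fits two very different causes: something on this PC rewriting traffic, or the forum's own web server redirecting visitors who arrive with a search-engine Referer (a common set-up on a compromised site, because the owner, who types the URL directly, never sees it). The probe below is an added example, not from this thread: it requests one URL several times varying only Referer and User-Agent and compares where the server sends each request. Run it from a machine that is not the affected one; if the redirect still shows up there, the PC is not the cause. The fetch function is injectable so the decision logic runs offline against a constructed sample; the URL under `__main__` is a placeholder, and the sample reply uses the redirect target named in the thread.

```python
"""
Added example (not from the thread): tell a client-side browser hijack apart
from a server-side conditional redirect by probing the site with varying
Referer / User-Agent headers and comparing the answers.
"""
import http.client
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Optional[str]]                 # (HTTP status, Location header)
Fetch = Callable[[str, Dict[str, str]], Response]

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/41.0"
# (label, Referer, User-Agent): the variations a conditional redirect keys on.
PROBES = [
    ("direct",         None,                      BROWSER_UA),
    ("google-referer", "https://www.google.com/", BROWSER_UA),
    ("bing-referer",   "https://www.bing.com/",   BROWSER_UA),
    ("googlebot",      None, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
]


def http_fetch(url: str, headers: Dict[str, str]) -> Response:
    """One GET that does NOT follow redirects; returns (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=15)
    try:
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe(url: str, fetch: Fetch = http_fetch) -> Dict[str, Response]:
    """Fetch `url` once per PROBES entry and record how the server answered."""
    results: Dict[str, Response] = {}
    for label, referer, ua in PROBES:
        headers = {"User-Agent": ua, "Accept": "text/html"}
        if referer:
            headers["Referer"] = referer
        results[label] = fetch(url, headers)
    return results


def offsite_targets(results: Dict[str, Response], origin_host: str) -> List[str]:
    """Hosts the server redirects to that are not the site itself."""
    hosts: List[str] = []
    for status, loc in results.values():
        if 300 <= status < 400 and loc:
            host = urlsplit(loc).netloc.lower()
            if host and host != origin_host.lower() and host not in hosts:
                hosts.append(host)
    return hosts


def classify(results: Dict[str, Response], origin_host: str) -> str:
    """
    'conditional-redirect': answers differ by header and at least one is an
        off-site 3xx. The web server, not the visitor's PC, is doing it.
    'uniform-redirect': every probe is sent off-site the same way.
    'uniform': every probe gets the same non-redirect answer; a redirect seen
        only in the user's browser then has a client-side cause (hosts file,
        DNS, proxy, extension, injected code).
    """
    offsite = offsite_targets(results, origin_host)
    distinct = set(results.values())
    if offsite and len(distinct) > 1:
        return "conditional-redirect"
    if offsite:
        return "uniform-redirect"
    return "uniform"


def sample_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed offline stand-in: only search-engine referrals get bounced."""
    referer = headers.get("Referer", "")
    if "google.com" in referer or "bing.com" in referer:
        return 302, "http://filestore72.info/download.php?id=f3427f3f"
    return 200, None


if __name__ == "__main__":
    target = "http://example.invalid/forums/"      # placeholder, not the real forum
    results = probe(target, fetch=sample_fetch)    # use fetch=http_fetch for a live check
    origin = urlsplit(target).netloc
    for label, (status, loc) in results.items():
        print(f"{label:15s} {status} {loc or ''}")
    print(classify(results, origin), offsite_targets(results, origin))
```

A "conditional-redirect" verdict means the cleanup belongs to the site operator (the forum's vBulletin install and its .htaccess/PHP files), and no amount of scanning on the visitor's PC will change the result; "uniform" sends you back to the client, starting with the hosts file, DNS settings, proxy configuration and browser extensions.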



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 PM

Posted 17 March 2015 - 12:45 PM

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

#11 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 17 March 2015 - 12:56 PM

Done, thanks...
 
 
RogueKiller V10.5.5.0 [Mar 16 2015] by Adlice Software
Website : 
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Todd [Administrator]
Started from : C:\Users\Todd\Desktop\RogueKiller.exe
Mode : Delete -- Date : 03/17/2015  12:54:58
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 24 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Internet Explorer\Main | Start Page : 
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Internet Explorer\Main | Start Page : 
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.1.10.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.1.10.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.1.10.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2F72C53-E37E-4734-B734-5AD1CC825A89} | DhcpNameServer : 10.1.10.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2F72C53-E37E-4734-B734-5AD1CC825A89} | DhcpNameServer : 10.1.10.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2F72C53-E37E-4734-B734-5AD1CC825A89} | DhcpNameServer : 10.1.10.1 [(Private Address) (XX)]  -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3742083271-2325492446-2510752143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] 7l3vo787.default : user_pref("browser.startup.homepage", "http://www.golfwrx.com/forums/|about:home"); -> Not selected
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9750420AS +++++
--- User ---
[MBR] b9cb8abb4f7bce83c1fb4a819d4ec33f
[BSP] cee945974219a7a4c3e62d4295a436ba : HP MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_03172015_125222.log


#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 PM

Posted 17 March 2015 - 01:02 PM



Run this online scan.
It may take some time. Do it when you know you will not need the computer for a few hours.

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
[screenshot: settings.png]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at the location shown in the screenshot [screenshot: logpath.png].
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#13 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 17 March 2015 - 02:19 PM

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=c01addeeb132f04aaa2df58d55ff6078
# engine=22950
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-03-17 07:14:35
# local_time=2015-03-17 02:14:35 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 178163125 0 0
# scanned=179435
# found=1
# cleaned=0
# scan_time=3909
sh=666BE117743DE10CCF510708B1A1E13A9F79A46A ft=1 fh=1d2985cca102c9fc vn="a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application" ac=I fn="C:\Users\Todd\Downloads\FoxitReader544.11281_enu_Setup.exe"
 


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:35 PM

Posted 18 March 2015 - 06:35 AM

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Some people have had success in removing this Browser Hijacker running SpyHunter.

Download and run the free version of the tool.

http://www.enigmasoftware.com/products/spyhunter/


Keep me posted.

#15 asleep

asleep
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 18 March 2015 - 11:42 AM

Keep me posted.

We seem to have opposite schedules. :)

This SpyHunter found something called Blekko, browser hijacker, Imminent, and bunch of other cookies/ads/etc...

It says I have to purchase the software to remove the threats?

It's $40.00US.

Edited by asleep, 18 March 2015 - 11:46 AM.




