
Virus:backdoor.agent.dcrsagen. Please help


  • This topic is locked
30 replies to this topic

#1 scrubbo

scrubbo

  • Members
  • 60 posts
  • Gender:Male
  • Local time:04:21 AM

Posted 12 March 2015 - 08:10 PM

We have removed Backdoor.Agent with Malwarebytes, but the virus returns. Please help.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by kwemple (administrator) on KITCHEN-PC on 12-03-2015 21:05:27
Running from G:\
Loaded Profiles: kwemple (Available profiles: kwemple & CarRide)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\HelpPane.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-06] (AVAST Software)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-21] (Malwarebytes Corporation)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIHBA.EXE [249440 2012-02-29] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIHBA.EXE [249440 2012-02-29] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [Amazon Music] => C:\Users\kwemple\AppData\Local\Amazon Music\Amazon Music Helper.exe [3162944 2014-06-24] ()
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [GoogleDriveSync] => C:\Program Files\Google\Drive\googledrivesync.exe [23308256 2015-01-15] (Google)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [NETGEARGenie] => C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe [602880 2014-12-14] (NETGEAR Inc.)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Policies\system: [EnableLUA] 0
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\MountPoints2: {0eb0845a-d5e3-11e3-a02e-00235a6ef164} - H:\TLBootstrap_WPP.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk
ShortcutTarget: CodecPackUpdateChecker.lnk -> C:\Windows\System32\C2MP\UpdateChecker.exe ()
Startup: C:\Users\CarRide\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComcastUsageMeter.lnk
ShortcutTarget: ComcastUsageMeter.lnk -> C:\Program Files\ComcastUsageMeter\ComcastUsageMeter.exe ()
Startup: C:\Users\kwemple\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComcastUsageMeter.lnk
ShortcutTarget: ComcastUsageMeter.lnk -> C:\Program Files\ComcastUsageMeter\ComcastUsageMeter.exe ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
ShellIconOverlayIdentifiers: [GDriveBlacklistedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSharedEditOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSharedViewOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSyncedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSyncingOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
SearchScopes: HKU\S-1-5-21-2542516745-2013250680-215552055-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=U079DF&PC=U079&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2542516745-2013250680-215552055-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=U079DF&PC=U079&q={searchTerms}&src=IE-SearchBox
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File []
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll [2013-12-14] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-01-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-01-17] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2013-12-08] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js [2015-03-12]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-03-20] (Coupons, Inc.)
FF SearchPlugin: C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\searchplugins\bingp.xml [2014-08-28]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-03-06]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-03-06]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-02-18]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-09-14]

Chrome:
=======
CHR Profile: C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-21]
CHR Extension: (Google Drive) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-21]
CHR Extension: (YouTube) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-21]
CHR Extension: (Google Search) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-21]
CHR Extension: (Avast SafePrice) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-08-06]
CHR Extension: (Avast Online Security) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-04]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-11]
CHR Extension: (Google Wallet) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-21]
CHR Extension: (Gmail) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-21]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-06]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-06]
CHR HKU\S-1-5-21-2542516745-2013250680-215552055-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-06] (AVAST Software)
S2 CouponPrinterService; C:\Program Files\Coupons\CouponPrinterService.exe [153072 2014-04-28] (Coupons.com Inc.)
S2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [683080 2012-04-12] (Juniper Networks)
S2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [521600 2011-06-09] (SEIKO EPSON CORPORATION)
S2 EPSON_PM_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [142432 2012-02-21] (SEIKO EPSON CORPORATION)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [195840 2014-12-14] (NETGEAR)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ACPIVPC; C:\Windows\System32\DRIVERS\AcpiVpc.sys [21520 2009-05-19] (Lenovo Corporation)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-06] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-06] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-06] (AVAST Software)
S0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-06] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-11-21] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-06] (AVAST Software)
S1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-06] (AVAST Software)
S0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-06] ()
S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2012-04-12] (Juniper Networks)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [65896 2013-07-25] (FTDI Ltd.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-12] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
S3 NETwNv32; C:\Windows\System32\DRIVERS\NETwNv32.sys [7346176 2011-10-31] (Intel Corporation)
S2 NPF; C:\Windows\system32\drivers\npf.sys [35088 2015-02-19] (CACE Technologies, Inc.)
S3 usbsmi; C:\Windows\System32\DRIVERS\SMIksdrv.sys [161152 2009-01-23] (SMI)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 21:05 - 2015-03-12 21:05 - 00000000 ____D () C:\FRST
2015-03-12 20:33 - 2015-03-12 20:37 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-12 20:33 - 2015-03-12 20:33 - 00000859 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-12 20:33 - 2015-03-12 20:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-12 20:33 - 2015-03-12 20:33 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-12 20:33 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-12 20:33 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-12 20:33 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-10 10:53 - 2015-03-10 10:53 - 00018409 _____ () C:\Users\kwemple\Downloads\2015 Alpharetta LAX Raider Card Tracking Form - 03-09-2015.xlsx
2015-03-08 21:37 - 2015-03-08 21:37 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-08 21:35 - 2015-03-08 21:36 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\kwemple\Downloads\mbam-setup-2.0.4.1028(1).exe
2015-03-08 21:33 - 2015-03-08 21:34 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\kwemple\Downloads\mbam-setup-2.0.4.1028.exe
2015-03-08 19:28 - 2015-03-08 19:28 - 00000552 _____ () C:\Users\kwemple\AppData\Local\d3d8caps.dat
2015-03-08 18:07 - 2015-03-12 20:24 - 00000044 _____ () C:\Users\kwemple\AppData\Roaming\sample.wav
2015-03-08 17:58 - 2015-03-12 20:56 - 00000000 __SHD () C:\Users\kwemple\Documents\MSDCSC
2015-03-06 09:52 - 2015-03-06 09:54 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-02-25 15:33 - 2015-02-25 15:33 - 00013050 _____ () C:\Users\kwemple\Downloads\Maggioli Reservations Confirmed List 2-15 (1).xlsx
2015-02-25 15:09 - 2015-02-25 15:09 - 00013050 _____ () C:\Users\kwemple\Downloads\Maggioli Reservations Confirmed List 2-15.xlsx
2015-02-19 20:01 - 2015-02-19 20:01 - 39316824 _____ (NETGEAR Inc.) C:\Users\kwemple\Downloads\NETGEARGenie-install(1).exe
2015-02-17 15:26 - 2015-02-17 15:26 - 01217184 _____ (Microsoft Corporation) C:\Windows\system32\FM20.DLL
2015-02-12 12:53 - 2015-02-12 12:53 - 00034816 _____ () C:\Users\kwemple\Downloads\Copy of 2015 AHS Men's Lacrosse Official Game Schedule 02-12-2015.xls
2015-02-12 12:53 - 2015-02-12 12:53 - 00034816 _____ () C:\Users\kwemple\Downloads\Copy of 2015 AHS Men's Lacrosse Official Game Schedule 02-12-2015 (1).xls
2015-02-10 10:31 - 2015-02-10 10:31 - 00031930 _____ () C:\Users\kwemple\Downloads\U14 Girls Chapman (2).xlsx
2015-02-10 10:31 - 2015-02-10 10:31 - 00031930 _____ () C:\Users\kwemple\Downloads\U14 Girls Chapman (1).xlsx
2015-02-10 10:30 - 2015-02-10 10:30 - 00031930 _____ () C:\Users\kwemple\Downloads\U14 Girls Chapman.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 21:04 - 2013-12-14 21:59 - 00019456 _____ () C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-12 21:03 - 2013-12-16 22:29 - 00058270 _____ () C:\Windows\PFRO.log
2015-03-12 21:02 - 2014-01-29 20:59 - 00000000 ____D () C:\Windows\PCHEALTH
2015-03-12 20:35 - 2006-11-02 06:33 - 00703388 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-12 20:23 - 2006-11-02 08:52 - 02030423 _____ () C:\Windows\WindowsUpdate.log
2015-03-12 20:06 - 2006-11-02 08:47 - 00003664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-12 20:06 - 2006-11-02 08:47 - 00003664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-12 19:43 - 2014-05-21 21:16 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-12 19:36 - 2014-03-15 14:34 - 00000300 _____ () C:\Windows\Tasks\UpdaterEX.job
2015-03-12 18:43 - 2014-05-21 21:16 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-12 16:06 - 2013-12-15 19:10 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\Skype
2015-03-12 03:15 - 2014-01-29 20:55 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-11 14:58 - 2013-12-25 19:00 - 00000000 ____D () C:\Users\kwemple\AppData\Local\NETGEARGenie
2015-03-11 08:34 - 2014-10-05 18:35 - 00000000 ___RD () C:\Users\kwemple\Google Drive
2015-03-11 08:29 - 2006-11-02 09:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-11 08:28 - 2006-11-02 09:01 - 00030786 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-11 08:23 - 2014-03-15 14:34 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\UpdaterEX
2015-03-08 21:42 - 2013-12-14 13:38 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-03 20:55 - 2014-03-19 09:34 - 00002337 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-02-24 04:23 - 2014-02-24 16:17 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-23 18:13 - 2015-02-05 23:08 - 00000000 ____D () C:\Users\kwemple\Desktop\NETDRIVE2
2015-02-19 20:04 - 2013-12-25 18:59 - 00281104 _____ (CACE Technologies, Inc.) C:\Windows\system32\wpcap.dll
2015-02-19 20:04 - 2013-12-25 18:59 - 00096784 _____ (CACE Technologies, Inc.) C:\Windows\system32\packet.dll
2015-02-19 20:04 - 2013-12-25 18:59 - 00035088 _____ (CACE Technologies, Inc.) C:\Windows\system32\Drivers\npf.sys
2015-02-19 20:04 - 2013-12-25 18:59 - 00001803 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR Genie.lnk
2015-02-19 20:04 - 2013-12-25 18:59 - 00001791 _____ () C:\Users\Public\Desktop\NETGEAR Genie.lnk
2015-02-17 13:43 - 2014-03-15 14:34 - 00000230 _____ () C:\Users\kwemple\AppData\Roaming\WB.CFG
2015-02-15 15:32 - 2014-12-14 17:14 - 00001195 _____ () C:\Users\CarRide\Desktop\ROBLOX Player.lnk
2015-02-15 15:32 - 2014-12-14 17:12 - 00001002 _____ () C:\Users\CarRide\Desktop\ROBLOX Studio.lnk
2015-02-15 15:32 - 2014-12-14 17:12 - 00000000 ____D () C:\Users\CarRide\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2015-02-14 13:17 - 2013-12-25 16:57 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR
2015-02-13 08:58 - 2013-12-14 19:32 - 00000000 ____D () C:\ProgramData\Sonos,_Inc
2015-02-13 04:15 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-02-13 04:07 - 2006-11-02 07:18 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared

==================== Files in the root of some directories =======

2015-03-08 19:23 - 2015-03-08 19:24 - 0086040 _____ () C:\Users\kwemple\AppData\Roaming\45 ACP sound effect.mp3
2015-03-08 19:26 - 2015-03-08 20:55 - 2487493 _____ () C:\Users\kwemple\AppData\Roaming\bensound-dance.mp3
2015-03-12 20:23 - 2015-03-12 20:23 - 0036542 _____ () C:\Users\kwemple\AppData\Roaming\giphy.gif
2015-03-08 18:07 - 2015-03-12 20:24 - 0000044 _____ () C:\Users\kwemple\AppData\Roaming\sample.wav
2015-03-08 19:24 - 2015-03-08 19:26 - 2240304 _____ () C:\Users\kwemple\AppData\Roaming\Track4.mp3
2014-03-15 14:34 - 2015-02-17 13:43 - 0000230 _____ () C:\Users\kwemple\AppData\Roaming\WB.CFG
2015-03-08 19:28 - 2015-03-08 19:28 - 0000552 _____ () C:\Users\kwemple\AppData\Local\d3d8caps.dat
2013-12-14 09:33 - 2014-09-01 15:13 - 0001356 _____ () C:\Users\kwemple\AppData\Local\d3d9caps.dat
2013-12-14 21:59 - 2015-03-12 21:04 - 0019456 _____ () C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some content of TEMP:
====================
C:\Users\kwemple\AppData\Local\Temp\Couponscom.exe
C:\Users\kwemple\AppData\Local\Temp\DefaultPack.exe
C:\Users\kwemple\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\kwemple\AppData\Local\Temp\SkypeSetup.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-12 20:54

==================== End Of Log ============================


Edited by scrubbo, 12 March 2015 - 08:12 PM.



#2 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • Gender:Male
  • Local time:04:21 AM

Posted 12 March 2015 - 08:16 PM

Addition.txt attached



#3 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • Gender:Male
  • Local time:04:21 AM

Posted 12 March 2015 - 08:23 PM

MBAM log attached



#4 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost
  • Local time:05:21 AM

Posted 14 March 2015 - 03:10 PM

Hi scrubbo,

 

Doesn't look like the MBAM log made it as an attachment. Can you resend it or just copy/paste it in your reply? Really only interested in what it's removing, the backdoor agent that would be shown in the MBAM log.

 

How Can I Reduce My Risk to Malware?


#5 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • Gender:Male
  • Local time:04:21 AM

Posted 14 March 2015 - 05:02 PM

<?xml version="1.0" encoding="UTF-16"?>

<mbam-log>

<header><date>2015/03/12 20:37:41 -0400</date><logfile>mbam-log-2015-03-12 (20-37-40).xml</logfile><isadmin>yes</isadmin></header>

<engine><version>2.00.4.1028</version><malware-database>v2015.03.12.07</malware-database><rootkit-database>v2015.02.25.01</rootkit-database><license>trial</license><file-protection>disabled</file-protection><web-protection>disabled</web-protection><self-protection>disabled</self-protection></engine><system><osversion>Windows Vista Service Pack 1</osversion><arch>x86</arch><username>kwemple</username><filesys>NTFS</filesys></system><summary><type>threat</type><result>completed</result><objects>360499</objects> <time>987</time><processes>0</processes><modules>0</modules><keys>1</keys><values>1</values><datas>4</datas><folders>1</folders><files>52</files><sectors>0</sectors></summary><options><memory>enabled</memory><startup>enabled</startup><filesystem>enabled</filesystem><archives>enabled</archives><rootkits>disabled</rootkits><deeprootkit>disabled</deeprootkit><heuristics>enabled</heuristics><pup>enabled</pup><pum>enabled</pum></options><items><key><path>HKU\S-1-5-21-2542516745-2013250680-215552055-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DC3_FEXEC</path><vendor>Malware.Trace</vendor><action>success</action><hash>c5e2f153fb8f75c1e405aaf127dd7c84</hash></key><value><path>HKU\S-1-5-21-2542516745-2013250680-215552055-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>MicroUpdate</valuename><vendor>Backdoor.Agent.DCRSAGen</vendor><action>success</action><valuedata>C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</valuedata><hash>1b8c95af68225cdaec6b0fae5ea23cc4</hash></value><data><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON</path><valuename>Userinit</valuename><vendor>Backdoor.Agent.DCRSAGen</vendor><action>replaced</action><valuedata>userinit.exe,C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</valuedata><baddata>C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</baddata><gooddata/><hash>1b8c95af68225cdaec6b0fae5ea23cc4</hash></data><data><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS 
NT\CURRENTVERSION\WINLOGON</path><valuename>Userinit</valuename><vendor>Hijack.UserInit</vendor><action>replaced</action><valuedata>userinit.exe,C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</valuedata><baddata>userinit.exe,C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</baddata><gooddata>userinit.exe</gooddata><hash>51564004b8d2b68023726778867f5ca4</hash></data><data><path>HKU\S-1-5-21-2542516745-2013250680-215552055-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM</path><valuename>DisableTaskMgr</valuename><vendor>PUM.Hijack.TaskManager</vendor><action>replaced</action><valuedata>1</valuedata><baddata>1</baddata><gooddata>0</gooddata><hash>cfd8f450a5e53df9c180f8eb749153ad</hash></data><data><path>HKU\S-1-5-21-2542516745-2013250680-215552055-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM</path><valuename>DisableRegistryTools</valuename><vendor>PUM.Hijack.Regedit</vendor><action>replaced</action><valuedata>1</valuedata><baddata>1</baddata><gooddata>0</gooddata><hash>c6e14cf86f1bd462538cebf643c256aa</hash></data><folder><path>C:\Users\kwemple\AppData\Roaming\dclogs</path><vendor>Stolen.Data</vendor><action>success</action><hash>8f180b39bfcb5fd735515377be46837d</hash></folder><file><path>C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</path><vendor>Backdoor.Agent.DCRSAGen</vendor><action>success</action><hash>1b8c95af68225cdaec6b0fae5ea23cc4</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\dclogs\2015-03-12-5.dc</path><vendor>Stolen.Data</vendor><action>success</action><hash>8f180b39bfcb5fd735515377be46837d</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>user_pref("extensions.mysearchdial.AL", 
2);</baddata><gooddata/><hash>e4c36fd598f23204fc2d3ee63fc7d828</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ser Preferences /* Do not edit this file. * * If you ma</baddata><gooddata/><hash>089f4df7701aea4c9891f23266a02ad6</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>/* Do not edit this file. * * If you make changes to this file while the applicat</baddata><gooddata/><hash>d6d1291b206a41f5ef3a3ce8b650768a</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>e. * * If you make changes to this file while the application is running, * the changes will be overwritten when the application exits. * * To make a </baddata><gooddata/><hash>9c0bed5772180c2a80a971b385814db3</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>g, * the changes will be overwritten when the appli</baddata><gooddata/><hash>2d7afa4adfab2313ce5b31f30204f010</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ences /* Do not edit this file. * * If you</baddata><gooddata/><hash>683f360ec2c823139f8a24001cea11ef</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>eferences /* Do not edit this file. 
* * If yo</baddata><gooddata/><hash>4067380cf79340f69891de46e3239b65</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>rences /* Do not edit this file. * * If you</baddata><gooddata/><hash>208711331d6d23130b1e3aeae422f709</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ferences /* Do not edit this file. * * If you</baddata><gooddata/><hash>72353014355565d11d0ca1836b9b8080</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>rences /* Do not edit this file. * * If you make chan</baddata><gooddata/><hash>aef91a2a38525bdb16136eb6b94d54ac</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata> /* Do not edit this file. * * If you make changes</baddata><gooddata/><hash>33744301cebc53e32efbf23235d147b9</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ces /* Do not edit this file. * * If you make chang</baddata><gooddata/><hash>c4e3d56f048603338f9a2df78b7b9967</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata> /* Do not edit this file. * * If you make changes to this file while the application is running, * the changes will be overwritten when the application exits. 
* * To make a manual change to preferences, you can visit the URL ab</baddata><gooddata/><hash>782f7bc9127893a341e8d2529175649c</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>e a manual change to preferences, you can visit the URL abo</baddata><gooddata/><hash>8e1962e24a40ca6c53d6988cb25425db</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata> /* Do not edit this file. * * If you make changes to t</baddata><gooddata/><hash>782f172d55353105ab7eb2723ccae61a</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata> /* Do not edit this file. * * If you make changes to this </baddata><gooddata/><hash>9215bf85f89278be80a932f2ba4cbb45</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>* Do not edit this file. * * If you make changes</baddata><gooddata/><hash>5f489da7afdb9f97b079170d6b9b48b8</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>rences /* Do not edit this file. * * If you make changes to this file while the application is running, * the changes will be overwritten when the application exits. 
* * To make a manual change to preferences, you can visit the URL a</baddata><gooddata/><hash>ffa8ba8aa5e5280eda4f978d7492ba46</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>anual change to preferences, you can visit the URL abo</baddata><gooddata/><hash>188f4bf9068467cf84a557cd887eeb15</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>nces /* Do not edit this file. * * If you make c</baddata><gooddata/><hash>e7c01232cbbfba7c0425af75c6405ca4</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ces /* Do not edit this file. * * If you make </baddata><gooddata/><hash>4c5b1a2a375341f589a094904abcbc44</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ences /* Do not edit this file. * * If you make </baddata><gooddata/><hash>485faf95c6c40e282cfd91933fc7d42c</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\prefs.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ces /* Do not edit this file. 
* * If you make changes to th</baddata><gooddata/><hash>a8ff61e35535a29457d2a2828f7705fb</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearch.A</vendor><action>replaced</action><baddata>user_pref("extensions.irmysearch.cr", "248540438");</baddata><gooddata/><hash>bee959eb04863cfae53c51d30ef8847c</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearch.A</vendor><action>replaced</action><baddata>pref("extensions.irmysearch.cr", "248540438"); user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDt</baddata><gooddata/><hash>e1c6222223679d9940e148dcf610768a</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>user_pref("extensions.mysearchdial.dfltSrch", true);</baddata><gooddata/><hash>d5d2fe468bff25118e9ced378d79a35d</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>_pref("extensions.irmysearch.cr", "248540438"); user_pref("ext</baddata><gooddata/><hash>4c5b94b03d4d122499917aaa34d257a9</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>nsions.irmysearch.cr", "248540438"); user_pref("e</baddata><gooddata/><hash>8423d86cec9e59dd111940e4719556aa</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>er_pref("extensions.irmysearch.cr", "248540438"); 
us</baddata><gooddata/><hash>d3d4053faedc6bcb0e1c0f15e91da060</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>pref("extensions.irmysearch.cr", "248540438"); user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q"); user_pref("extensions.mysearc</baddata><gooddata/><hash>e8bf2d177812cb6b80aaab79cf37d828</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>AyDtCyB0AzyyE2Q"); user_pref("extensions.mysearchdial.dfltSrch", true); user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial"); user_pref("extensions.mysearchdial.dnsErr", true); user_pref("extensions.mysearchdial_i.newTab", false</baddata><gooddata/><hash>287fe361701afc3a2802b173ae58748c</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>yB0AzyyE2Q"); user_pref("extensions.mysearchdial.dfltSr</baddata><gooddata/><hash>00a7f64eeb9f072f121866beae58a35d</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>xtensions.irmysearch.cr", "248540438"); user_pref("ext</baddata><gooddata/><hash>198e95afdcaec17543e71e06858140c0</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ef("extensions.irmysearch.cr", "248540438"); 
user_pre</baddata><gooddata/><hash>9d0ac08476143303dc4e71b34abc53ad</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ref("extensions.irmysearch.cr", "248540438"); user_pre</baddata><gooddata/><hash>36711c283a501224f436978d2cdac53b</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ef("extensions.irmysearch.cr", "248540438"); user_pref("extension</baddata><gooddata/><hash>e2c58aba305aeb4baf7b78ac3fc719e7</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ons.irmysearch.cr", "248540438"); user_pref("extensions.irmy</baddata><gooddata/><hash>396efb497218a690bd6d50d427dfa35d</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>tensions.irmysearch.cr", "248540438"); user_pref("extensio</baddata><gooddata/><hash>c0e783c16624d06647e30b196c9a9f61</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>extensions.irmysearch.cr", "248540438"); user_pref("extension</baddata><gooddata/><hash>d4d3e85c27637abca08a2cf85bab04fc</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ensions.irmysearch.cr", "248540438"); 
user_pref("exten</baddata><gooddata/><hash>55524ff5dbafe551111974b05aac7888</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ef("extensions.irmysearch.cr", "248540438"); user_p</baddata><gooddata/><hash>56518eb6b0da063078b20b1910f68c74</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>_pref("extensions.irmysearch.cr", "248540438"); user_pref</baddata><gooddata/><hash>2e79a79deb9f45f11e0c61c341c543bd</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>"extensions.irmysearch.cr", "248540438"); user_p</baddata><gooddata/><hash>495e32122f5b3105d159e044ae588779</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>ser_pref("extensions.irmysearch.cr", "248540438"); user_pref("extensions.irmysearch.</baddata><gooddata/><hash>9314e163c5c5360056d4170d1beb6a96</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata> "248540438"); user_pref("extensions.irmysearch.cd"</baddata><gooddata/><hash>7433192bf892270f5dcd2301be488f71</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>_pref("extensions.irmysearch.cr", "248540438"); 
user</baddata><gooddata/><hash>6c3bc183e4a680b66dbde83c7d8957a9</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>pref("extensions.irmysearch.cr", "248540438"); user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0</baddata><gooddata/><hash>099e77cd2565af8739f1180cb551ba46</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0</baddata><gooddata/><hash>02a5d76d1773cd6984a6bf65fb0b5aa6</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>user_pref("extensions.mysearchdial.newTabUrl", "http://start.mysearchdial.com/?f=2&a=dnldstr_14_11_ff&cd=2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q&cr=248540438&ir=");</baddata><gooddata/><hash>adfabc88c0caa88e78b3dc48d432fb05</hash></file><file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>zD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q"); user_pref("extensions.mysearchdial.dfltSrch", true); user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial"); user_pref("extensions.mysearchdial.dnsErr", true); user_pre</baddata><gooddata/><hash>129569dbf298280ed6558a9a74928d73</hash></file></items></mbam-log>
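The entries in the Malwarebytes log above (Winlogon Userinit hijack, Task Manager and regedit policies, the dclogs folder, msdcsc.exe) are the part of the log that explains why the backdoor keeps coming back. As an added example, not code from this thread or from Malwarebytes, here is a small Python triage script for this XML log format that separates those persistence and evasion entries from plain file removals; the sample log embedded in it is constructed from the entry types shown above, with placeholder hashes and a placeholder SID.

```python
"""Triage helper for Malwarebytes Anti-Malware (MBAM) XML scan logs.

Added example, not code from this thread or from Malwarebytes. It parses the
<data>/<file>/<folder> items of an <mbam-log> and separates the entries that
explain why a backdoor returns after a cleanup (Winlogon Userinit hijack,
policy tampering) from plain file removals. SAMPLE_LOG is constructed from the
entry types seen in the thread; <hash> values and the SID are placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample, trimmed to the <items> element (real logs also carry a header).
SAMPLE_LOG = r"""<mbam-log><items>
<data><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON</path><valuename>Userinit</valuename><vendor>Hijack.UserInit</vendor><action>replaced</action><valuedata>userinit.exe,C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</valuedata><baddata>userinit.exe,C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</baddata><gooddata>userinit.exe</gooddata><hash>PLACEHOLDER_HASH_1</hash></data>
<data><path>HKU\S-1-5-21-PLACEHOLDER-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM</path><valuename>DisableTaskMgr</valuename><vendor>PUM.Hijack.TaskManager</vendor><action>replaced</action><valuedata>1</valuedata><baddata>1</baddata><gooddata>0</gooddata><hash>PLACEHOLDER_HASH_2</hash></data>
<data><path>HKU\S-1-5-21-PLACEHOLDER-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM</path><valuename>DisableRegistryTools</valuename><vendor>PUM.Hijack.Regedit</vendor><action>replaced</action><valuedata>1</valuedata><baddata>1</baddata><gooddata>0</gooddata><hash>PLACEHOLDER_HASH_3</hash></data>
<folder><path>C:\Users\kwemple\AppData\Roaming\dclogs</path><vendor>Stolen.Data</vendor><action>success</action><hash>PLACEHOLDER_HASH_4</hash></folder>
<file><path>C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe</path><vendor>Backdoor.Agent.DCRSAGen</vendor><action>success</action><hash>PLACEHOLDER_HASH_5</hash></file>
<file><path>C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js</path><vendor>PUP.Optional.MySearchDial.A</vendor><action>replaced</action><baddata>user_pref("extensions.mysearchdial.dfltSrch", true);</baddata><gooddata/><hash>PLACEHOLDER_HASH_6</hash></file>
</items></mbam-log>"""


@dataclass
class Finding:
    kind: str       # "registry", "file" or "folder"
    vendor: str     # MBAM detection name
    path: str
    valuename: str  # registry value name; empty for file/folder items
    baddata: str
    gooddata: str


def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_mbam_log(xml_text):
    """Return one Finding per <data>, <file> or <folder> item in the log."""
    kinds = {"data": "registry", "file": "file", "folder": "folder"}
    items = ET.fromstring(xml_text).find("items")
    return [
        Finding(kinds[el.tag], _text(el, "vendor"), _text(el, "path"),
                _text(el, "valuename"), _text(el, "baddata"), _text(el, "gooddata"))
        for el in items if el.tag in kinds
    ]


def classify(f):
    """Map a finding to what it means for the responder."""
    path, value = f.path.upper(), f.valuename.upper()
    if f.kind == "registry" and path.endswith("\\WINLOGON") and value in ("USERINIT", "SHELL"):
        return "persistence"      # relaunched by Winlogon at every interactive logon
    if f.kind == "registry" and path.endswith("\\POLICIES\\SYSTEM") and value.startswith("DISABLE"):
        return "evasion"          # user locked out of Task Manager / regedit
    if f.vendor.startswith("Stolen.Data"):
        return "exfiltration"     # captured data staged on disk
    if f.vendor.startswith("PUP."):
        return "pup"
    return "removal"


def extra_launch_targets(f):
    """Programs the hijacked Winlogon value starts beyond the legitimate ones."""
    bad = [p.strip() for p in f.baddata.split(",") if p.strip()]
    good = {p.strip().lower() for p in f.gooddata.split(",")}
    return [p for p in bad if p.lower() not in good]


def triage(xml_text):
    """Group findings by category and collect the binaries persistence points at."""
    report = {"persistence": [], "evasion": [], "exfiltration": [], "pup": [],
              "removal": [], "launch_targets": []}
    for f in parse_mbam_log(xml_text):
        cat = classify(f)
        report[cat].append(f)
        if cat == "persistence":
            report["launch_targets"].extend(extra_launch_targets(f))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for cat in ("persistence", "evasion", "exfiltration", "removal", "pup"):
        for f in r[cat]:
            where = f"{f.path}\\{f.valuename}" if f.valuename else f.path
            print(f"[{cat:<12}] {f.vendor:<28} {where}")
    # A Userinit value naming an extra binary is why a "removed" backdoor is
    # started again at the next logon; both the value and the file must go.
    for target in r["launch_targets"]:
        print("Winlogon will launch:", target)
```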



#6 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:21 AM

Posted 14 March 2015 - 06:27 PM

OK, thanks for the info. The FRST exe needs to be on your desktop. Looks like you're running it off another drive?

You can download a new copy to your desktop, scan and post its log:

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

 

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

    Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).

    When the tool opens, click Yes to the disclaimer.

    Press the Scan button.

    When finished, it will produce a log called FRST.txt in the same directory the tool was run from.

    Please copy and paste the log in your next reply.

The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

 

Then we can use it to remove some items.


How Can I Reduce My Risk to Malware?


#7 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 14 March 2015 - 07:47 PM

FRST.TXT

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by kwemple (administrator) on KITCHEN-PC on 14-03-2015 20:36:35
Running from C:\prowork
Loaded Profiles: kwemple (Available profiles: kwemple & CarRide)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\cmd.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-06] (AVAST Software)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-21] (Malwarebytes Corporation)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIHBA.EXE [249440 2012-02-29] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIHBA.EXE [249440 2012-02-29] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [Amazon Music] => C:\Users\kwemple\AppData\Local\Amazon Music\Amazon Music Helper.exe [3162944 2014-06-24] ()
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [GoogleDriveSync] => C:\Program Files\Google\Drive\googledrivesync.exe [23308256 2015-01-15] (Google)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Run: [NETGEARGenie] => C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe [602880 2014-12-14] (NETGEAR Inc.)
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Policies\system: [EnableLUA] 0
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\MountPoints2: {0eb0845a-d5e3-11e3-a02e-00235a6ef164} - H:\TLBootstrap_WPP.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk
ShortcutTarget: CodecPackUpdateChecker.lnk -> C:\Windows\System32\C2MP\UpdateChecker.exe ()
Startup: C:\Users\CarRide\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComcastUsageMeter.lnk
ShortcutTarget: ComcastUsageMeter.lnk -> C:\Program Files\ComcastUsageMeter\ComcastUsageMeter.exe ()
Startup: C:\Users\kwemple\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComcastUsageMeter.lnk
ShortcutTarget: ComcastUsageMeter.lnk -> C:\Program Files\ComcastUsageMeter\ComcastUsageMeter.exe ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
ShellIconOverlayIdentifiers: [GDriveBlacklistedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSharedEditOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSharedViewOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSyncedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)
ShellIconOverlayIdentifiers: [GDriveSyncingOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll (Google)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
SearchScopes: HKU\S-1-5-21-2542516745-2013250680-215552055-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=U079DF&PC=U079&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2542516745-2013250680-215552055-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=U079DF&PC=U079&q={searchTerms}&src=IE-SearchBox
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File []
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll [2013-12-14] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-01-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-01-17] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2013-12-08] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js [2015-03-12]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-03-20] (Coupons, Inc.)
FF SearchPlugin: C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\searchplugins\bingp.xml [2014-08-28]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-03-06]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-03-06]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-02-18]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-09-14]

Chrome:
=======
CHR Profile: C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-21]
CHR Extension: (Google Drive) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-21]
CHR Extension: (YouTube) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-21]
CHR Extension: (Google Search) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-21]
CHR Extension: (Avast SafePrice) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-08-06]
CHR Extension: (Avast Online Security) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-04]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-11]
CHR Extension: (Google Wallet) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-21]
CHR Extension: (Gmail) - C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-21]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-06]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-06]
CHR HKU\S-1-5-21-2542516745-2013250680-215552055-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-06] (AVAST Software)
S2 CouponPrinterService; C:\Program Files\Coupons\CouponPrinterService.exe [153072 2014-04-28] (Coupons.com Inc.)
S2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [683080 2012-04-12] (Juniper Networks)
S2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [521600 2011-06-09] (SEIKO EPSON CORPORATION)
S2 EPSON_PM_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [142432 2012-02-21] (SEIKO EPSON CORPORATION)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [195840 2014-12-14] (NETGEAR)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ACPIVPC; C:\Windows\System32\DRIVERS\AcpiVpc.sys [21520 2009-05-19] (Lenovo Corporation)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-06] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-06] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-06] (AVAST Software)
S0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-06] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-11-21] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-06] (AVAST Software)
S1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-06] (AVAST Software)
S0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-06] ()
S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2012-04-12] (Juniper Networks)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [65896 2013-07-25] (FTDI Ltd.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-12] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
S3 NETwNv32; C:\Windows\System32\DRIVERS\NETwNv32.sys [7346176 2011-10-31] (Intel Corporation)
S2 NPF; C:\Windows\system32\drivers\npf.sys [35088 2015-02-19] (CACE Technologies, Inc.)
S3 usbsmi; C:\Windows\System32\DRIVERS\SMIksdrv.sys [161152 2009-01-23] (SMI)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 21:05 - 2015-03-14 20:36 - 00000000 ____D () C:\FRST
2015-03-12 20:33 - 2015-03-12 21:18 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-12 20:33 - 2015-03-12 20:33 - 00000859 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-12 20:33 - 2015-03-12 20:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-12 20:33 - 2015-03-12 20:33 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-12 20:33 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-12 20:33 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-12 20:33 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-10 10:53 - 2015-03-10 10:53 - 00018409 _____ () C:\Users\kwemple\Downloads\2015 Alpharetta LAX Raider Card Tracking Form - 03-09-2015.xlsx
2015-03-08 21:37 - 2015-03-08 21:37 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-08 21:35 - 2015-03-08 21:36 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\kwemple\Downloads\mbam-setup-2.0.4.1028(1).exe
2015-03-08 21:33 - 2015-03-08 21:34 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\kwemple\Downloads\mbam-setup-2.0.4.1028.exe
2015-03-08 19:28 - 2015-03-08 19:28 - 00000552 _____ () C:\Users\kwemple\AppData\Local\d3d8caps.dat
2015-03-08 18:07 - 2015-03-12 20:24 - 00000044 _____ () C:\Users\kwemple\AppData\Roaming\sample.wav
2015-03-08 17:58 - 2015-03-12 20:56 - 00000000 __SHD () C:\Users\kwemple\Documents\MSDCSC
2015-03-06 09:52 - 2015-03-06 09:54 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-02-25 15:33 - 2015-02-25 15:33 - 00013050 _____ () C:\Users\kwemple\Downloads\Maggioli Reservations Confirmed List 2-15 (1).xlsx
2015-02-25 15:09 - 2015-02-25 15:09 - 00013050 _____ () C:\Users\kwemple\Downloads\Maggioli Reservations Confirmed List 2-15.xlsx
2015-02-19 20:01 - 2015-02-19 20:01 - 39316824 _____ (NETGEAR Inc.) C:\Users\kwemple\Downloads\NETGEARGenie-install(1).exe
2015-02-17 15:26 - 2015-02-17 15:26 - 01217184 _____ (Microsoft Corporation) C:\Windows\system32\FM20.DLL
2015-02-12 12:53 - 2015-02-12 12:53 - 00034816 _____ () C:\Users\kwemple\Downloads\Copy of 2015 AHS Men's Lacrosse Official Game Schedule 02-12-2015.xls
2015-02-12 12:53 - 2015-02-12 12:53 - 00034816 _____ () C:\Users\kwemple\Downloads\Copy of 2015 AHS Men's Lacrosse Official Game Schedule 02-12-2015 (1).xls

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-14 20:36 - 2014-06-30 10:32 - 00000000 ____D () C:\prowork
2015-03-14 20:36 - 2006-11-02 06:33 - 00703388 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-14 20:31 - 2006-11-02 08:47 - 00370488 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-12 21:04 - 2013-12-14 21:59 - 00019456 _____ () C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-12 21:03 - 2013-12-16 22:29 - 00058270 _____ () C:\Windows\PFRO.log
2015-03-12 21:02 - 2014-01-29 20:59 - 00000000 ____D () C:\Windows\PCHEALTH
2015-03-12 20:23 - 2006-11-02 08:52 - 02030423 _____ () C:\Windows\WindowsUpdate.log
2015-03-12 20:06 - 2006-11-02 08:47 - 00003664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-12 20:06 - 2006-11-02 08:47 - 00003664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-12 19:43 - 2014-05-21 21:16 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-12 19:36 - 2014-03-15 14:34 - 00000300 _____ () C:\Windows\Tasks\UpdaterEX.job
2015-03-12 18:43 - 2014-05-21 21:16 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-12 16:06 - 2013-12-15 19:10 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\Skype
2015-03-12 03:15 - 2014-01-29 20:55 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-11 14:58 - 2013-12-25 19:00 - 00000000 ____D () C:\Users\kwemple\AppData\Local\NETGEARGenie
2015-03-11 08:34 - 2014-10-05 18:35 - 00000000 ___RD () C:\Users\kwemple\Google Drive
2015-03-11 08:29 - 2006-11-02 09:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-11 08:28 - 2006-11-02 09:01 - 00030786 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-11 08:23 - 2014-03-15 14:34 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\UpdaterEX
2015-03-08 21:42 - 2013-12-14 13:38 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-03 20:55 - 2014-03-19 09:34 - 00002337 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-02-24 04:23 - 2014-02-24 16:17 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-23 18:13 - 2015-02-05 23:08 - 00000000 ____D () C:\Users\kwemple\Desktop\NETDRIVE2
2015-02-19 20:04 - 2013-12-25 18:59 - 00281104 _____ (CACE Technologies, Inc.) C:\Windows\system32\wpcap.dll
2015-02-19 20:04 - 2013-12-25 18:59 - 00096784 _____ (CACE Technologies, Inc.) C:\Windows\system32\packet.dll
2015-02-19 20:04 - 2013-12-25 18:59 - 00035088 _____ (CACE Technologies, Inc.) C:\Windows\system32\Drivers\npf.sys
2015-02-19 20:04 - 2013-12-25 18:59 - 00001803 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR Genie.lnk
2015-02-19 20:04 - 2013-12-25 18:59 - 00001791 _____ () C:\Users\Public\Desktop\NETGEAR Genie.lnk
2015-02-17 13:43 - 2014-03-15 14:34 - 00000230 _____ () C:\Users\kwemple\AppData\Roaming\WB.CFG
2015-02-15 15:32 - 2014-12-14 17:14 - 00001195 _____ () C:\Users\CarRide\Desktop\ROBLOX Player.lnk
2015-02-15 15:32 - 2014-12-14 17:12 - 00001002 _____ () C:\Users\CarRide\Desktop\ROBLOX Studio.lnk
2015-02-15 15:32 - 2014-12-14 17:12 - 00000000 ____D () C:\Users\CarRide\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2015-02-14 13:17 - 2013-12-25 16:57 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR
2015-02-13 08:58 - 2013-12-14 19:32 - 00000000 ____D () C:\ProgramData\Sonos,_Inc
2015-02-13 04:15 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-02-13 04:07 - 2006-11-02 07:18 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared

==================== Files in the root of some directories =======

2015-03-08 19:23 - 2015-03-08 19:24 - 0086040 _____ () C:\Users\kwemple\AppData\Roaming\45 ACP sound effect.mp3
2015-03-08 19:26 - 2015-03-08 20:55 - 2487493 _____ () C:\Users\kwemple\AppData\Roaming\bensound-dance.mp3
2015-03-12 20:23 - 2015-03-12 20:23 - 0036542 _____ () C:\Users\kwemple\AppData\Roaming\giphy.gif
2015-03-08 18:07 - 2015-03-12 20:24 - 0000044 _____ () C:\Users\kwemple\AppData\Roaming\sample.wav
2015-03-08 19:24 - 2015-03-08 19:26 - 2240304 _____ () C:\Users\kwemple\AppData\Roaming\Track4.mp3
2014-03-15 14:34 - 2015-02-17 13:43 - 0000230 _____ () C:\Users\kwemple\AppData\Roaming\WB.CFG
2015-03-08 19:28 - 2015-03-08 19:28 - 0000552 _____ () C:\Users\kwemple\AppData\Local\d3d8caps.dat
2013-12-14 09:33 - 2014-09-01 15:13 - 0001356 _____ () C:\Users\kwemple\AppData\Local\d3d9caps.dat
2013-12-14 21:59 - 2015-03-12 21:04 - 0019456 _____ () C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some content of TEMP:
====================
C:\Users\kwemple\AppData\Local\Temp\Couponscom.exe
C:\Users\kwemple\AppData\Local\Temp\DefaultPack.exe
C:\Users\kwemple\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\kwemple\AppData\Local\Temp\SkypeSetup.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-12 21:22

==================== End Of Log ============================


ADDITION.TXT


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by kwemple at 2015-03-14 20:37:35
Running from C:\prowork
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 13.0.0.83 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader X (10.1.13) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
Amazon Music (HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Amazon Amazon Music) (Version: 3.0.5.567 - Amazon Services LLC)
Apple Application Support (HKLM\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C0CC75CD-F5B7-46AD-B016-17C0F5171718}) (Version: 8.0.0.23 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.0.6 (HKLM\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit NetLink Controller (HKLM\...\{9AF0B106-56F1-461B-A270-95BC1682E282}) (Version: 11.21.01 - Broadcom Corporation)
Broadcom WLAN (HKLM\...\{8991E763-21F5-4DEA-A938-5D9D77DCB488}) (Version: 5.10.38.14 Round2 - Lenovo Electronics Inc.)
ComcastUsageMeter (HKLM\...\ComcastUsageMeter) (Version: 1.5 - Comcast Cable Communications Management LLC)
ComcastUsageMeter (Version: 1.5 - Comcast Cable Communications Management LLC) Hidden
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.0.9) (Version: 5.0.0.9 - Coupons.com Incorporated)
Download Navigator (HKLM\...\{3A3A3B34-6EA2-4031-8580-D66D29533E89}) (Version: 3.4.0 - SEIKO EPSON CORPORATION)
DualMiner 1.0.0.6 (HKLM\...\DualMiner) (Version: 1.0.0.6 - Broadeng, Inc.)
Epson Connect (HKLM\...\{64BA551C-9AF6-495C-93F3-D1270E0045FC}) (Version:  - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{8ED43F7E-A8F6-4898-AF11-B6158F2EDF94}) (Version: 2.50.0000 - SEIKO EPSON CORPORATION)
EPSON NX430 Series Printer Uninstall (HKLM\...\EPSON NX430 Series) (Version:  - SEIKO EPSON Corporation)
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.89 - Google Inc.)
Google Drive (HKLM\...\{65EACBB4-B0B8-4A5B-AE46-22DBE15C70B5}) (Version: 1.19.8406.6504 - Google, Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
Intel® TV Wizard (HKLM\...\TVWiz) (Version:  - Intel Corporation)
iTunes (HKLM\...\{F32DC846-4457-40A8-BECA-BCC0E960BC53}) (Version: 11.4.0.18 - Apple Inc.)
Juniper Networks Network Connect 7.2.0 (HKLM\...\Juniper Network Connect 7.2.0) (Version: 7.2.0.20761 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-2542516745-2013250680-215552055-1000\...\Juniper_Setup_Client) (Version: 7.2.1.20017 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
Lenovo EasyCamera (HKLM\...\{FE7AD27A-62B1-44F6-B69C-25D1ECA94F5D}) (Version: 5.4.1.6 - Silicon Motion)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 36.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 36.0.1 (x86 en-US)) (Version: 36.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
NETGEAR Genie (HKLM\...\NETGEAR Genie) (Version: 2.3.1.57 - NETGEAR Inc.)
NETGEAR Live Parental Controls Management Utility 2.1.5 (HKLM\...\NETGEAR Live Parental Controls Management Utility) (Version: 2.1.5 - )
QuickTime 7 (HKLM\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.13.13771 - Skype Technologies S.A.)
Skype™ 6.20 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
Sonos Controller (HKLM\...\{7BBA9BF8-05DF-47D8-8880-82A9B99505B9}) (Version: 28.1.83040 - Sonos, Inc.)
System Requirements Lab for Intel (HKLM\...\{04C4B49D-45D9-4A28-9ED1-B45CBD99B8C7}) (Version: 4.5.24.0 - Husdawg, LLC)
VLC media player 2.1.2 (HKLM\...\VLC media player) (Version: 2.1.2 - VideoLAN)
Windows 7 Codec Pack 4.0.9 (HKLM\...\Windows 7 - Codec Pack) (Version: 4.0.9 - Windows 7 Codec Pack)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

17-02-2015 13:17:12 Windows Update
19-02-2015 16:52:28 Windows Update
20-02-2015 13:05:32 Windows Update
22-02-2015 14:21:59 Scheduled Checkpoint
24-02-2015 07:41:42 Windows Update
27-02-2015 14:56:24 Scheduled Checkpoint
28-02-2015 12:09:14 Windows Update
01-03-2015 01:00:02 Scheduled Checkpoint
02-03-2015 09:37:54 Scheduled Checkpoint
03-03-2015 09:39:44 Windows Update
04-03-2015 11:26:13 Scheduled Checkpoint
06-03-2015 09:46:33 Windows Update
08-03-2015 13:40:10 Scheduled Checkpoint
10-03-2015 10:53:34 Windows Update
11-03-2015 13:19:48 Scheduled Checkpoint
12-03-2015 03:03:45 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 06:23 - 2014-10-30 21:16 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {20D9C4A0-ED16-4C96-A9CF-3DCCBBAB267D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-05-21] (Google Inc.)
Task: {255484F3-25A6-4F29-841A-C9CEB6321CBE} - System32\Tasks\{17BE388F-3D19-45AD-B2A1-7C47DF1852ED} => pcalua.exe -a C:\Users\kwemple\Downloads\IN1WLN20WW3.exe -d C:\Users\kwemple\Downloads
Task: {2659A38A-2DC0-43FC-AFAD-CDFCD3D97791} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {7C8CDCA4-4D01-4A24-A2FC-F387E1E0D190} - System32\Tasks\{9BD5E339-2D6C-48E1-A41B-308E5BCDC618} => Firefox.exe http://ui.skype.com/ui/0/7.1.0.105/en/abandoninstall?page=tsMain
Task: {8152947C-A848-457E-9716-5A98CA8075BF} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-19] (Microsoft Corporation)
Task: {8FEDE65A-B689-4DBC-B4CF-C91EBFE2EFB6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {B95B7C99-B3CE-4484-ADA6-9E0A4695E8F6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-05-21] (Google Inc.)
Task: {C174273A-5A1D-4582-AD68-88ADD31391DC} - \MySearchDial No Task File <==== ATTENTION
Task: {E28D679C-6BC1-4CE8-B153-C2D9CAB28BEC} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-08-06] (AVAST Software)
Task: {ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} - System32\Tasks\UpdaterEX => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {FBB7C864-C546-4774-A823-5C04FC1BA781} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {FEC96710-3A52-43F4-8663-6C2EB949E1FF} - System32\Tasks\{F59F5589-F52C-497F-BED2-DA89D942AF95} => Firefox.exe http://ui.skype.com/ui/0/6.11.60.102/en/abandoninstall?page=tsBing

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

==================== Loaded Modules (whitelisted) ==============


==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2542516745-2013250680-215552055-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\kwemple\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
DNS Servers: Media is not connected to internet.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-2542516745-2013250680-215552055-500 - Administrator - Disabled)
CarRide (S-1-5-21-2542516745-2013250680-215552055-1001 - Limited - Enabled) => C:\Users\CarRide
Guest (S-1-5-21-2542516745-2013250680-215552055-501 - Limited - Disabled)
kwemple (S-1-5-21-2542516745-2013250680-215552055-1000 - Administrator - Enabled) => C:\Users\kwemple

==================== Faulty Device Manager Devices =============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/14/2015 08:32:24 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/12/2015 09:04:12 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/12/2015 08:32:05 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/12/2015 08:12:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application notepad.exe, version 6.0.6001.18000, time stamp 0x47918ea2, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x6a914618,
process id 0x23cf8, application start time 0xnotepad.exe0.

Error: (03/12/2015 04:06:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   18 10.1.168.192.in-addr.arpa. PTR KITCHEN-PC.local.

Error: (03/12/2015 04:06:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.10:5353   20 10.1.168.192.in-addr.arpa. PTR KITCHEN-PC-2.local.

Error: (03/12/2015 04:06:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 23481333

Error: (03/12/2015 04:06:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 23481333

Error: (03/12/2015 04:06:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/12/2015 04:06:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 23479976


System errors:
=============
Error: (08/11/2014 06:39:11 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:20:34 PM on 8/10/2014 was unexpected.

Error: (08/10/2014 06:30:46 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.8 for the Network Card with network address 0022FAB8AAC6 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (08/10/2014 02:40:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058

Error: (08/10/2014 02:40:28 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (08/10/2014 02:40:28 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (08/10/2014 02:39:24 PM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (08/10/2014 02:39:16 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 8:56:18 PM on 8/9/2014 was unexpected.

Error: (08/09/2014 08:52:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058

Error: (08/09/2014 08:51:47 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (08/09/2014 08:51:42 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)


Microsoft Office Sessions:
=========================
Error: (03/14/2015 08:32:24 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/12/2015 09:04:12 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/12/2015 08:32:05 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/12/2015 08:12:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: notepad.exe6.0.6001.1800047918ea2unknown0.0.0.000000000c00000056a91461823cf801d05d2258214130

Error: (03/12/2015 04:06:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   18 10.1.168.192.in-addr.arpa. PTR KITCHEN-PC.local.

Error: (03/12/2015 04:06:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.10:5353   20 10.1.168.192.in-addr.arpa. PTR KITCHEN-PC-2.local.

Error: (03/12/2015 04:06:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 23481333

Error: (03/12/2015 04:06:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 23481333

Error: (03/12/2015 04:06:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/12/2015 04:06:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 23479976


CodeIntegrity Errors:
===================================
  Date: 2015-03-14 20:37:23.431
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:23.369
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:23.291
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:23.228
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:23.057
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:22.994
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:22.932
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:22.869
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:03.494
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-14 20:37:03.432
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU T6400 @ 2.00GHz
Percentage of memory in use: 16%
Total physical RAM: 3031.86 MB
Available physical RAM: 2523.3 MB
Total Pagefile: 6266 MB
Available Pagefile: 5951.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1948.63 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:283.44 GB) (Free:115.6 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive g: () (Removable) (Total:29.82 GB) (Free:8.23 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: 3B3ED063)
Partition 1: (Not Active) - (Size=14.6 GB) - (Type=06)
Partition 2: (Active) - (Size=283.4 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 29.8 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================



#8 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost
  • Local time:05:21 AM

Posted 14 March 2015 - 09:05 PM

ok thanks, now we can use FRST.

Copy/paste what's below in the code box into Notepad. Save it as fixlist.txt in the same place as FRST.

Next start FRST like you did before but this time click on the fix button once.

The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File []
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
2015-03-12 21:04 - 2013-12-14 21:59 - 00019456 _____ () C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-12 19:36 - 2014-03-15 14:34 - 00000300 _____ () C:\Windows\Tasks\UpdaterEX.job
2015-03-11 08:23 - 2014-03-15 14:34 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\UpdaterEX
2015-03-08 17:58 - 2015-03-12 20:56 - 00000000 __SHD () C:\Users\kwemple\Documents\MSDCSC
C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe
2015-03-11 08:23 - 2014-03-15 14:34 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\UpdaterEX
Task: {ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} - System32\Tasks\UpdaterEX => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} - System32\Tasks\UpdaterEX => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\kwemple\AppData\Roaming
EmptyTemp:

Next you can get two other downloads to use: AdwCleaner and JRT.exe; both target adware:

 

1)  Please download adwcleaner and save to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Right click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, click the Clean button
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

2) Please download Junkware Removal Tool to your desktop.

     http://thisisudax.org/downloads/JRT.exe

    Shutdown your antivirus to avoid any conflicts.
    Double click the icon or Right click for Vista/W7,8 and select Run as administrator
    The tool will open and start scanning.
    Please be patient as this can take a while to complete.
    On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    Post the contents of JRT.txt into your next message.

 

Won't be back online for 10-12 hrs or so.


How Can I Reduce My Risk to Malware?


#9 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 14 March 2015 - 09:59 PM

FIXLOG.TXT

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by kwemple at 2015-03-14 22:37:14 Run:1
Running from C:\prowork
Loaded Profiles: kwemple (Available profiles: kwemple & CarRide)
Boot Mode: Safe Mode (minimal)

==============================================

Content of fixlist:
*****************
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File []
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
2015-03-12 21:04 - 2013-12-14 21:59 - 00019456 _____ () C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-12 19:36 - 2014-03-15 14:34 - 00000300 _____ () C:\Windows\Tasks\UpdaterEX.job
2015-03-11 08:23 - 2014-03-15 14:34 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\UpdaterEX
2015-03-08 17:58 - 2015-03-12 20:56 - 00000000 __SHD () C:\Users\kwemple\Documents\MSDCSC
C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe
2015-03-11 08:23 - 2014-03-15 14:34 - 00000000 ____D () C:\Users\kwemple\AppData\Roaming\UpdaterEX
Task: {ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} - System32\Tasks\UpdaterEX => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} - System32\Tasks\UpdaterEX => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\kwemple\AppData\Roaming
EmptyTemp:
*****************

HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKU\S-1-5-21-2542516745-2013250680-215552055-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F27237D7-93C8-44C2-AC6E-D6057B9A918F}" => Key deleted successfully.
"HKCR\CLSID\{F27237D7-93C8-44C2-AC6E-D6057B9A918F}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\skype-ie-addon-data" => Key deleted successfully.
"HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}" => Key deleted successfully.
blbdrive => Service deleted successfully.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
C:\Users\kwemple\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => Moved successfully.
C:\Windows\Tasks\UpdaterEX.job => Moved successfully.
C:\Users\kwemple\AppData\Roaming\UpdaterEX => Moved successfully.
C:\Users\kwemple\Documents\MSDCSC => Moved successfully.
"C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe" => File/Directory not found.
"C:\Users\kwemple\AppData\Roaming\UpdaterEX" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B}" => Key deleted successfully.
C:\Windows\System32\Tasks\UpdaterEX => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} => Key not found.
C:\Windows\System32\Tasks\UpdaterEX not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX => Key not found.
C:\Windows\Tasks\UpdaterEX.job not found.
EmptyTemp: => Removed 10.7 GB temporary data.


The system needed a reboot.

==== End of Fixlog 22:44:01 ====
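An added example (not part of this thread, and not FRST's own code) that audits a Fixlog like the one above. FRST reports a "not found" when an item listed in the fixlist was not there at the moment it was processed; in this log every such line has a benign explanation visible earlier in the same log (msdcsc.exe sat inside the MSDCSC folder that had already been moved, and UpdaterEX plus its task GUID appeared twice in the fixlist, so the second attempt found nothing). A "not found" with neither explanation means the item was not where FRST expected it, which is worth rechecking on the next scan. The script assumes the Fixlog text is available as a string; the sample is a trimmed excerpt of the log posted above plus one constructed, clearly labelled "not found" line that exercises the unexplained branch.

```python
import re

# Result lines look like '<target> => <outcome>' (the target is sometimes quoted);
# a few use the bare form '<target> not found.' with no arrow.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<outcome>.+?)\s*$')
BARE_NOT_FOUND_RE = re.compile(r'^"?(?P<target>.+?)"?\s+not found\.?$')


def classify(outcome):
    """Map an FRST outcome phrase to ok / not_found / other."""
    o = outcome.casefold()
    if "not found" in o:
        return "not_found"
    if "successfully" in o or o.startswith("removed"):
        return "ok"
    return "other"


def parse_fixlog(text):
    """Return [(target, outcome)] from the result section of a Fixlog.

    FRST echoes the fixlist between two rows of asterisks before the results;
    everything up to the second row is skipped so fixlist entries that contain
    '=>' (e.g. the Task: lines) are not mistaken for results.
    """
    results, stars = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"*"}:
            stars += 1
            continue
        if stars < 2:
            continue
        m = RESULT_RE.match(line) or BARE_NOT_FOUND_RE.match(line)
        if m:
            results.append((m["target"], m.groupdict().get("outcome") or "not found."))
    return results


def audit_fixlog(text):
    """Count successes and explain each 'not found' from earlier lines of the log."""
    handled = []  # case-folded targets already processed successfully, in log order
    report = {"ok": 0, "not_found": [], "other": []}
    for target, outcome in parse_fixlog(text):
        kind = classify(outcome)
        t = target.casefold()
        if kind == "ok":
            report["ok"] += 1
            handled.append(t)
        elif kind == "not_found":
            why = "unexplained, check by hand"
            for h in handled:
                if t == h:
                    why = f"already handled earlier in this log: {h}"
                    break
                if t.startswith(h + "\\"):  # item lived inside a directory moved earlier
                    why = f"parent already moved: {h}"
                    break
            report["not_found"].append((target, why))
        else:
            report["other"].append((target, outcome))
    return report


# Trimmed excerpt of the Fixlog posted above, plus one constructed 'not found'
# line (the C:\constructed\... path) to exercise the unexplained branch.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
2015-03-08 17:58 - 2015-03-12 20:56 - 00000000 __SHD () C:\Users\kwemple\Documents\MSDCSC
Task: {ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} - System32\Tasks\UpdaterEX => C:\Users\kwemple\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
EmptyTemp:
*****************

blbdrive => Service deleted successfully.
C:\Users\kwemple\AppData\Roaming\UpdaterEX => Moved successfully.
C:\Users\kwemple\Documents\MSDCSC => Moved successfully.
"C:\Users\kwemple\Documents\MSDCSC\msdcsc.exe" => File/Directory not found.
"C:\Users\kwemple\AppData\Roaming\UpdaterEX" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B}" => Key deleted successfully.
C:\Windows\System32\Tasks\UpdaterEX => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ECD3A0A3-7834-4B9C-B6BD-C4B568AB6C2B} => Key not found.
C:\Windows\System32\Tasks\UpdaterEX not found.
"C:\constructed\not-in-the-real-log\example.exe" => File/Directory not found.
EmptyTemp: => Removed 10.7 GB temporary data.

The system needed a reboot.
"""

if __name__ == "__main__":
    rep = audit_fixlog(SAMPLE_FIXLOG)
    print(f"{rep['ok']} items handled, {len(rep['not_found'])} reported not found")
    for target, why in rep["not_found"]:
        print(f"  {target}\n      -> {why}")
```

The ancestor check only looks at entries that succeeded earlier in the same log, which is what FRST's own ordering guarantees: the fixlist is processed top to bottom, so a directory move always precedes the "not found" for a file inside it.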



#10 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 15 March 2015 - 05:49 AM

AdwCleaner R0

 

# AdwCleaner v4.112 - Logfile created 14/03/2015 at 23:03:18
# Updated 09/03/2015 by Xplode
# Database : 2015-03-05.1 [Local]
# Operating system : Windows Vista ™ Home Premium Service Pack 1 (x86)
# Username : kwemple - KITCHEN-PC
# Running from : C:\prowork\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : CouponPrinterService

***** [ Files / Folders ] *****

File Found : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\invalidprefs.js
File Found : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\searchplugins\bingp.xml
File Found : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js
Folder Found : C:\Program Files\Coupons
Folder Found : C:\Program Files\Coupons
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Found : C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Folder Found : C:\Users\kwemple\AppData\LocalLow\Toolbar4
Folder Found : C:\Users\kwemple\Documents\Optimizer Pro

***** [ Scheduled tasks ] *****

Task Found : MySearchDial

***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.9
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mysearchdial
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\UpdaterEX
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found : HKCU\Software\UpdaterEX
Key Found : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
Key Found : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Found : HKLM\SOFTWARE\InstallCore
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.9

***** [ Web browsers ] *****

-\\ Internet Explorer v7.0.6001.18000


-\\ Mozilla Firefox v36.0.1 (x86 en-US)

[98ugkftq.default] - Line Found : user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q");
[98ugkftq.default] - Line Found : user_pref("extensions.irmysearch.cr", "248540438");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.AL", 2);
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.aflt", "dnldstr_14_11_ff");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.cr", "248540438");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.dfltLng", "");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.dfltSrch", true);
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.dnsErr", true);
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.excTlbr", false);
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.id", "00FF1004FF8505A7");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.instlDay", "16144");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.instlRef", "140305_b");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.newTabUrl", "hxxp://start.mysearchdial.com/?f=2&a=dnldstr_14_11_ff&cd=2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2Sy[...]
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.prdct", "mysearchdial");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.tlbrId", "base");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.tlbrSrchUrl", "hxxp://start.mysearchdial.com/?f=3&a=dnldstr_14_11_ff&cd=2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2[...]
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.vrsn", "1.8.29.0");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.vrsni", "1.8.29.0");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial_i.newTab", false);
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial_i.smplGrp", "none");
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.29.014:32:44");

-\\ Google Chrome v41.0.2272.89

[C:\Users\CarRide\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\CarRide\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
*************************

AdwCleaner[R0].txt - [9592 bytes] - [14/03/2015 23:03:18]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [9651 bytes] ##########
 


AdwCleaner S0

 

# AdwCleaner v4.112 - Logfile created 14/03/2015 at 23:05:57
# Updated 09/03/2015 by Xplode
# Database : 2015-03-05.1 [Local]
# Operating system : Windows Vista ™ Home Premium Service Pack 1 (x86)
# Username : kwemple - KITCHEN-PC
# Running from : C:\prowork\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : CouponPrinterService

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Deleted : C:\Program Files\Coupons
Folder Deleted : C:\Users\kwemple\AppData\LocalLow\Toolbar4
Folder Deleted : C:\Users\kwemple\Documents\Optimizer Pro
Folder Deleted : C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
File Deleted : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\invalidprefs.js
File Deleted : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\searchplugins\bingp.xml
File Deleted : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKCU\Software\UpdaterEX
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\InstallCore
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.9
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mysearchdial
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\UpdaterEX
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.9
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v7.0.6001.18000


-\\ Mozilla Firefox v36.0.1 (x86 en-US)

[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.irmysearch.cr", "248540438");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.AL", 2);
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.aflt", "dnldstr_14_11_ff");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2SyEyCyCtAyDtCyB0AzyyE2Q");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.cr", "248540438");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dfltLng", "");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dfltSrch", true);
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dnsErr", true);
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.excTlbr", false);
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.id", "00FF1004FF8505A7");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.instlDay", "16144");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.instlRef", "140305_b");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.newTabUrl", "hxxp://start.mysearchdial.com/?f=2&a=dnldstr_14_11_ff&cd=2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2Sy[...]
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.prdct", "mysearchdial");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.tlbrId", "base");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.tlbrSrchUrl", "hxxp://start.mysearchdial.com/?f=3&a=dnldstr_14_11_ff&cd=2XzuyEtN2Y1L1QzutDtD0F0FtCtDtDyE0F0FzzyDtDyD0AyBtN0D0Tzu0SzD0E0EtGtDyDtC0CtG0CzytAzztGyL1Qzu2[...]
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.vrsn", "1.8.29.0");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.vrsni", "1.8.29.0");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial_i.newTab", false);
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial_i.smplGrp", "none");
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.29.014:32:44");

-\\ Google Chrome v41.0.2272.89

[C:\Users\CarRide\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\CarRide\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [9730 bytes] - [14/03/2015 23:03:18]
AdwCleaner[S0].txt - [9617 bytes] - [14/03/2015 23:05:57]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9676  bytes] ##########
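An added example (not part of this thread, and not AdwCleaner's own code) that reconciles an AdwCleaner scan log (R0) against the matching cleaning log (S0) and lists anything the scan found that the clean run did not delete. A line-by-line comparison of the two logs gives false gaps, because the scan log repeats some entries (the Coupons folders, several CLSIDs), the Firefox location is written as "98ugkftq.default" in one log and "98ugkftq.default\prefs.js" in the other, and the Chrome profile is spelled "Web data" in one and "Web Data" in the other; the parser normalises all of that before comparing. On the logs above it flags "Task Found : MySearchDial", which has no matching deletion in the cleaning log's Scheduled tasks section. The script assumes both logs are available as strings; the samples are trimmed excerpts of the two logs posted above.

```python
import re

# "<Kind> <Verb> : <target>" entries, optionally prefixed with "[#]" as in
# "[#] Service Deleted : CouponPrinterService".
ENTRY_RE = re.compile(
    r"^(?:\[#\]\s*)?(?P<kind>Service|File|Folder|Task|Key|Value|Data|Shortcut)"
    r"\s+(?P<verb>Found|Deleted)\s*:\s*(?P<target>.+?)\s*$"
)
# Browser entries: "[profile] - Line Found : user_pref(...)" and
# "[path\Web data] - Found [Search Provider] : hxxp://...".
BROWSER_RE = re.compile(
    r"^\[(?P<where>[^\]]+)\]\s*-\s*"
    r"(?:Line\s+(?P<line_verb>Found|Deleted)|(?P<verb>Found|Deleted)\s+\[(?P<what>[^\]]+)\])"
    r"\s*:\s*(?P<target>.+?)\s*$"
)


def parse_log(text):
    """Return (option, {(verb, key)}) for one AdwCleaner v4 log.

    Keys are normalised so the same item compares equal across the two logs:
    paths and registry keys are case-folded (Windows is case-insensitive), and
    a Firefox location such as "98ugkftq.default\\prefs.js" collapses to the
    profile name, which is how the scan log reports it.
    """
    option, entries = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# Option :"):
            option = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m["verb"], (m["kind"], m["target"].casefold())))
            continue
        m = BROWSER_RE.match(line)
        if m:
            if m["line_verb"]:
                verb, kind = m["line_verb"], "Line"
                where = m["where"].casefold().split("\\")[0]
            else:
                verb, kind = m["verb"], m["what"]
                where = m["where"].casefold()
            entries.add((verb, (kind, where + " :: " + m["target"])))
    return option, entries


def reconcile(scan_text, clean_text):
    """Compare what the scan found with what the cleaning run deleted."""
    scan_option, scan_entries = parse_log(scan_text)
    clean_option, clean_entries = parse_log(clean_text)
    found = {key for verb, key in scan_entries if verb == "Found"}
    deleted = {key for verb, key in clean_entries if verb == "Deleted"}
    return {
        "scan_option": scan_option,
        "clean_option": clean_option,
        "found": len(found),
        "deleted": len(deleted),
        "not_cleaned": sorted(found - deleted),  # follow these up by hand
        "unexpected": sorted(deleted - found),   # deleted without a scan hit
    }


# Trimmed excerpts of the R0 and S0 logs posted above (duplicate folder line kept on purpose).
SCAN_LOG = r"""
# Option : Scan
***** [ Services ] *****
Service Found : CouponPrinterService
***** [ Files / Folders ] *****
File Found : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js
Folder Found : C:\Program Files\Coupons
Folder Found : C:\Program Files\Coupons
***** [ Scheduled tasks ] *****
Task Found : MySearchDial
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\UpdaterEX
***** [ Web browsers ] *****
[98ugkftq.default] - Line Found : user_pref("extensions.mysearchdial.prdct", "mysearchdial");
[C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
"""
CLEAN_LOG = r"""
# Option : Cleaning
[#] Service Deleted : CouponPrinterService
Folder Deleted : C:\Program Files\Coupons
File Deleted : C:\Users\kwemple\AppData\Roaming\Mozilla\Firefox\Profiles\98ugkftq.default\user.js
Key Deleted : HKCU\Software\UpdaterEX
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
[98ugkftq.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.prdct", "mysearchdial");
[C:\Users\kwemple\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
"""

if __name__ == "__main__":
    report = reconcile(SCAN_LOG, CLEAN_LOG)
    print(f"{report['scan_option']}: {report['found']} found; "
          f"{report['clean_option']}: {report['deleted']} deleted")
    for kind, target in report["not_cleaned"]:
        print(f"NOT CLEANED: {kind} {target}")
```

Run it against the full R0 and S0 files from C:\AdwCleaner after a clean; anything in the not_cleaned list is what to look for on the next FRST scan.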
 



#11 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 15 March 2015 - 06:05 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows Vista ™ Home Premium x86
Ran by kwemple on Sun 03/15/2015 at  6:51:21.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\Windows\couponprinter.ocx"



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\kwemple\AppData\Roaming\mozilla\firefox\profiles\98ugkftq.default\minidumps [56 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/15/2015 at  6:52:50.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#12 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:21 AM

Posted 15 March 2015 - 07:34 AM

ok. Good. How's it looking on your end now?


How Can I Reduce My Risk to Malware?


#13 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:21 AM

Posted 15 March 2015 - 10:48 AM

Still in safe mode. We thought we got rid of it last week with MBAM quarantine, but it didn't remove it. In fact, I believe backdoor agent uninstalled MBAM and we had to quarantine it again. This is why I contacted you guys. Do you think I can go ahead and reboot in normal mode?



#14 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:21 AM

Posted 15 March 2015 - 12:18 PM

Boot it up normally and see how it goes.


How Can I Reduce My Risk to Malware?


#15 scrubbo

scrubbo
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 15 March 2015 - 12:25 PM

Any thoughts on why Avast didn't catch this?





