
Skimlinks / Skimwords reappears even on fresh install? Am I infected?


This topic is locked
17 replies to this topic

#1 ericbecky

Posted 19 March 2015 - 12:02 AM

Due to a bad download while searching for a manual, I was having issues with skimlinks showing up on my computer, and since this was a recently installed drive, I simply erased the drive, and did a fresh install of Windows 7 from my recovery disks. Figured that would quickly take care of any problem. 
 
All I added back on the fresh install was Microsoft security essentials, and Google Chrome.
 
Interestingly, as soon as I got back online I saw the skimlinks. (I have some screenshots. For instance, on BleepingComputer I get an ad that floats on the right side that says "Based on what you are reading..." with a picture of Kaspersky antivirus. Or on a car site, the word "headlights" becomes underlined and when you hover over it, it says "shopping link added by skimwords".)
 
I'm worried there may be other things going on as well that I don't see.
 
Here is the log
 
****
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Eric (administrator) on ERIC-SONYVAIO on 19-03-2015 00:40:31
Running from C:\Users\Eric\Downloads
Loaded Profiles: Eric (Available profiles: Eric)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2910474099-1913494306-2775602058-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-19] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-19]
CHR Extension: (Google Docs) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-19]
CHR Extension: (Google Drive) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-19]
CHR Extension: (YouTube) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-19]
CHR Extension: (Google Search) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-19]
CHR Extension: (Google Sheets) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-19]
CHR Extension: (Google Wallet) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-19]
CHR Extension: (Gmail) - C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-19]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-19 02:28 - 2015-03-18 23:44 - 00000000 ____D () C:\Windows\Panther
2015-03-19 02:17 - 2015-03-19 02:17 - 00000000 ____D () C:\Windows.old
2015-03-19 01:35 - 2015-03-19 00:32 - 01476629 _____ () C:\Windows\WindowsUpdate.log
2015-03-19 01:30 - 2015-03-19 01:30 - 00001345 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2015-03-19 01:30 - 2015-03-19 01:30 - 00001326 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2015-03-19 01:29 - 2015-03-19 01:29 - 00001355 _____ () C:\Windows\TSSysprep.log
2015-03-19 00:40 - 2015-03-19 00:40 - 00004972 _____ () C:\Users\Eric\Downloads\FRST.txt
2015-03-19 00:40 - 2015-03-19 00:40 - 00000000 ____D () C:\FRST
2015-03-19 00:39 - 2015-03-19 00:39 - 02095616 _____ (Farbar) C:\Users\Eric\Downloads\FRST64.exe
2015-03-19 00:02 - 2015-03-19 00:08 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-19 00:02 - 2015-03-19 00:07 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-19 00:02 - 2015-03-19 00:02 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-03-19 00:02 - 2015-03-19 00:02 - 00003638 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-03-19 00:02 - 2015-03-19 00:02 - 00002259 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-19 00:02 - 2015-03-19 00:02 - 00000000 ____D () C:\Users\Eric\AppData\Local\Google
2015-03-19 00:02 - 2015-03-19 00:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-19 00:02 - 2015-03-19 00:02 - 00000000 ____D () C:\Program Files (x86)\Google
2015-03-19 00:00 - 2015-03-19 00:02 - 00000000 ____D () C:\Users\Eric\AppData\Local\Deployment
2015-03-19 00:00 - 2015-03-19 00:00 - 00000000 ____D () C:\Users\Eric\AppData\Local\Apps\2.0
2015-03-18 23:51 - 2015-03-18 23:51 - 00057560 _____ () C:\Users\Eric\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-18 23:51 - 2015-03-18 23:51 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-03-18 23:51 - 2015-03-18 23:51 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-03-18 23:51 - 2015-03-18 23:51 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-03-18 23:51 - 2015-03-18 23:51 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2015-03-18 23:44 - 2015-03-18 23:44 - 00001447 _____ () C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-18 23:44 - 2015-03-18 23:44 - 00001413 _____ () C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-03-18 23:44 - 2015-03-18 23:44 - 00000020 ___SH () C:\Users\Eric\ntuser.ini
2015-03-18 23:44 - 2015-03-18 23:44 - 00000000 __SHD () C:\Recovery
2015-03-18 23:44 - 2015-03-18 23:44 - 00000000 ____D () C:\Users\Eric\AppData\Local\VirtualStore
2015-03-18 23:44 - 2015-03-18 23:44 - 00000000 ____D () C:\Users\Eric
2015-03-18 23:44 - 2014-05-14 11:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-03-18 23:44 - 2014-05-14 11:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-03-18 23:44 - 2014-05-14 11:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-03-18 23:44 - 2014-05-14 11:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-03-18 23:44 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-03-18 23:44 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-03-18 23:44 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-03-18 23:44 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-03-18 23:44 - 2009-07-13 23:54 - 00000000 ___RD () C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-18 23:44 - 2009-07-13 23:49 - 00000000 ___RD () C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-19 02:28 - 2009-07-14 00:38 - 00025600 ___SH () C:\Windows\system32\config\BCD-Template.LOG
2015-03-19 02:28 - 2009-07-14 00:32 - 00028672 _____ () C:\Windows\system32\config\BCD-Template
2015-03-19 01:37 - 2009-07-13 23:45 - 00020640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-19 01:37 - 2009-07-13 23:45 - 00020640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-19 01:36 - 2009-07-14 00:13 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-19 01:32 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-19 01:32 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2015-03-19 01:31 - 2009-07-13 23:51 - 00021763 _____ () C:\Windows\setupact.log
2015-03-19 01:31 - 2009-07-13 23:45 - 00274320 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-19 01:30 - 2009-07-14 00:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-03-19 01:30 - 2009-07-13 23:46 - 00002790 _____ () C:\Windows\DtcInstall.log
2015-03-19 01:30 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-19 01:30 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\sysprep
2015-03-18 23:44 - 2010-11-20 21:50 - 00000000 ____D () C:\Users\Administrator
2015-03-18 23:44 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\restore
2015-03-18 23:44 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Public\Libraries
2015-03-18 23:44 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\Recovery
2015-03-03 08:17 - 2010-11-20 22:27 - 00295552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-19 01:28
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by Eric at 2015-03-19 00:40:58
Running from C:\Users\Eric\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.89 - Google Inc.)
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.7.205.0 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

18-03-2015 23:44:34 Windows Update
18-03-2015 23:54:22 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {201182EB-1888-41A6-A9D7-297987ADF6B5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-19] (Google Inc.)
Task: {639257B3-9906-42C1-BD93-2795CEABA2A8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-19] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2015-03-19 00:02 - 2015-03-07 01:13 - 09279304 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\pdf.dll
2015-03-19 00:02 - 2015-03-07 01:13 - 14974280 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2910474099-1913494306-2775602058-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-2910474099-1913494306-2775602058-500 - Administrator - Disabled)
Eric (S-1-5-21-2910474099-1913494306-2775602058-1001 - Administrator - Enabled) => C:\Users\Eric
Guest (S-1-5-21-2910474099-1913494306-2775602058-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2910474099-1913494306-2775602058-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: Ethernet Controller
Description: Ethernet Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/19/2015 00:03:06 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (03/18/2015 11:45:56 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (03/18/2015 11:44:23 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1533) (User: NT AUTHORITY)
Description: Windows cannot delete the profile directory C:\Users\Administrator. This error may be caused by files in this directory being used by another program.

DETAIL - The directory is not empty.

Error: (03/19/2015 01:33:15 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============

Microsoft Office Sessions:
=========================
Error: (03/19/2015 00:03:06 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/18/2015 11:45:56 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/18/2015 11:44:23 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1533) (User: NT AUTHORITY)
Description: C:\Users\AdministratorThe directory is not empty.

Error: (03/19/2015 01:33:15 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: Intel® Core™ i3 CPU M 330 @ 2.13GHz
Percentage of memory in use: 58%
Total physical RAM: 3758.1 MB
Available physical RAM: 1569.86 MB
Total Pagefile: 7514.39 MB
Available Pagefile: 5641.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:214.49 GB) (Free:187.48 GB) NTFS
Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 223.6 GB) (Disk ID: 0FE2FF5D)
Partition 1: (Not Active) - (Size=9 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=214.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Edited by Oh My!, 22 March 2015 - 06:37 PM.
Posted Addition.txt


#2 Oh My!

  • Malware Response Instructor

Posted 22 March 2015 - 06:44 PM

Greetings ericbecky and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please make sure you are logged into the BleepingComputer site. If you are not logged in as a User you will get legitimate popups.

Please do this with Chrome.

===================================================

Launching Chrome Without Plugins or Extensions

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type in chrome --incognito and press Enter
  • Test Chrome for links
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Do you get ads on BleepingComputer.com?
  • How is Chrome?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
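The incognito test above works because extensions are off in that mode, but a more direct way to separate what the site serves from what the client adds is to compare the raw HTML the server sends (fetched from a known-clean machine, for example with curl) against the DOM the suspect browser actually renders (document.documentElement.outerHTML from DevTools). The script below is an added example, not part of this thread and not a BleepingComputer tool; the sample HTML is constructed, the Skimlinks script URL shape is assumed, and cdn.inject.example is a reserved placeholder name rather than a real adware host.

```python
"""Tell site-served affiliate scripts apart from client-side injection.

A script host present only in the rendered DOM was added on the client
(extension, proxy, injected DLL); one already in the server's HTML was put
there by the site itself, which is what an opted-in Skimlinks/Skimwords
deployment looks like. Added example; sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Substrings that identify the affiliate-link services named in the thread.
# Assumption for this example only; check the hosts you actually observe.
AFFILIATE_HINTS = ("skimlinks", "skimresources", "skimwords")


def host_of(src: str):
    """Lowercase host of a script src, or None for a same-origin (relative) URL."""
    if src.startswith("//"):            # protocol-relative URLs are common in ad tags
        src = "https:" + src
    host = urlsplit(src).hostname
    return host.lower() if host else None


class ScriptHosts(HTMLParser):
    """Collect the hosts of every external <script src=...> in a document."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            host = host_of(src) if src else None
            if host:
                self.hosts.add(host)


def script_hosts(html: str) -> set:
    parser = ScriptHosts()
    parser.feed(html)
    return parser.hosts


def classify(server_html: str, rendered_html: str) -> dict:
    """Split third-party script hosts into site-served vs client-injected."""
    served = script_hosts(server_html)
    injected = script_hosts(rendered_html) - served

    def is_affiliate(host):
        return any(hint in host for hint in AFFILIATE_HINTS)

    return {
        "site_served": sorted(served),
        "client_injected": sorted(injected),
        "affiliate_from_site": sorted(h for h in served if is_affiliate(h)),
        "affiliate_injected": sorted(h for h in injected if is_affiliate(h)),
    }


# Constructed sample: a forum page whose webmaster opted into Skimlinks.
SERVER_HTML = """<html><head>
<script src="/js/forum.js"></script>
<script src="//s.skimresources.com/js/12345X67890.skimlinks.js"></script>
</head><body><p>Changing the headlights ...</p></body></html>"""

# Constructed: the same page as rendered on a machine with a link-injecting
# add-on. inject.example is an RFC 2606 reserved name, not a real adware host.
RENDERED_INFECTED = SERVER_HTML.replace(
    "</body>", '<script src="https://cdn.inject.example/links.js"></script></body>')


if __name__ == "__main__":
    print("clean machine  :", classify(SERVER_HTML, SERVER_HTML))
    print("suspect machine:", classify(SERVER_HTML, RENDERED_INFECTED))
```

One caveat: a script the site loads dynamically (through a tag manager, say) also shows up only in the rendered DOM, so compare against the rendered DOM of a known-clean machine too before calling a host "injected".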

#3 ericbecky
  • Topic Starter

Posted 22 March 2015 - 08:17 PM

I first want to mention three things happened/changed since my original post:

- I have installed malwarebytes and did one scan just because I was paranoid. (no negative results)

- I had to install Quickbooks Accountant version.

- Windows did a mass of updates (nearly 200!). The reinstall ISO I used was an old version of Windows 7, so I guess that makes sense.

 

I followed your instructions above typing in the incognito command.

Doing this removed the sliding side ad on bleeping computer site.

 

I tested a couple of other sites, some it does appear that simply logging in makes the ads go away.

 

Perhaps the one site I was on, leaves the links active, even for registered users.

Here is a screenshot from post #9 on this forum's thread 

http://priuschat.com/threads/changing-engine-coolant.30813/

 

So based on your comment "If you are not logged in as a User you will get legitimate popups", 

perhaps my original screenshot was legitimate ads and I am just paranoid?




#4 Oh My!

  • Malware Response Instructor

Posted 22 March 2015 - 09:21 PM

Thank you for the update.

Please do this.

===================================================

Removing Chrome Extension/Plugin

--------------------
  • Launch the Chrome web browser
  • Type chrome://settings and press Enter
  • Delete any plugin or extension you do not recognize or you recognize as illegitimate
  • Close Chrome, relaunch it and check the performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary
 
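Eyeballing the extensions page relies on recognizing names, which adware chooses to look harmless. The script below is an added example, not from this thread and not a BleepingComputer or Google tool: it reads each manifest.json under the profile's Extensions folder (the same layout FRST lists in the log above) and flags any extension that is not on an allowlist and could rewrite every page, i.e. has a content script or host permission on all sites, request-interception permissions, or no Chrome Web Store update URL. The allowlist is the set of Google extension IDs that appear in the FRST log; the sample profile is built in a temporary directory, and the flagged extension ID in it is made up.

```python
"""Triage Chrome extensions from <profile>/Extensions/<id>/<version>/manifest.json.

Added example. Flags unknown extensions that can inject links into arbitrary
pages. The sample profile written by build_sample_profile() is constructed.
"""
import json
import tempfile
from pathlib import Path

# Google-published IDs taken from the FRST log in this thread.
KNOWN_GOOGLE_IDS = {
    "aapocclcgogkmnckokdopfmhonfmgoek": "Google Slides",
    "aohghmighlieiainnegkcijnfilokake": "Google Docs",
    "apdfllckaahabafndbhieahigkjlhalf": "Google Drive",
    "blpcfgokakmgnkcojhhkbfbldkacnbeo": "YouTube",
    "coobgpohoikkiipiblmjeljniedjpjpf": "Google Search",
    "felcaaldnbdncclmgdcncolpebgiejap": "Google Sheets",
    "lccekmodgklaepjeofjdjpbminllajkg": "Chrome Hotword Shared Module",
    "nmmhkkegccagdldgiimedpiccmgmieda": "Google Wallet",
    "pjkljhegncpnkpknbcohdijeoejaedia": "Gmail",
}
BROAD_MATCHES = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "proxy", "debugger"}
WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx"


def manifest_risk(manifest: dict) -> list:
    """Reasons an extension could rewrite content on every site the user visits."""
    reasons = []
    for cs in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            reasons.append("content script on all sites")
            break
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_MATCHES:
        reasons.append("host permission on all sites")
    if perms & INTERCEPT_PERMS:
        reasons.append("can intercept requests: " + ", ".join(sorted(perms & INTERCEPT_PERMS)))
    if manifest.get("update_url") != WEBSTORE_UPDATE:
        reasons.append("not updated from the Chrome Web Store (sideloaded?)")
    return reasons


def triage(profile_dir: str) -> list:
    """One finding per installed extension version."""
    findings = []
    for mf in sorted((Path(profile_dir) / "Extensions").glob("*/*/manifest.json")):
        manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        ext_id, version = mf.parent.parent.name, mf.parent.name
        findings.append({
            "id": ext_id,
            "version": version,
            # Localized names appear as __MSG_xxx__ placeholders (resolve via _locales/).
            "name": manifest.get("name", "?"),
            "known_google": ext_id in KNOWN_GOOGLE_IDS,
            "reasons": manifest_risk(manifest),
        })
    return findings


def suspicious(findings: list) -> list:
    """Unknown extensions with at least one risk reason. Known IDs are trusted:
    a packed extension's ID is derived from its signing key, so a sideloaded
    add-on cannot reuse Google's ID without Google's private key."""
    return [f for f in findings if not f["known_google"] and f["reasons"]]


def build_sample_profile() -> str:
    """Constructed profile: one Google extension and one made-up link injector."""
    root = tempfile.mkdtemp(prefix="chrome-profile-")

    def write(ext_id, version, manifest):
        d = Path(root) / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

    write("pjkljhegncpnkpknbcohdijeoejaedia", "8.1", {
        "name": "Gmail", "version": "8.1", "update_url": WEBSTORE_UPDATE, "permissions": []})
    write("abcdefghijklmnopabcdefghijklmnop", "1.0.3", {   # made-up ID, not a real extension
        "name": "Shopping Helper", "version": "1.0.3",
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]})
    return root


if __name__ == "__main__":
    for f in suspicious(triage(build_sample_profile())):
        print(f["id"], f["name"], f["version"], "->", "; ".join(f["reasons"]))
```

On the machine from the log the profile path is C:\Users\Eric\AppData\Local\Google\Chrome\User Data\Default; pass that to triage() instead of the sample. An empty suspicious() list with only allowlisted IDs present says the extensions are not the injection point, which is consistent with the links persisting in incognito mode.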

#5 ericbecky
  • Topic Starter

Posted 22 March 2015 - 11:58 PM

No plug ins.

Only Google extensions: Docs, Sheets, Slides. All of which I trust.

 

Performance is good.



#6 Oh My!

  • Malware Response Instructor

Posted 23 March 2015 - 09:53 AM

Thank you. Are you still getting links of that one site or any other sites?
Gary
 

#7 ericbecky
  • Topic Starter

Posted 24 March 2015 - 08:47 AM

The links are still in that site whether I'm logged in or not. But I think it may be that webmasters choice.
I'm going to continue to watch for other issues just in case.

#8 Oh My!

  • Malware Response Instructor

Posted 24 March 2015 - 09:39 AM

Just so I am clear. When you say the links are there even if you are logged in you are referring to the priuschat web site and not BleepingComputer, correct? You are not having the popup issue here, right?

Please see this site and follow the steps for Manage pop-ups for a specific site.


Gary
 

#9 ericbecky
  • Topic Starter

Posted 25 March 2015 - 01:55 PM

Yes. I'm referring to priuschat
Not bleeping computer.
Thanks for the link for managing pop-ups.

#10 Oh My!

  • Malware Response Instructor

Posted 25 March 2015 - 02:58 PM

Were you able to resolve the link issue in priuschat?
Gary
 

#11 ericbecky
  • Topic Starter

Posted 27 March 2015 - 05:20 PM

Yes.

It appears that the issue there is resolved.

I know my computer had been infected, but after I rebooted I think I may have simply been overly paranoid when I started seeing skimlink ads again.

There are some sites that use legitimate popups, slider ads, and even skimlinks.

I just need to relax a little.

Still be vigilant about viruses, but a little less paranoid.
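The question left open in posts #7 and #11 is the one worth having a repeatable check for: are the Skimlinks/Skimwords links the webmaster's own monetisation, or is something on the client (adware, a browser extension, a tampering proxy) adding them? The following is an added example, not code from this thread, from BleepingComputer or from Skimlinks. It compares the HTML the server actually sent for a page (what "view source" shows) with the script URLs present in the live DOM after extensions and scripts have run, and repeats that across several unrelated sites: a monetisation script that is in the live DOM on many sites but in none of their server-sent HTML is coming from the client. The domain patterns, the sample pages and their script URLs are constructed assumptions for the demonstration.

```javascript
// Added example: distinguish a site-served affiliate script from a
// client-injected one by diffing server-sent HTML against the live DOM.
// Host patterns are an ASSUMPTION based on names commonly associated with
// Skimlinks; extend the list for your own case.
const AFFILIATE_HOST_PATTERNS = [
  /(^|\.)skimresources\.com$/i,
  /(^|\.)skimlinks\.com$/i,
  /(^|\.)redirectingat\.com$/i,
];

// Hostname of an absolute, protocol-relative or site-relative URL.
// Relative URLs resolve against a dummy base and therefore never match.
function hostOf(url) {
  try { return new URL(url, "https://example.invalid/").hostname; } catch { return ""; }
}

function isAffiliateHost(url) {
  const h = hostOf(url);
  return AFFILIATE_HOST_PATTERNS.some((re) => re.test(h));
}

// Extract <script src=...> values from raw HTML text without a DOM,
// which is what you have when you look at the server's response.
function scriptSrcsInHtml(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Classify one page. serverHtml: HTML fetched fresh for pageUrl.
// liveSrcs: script URLs observed in the rendered DOM of the same page.
function classifyPage(pageUrl, serverHtml, liveSrcs) {
  const served = new Set(scriptSrcsInHtml(serverHtml).filter(isAffiliateHost).map((u) => hostOf(u)));
  const live = new Set(liveSrcs.filter(isAffiliateHost).map((u) => hostOf(u)));
  const onlyInLiveDom = [...live].filter((h) => !served.has(h));
  return {
    page: pageUrl,
    servedByPage: [...served],
    onlyInLiveDom,
    verdict: onlyInLiveDom.length ? "client-injected" : served.size ? "site-served" : "none",
  };
}

// Across pages: a host that is "client-injected" on two or more unrelated
// sites points at the client, not at any single webmaster's choice.
function summarise(reports) {
  const counts = {};
  for (const r of reports) for (const h of r.onlyInLiveDom) counts[h] = (counts[h] || 0) + 1;
  return Object.entries(counts).filter(([, n]) => n >= 2).map(([h]) => h);
}

// Constructed sample data (not real captures). Page 1 is a forum whose
// webmaster uses Skimlinks; pages 2 and 3 do not, yet the live DOM has it.
const SAMPLE_PAGES = [
  {
    url: "https://forum-a.example/thread/1",
    serverHtml: '<html><head><script src="//s.skimresources.com/js/12345X67890.skimlinks.js"></script></head><body>...</body></html>',
    liveSrcs: ["https://s.skimresources.com/js/12345X67890.skimlinks.js", "https://forum-a.example/js/app.js"],
  },
  {
    url: "https://news-b.example/article",
    serverHtml: '<html><head><script src="/static/site.js"></script></head><body>...</body></html>',
    liveSrcs: ["https://news-b.example/static/site.js", "https://s.skimresources.com/js/99999X11111.skimlinks.js"],
  },
  {
    url: "https://shop-c.example/",
    serverHtml: "<html><body><p>no third-party scripts</p></body></html>",
    liveSrcs: ["https://s.skimresources.com/js/99999X11111.skimlinks.js"],
  },
];

function runSample() {
  return SAMPLE_PAGES.map((p) => classifyPage(p.url, p.serverHtml, p.liveSrcs));
}

// In a real browser console on a suspect page (not run here, needs a DOM):
//   const live = [...document.scripts].map((s) => s.src).filter(Boolean);
//   const html = await (await fetch(location.href, { cache: "no-store" })).text();
//   classifyPage(location.href, html, live);
```

Run the console snippet on a handful of unrelated sites and feed the results to summarise(); the thread's own observation (Skimwords links present whether or not you are logged in, on a site whose owner may simply use the service) is exactly the "site-served" case. One caveat: a proxy or ISP that rewrites traffic alters the fetched HTML as well, so an injection at that layer will look site-served from the affected machine; confirm from a known-clean machine or a different network before concluding anything, and review installed browser extensions, since an extension is the usual source of a script that exists only in the live DOM.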



#12 Oh My!
  • Malware Response Instructor

Posted 27 March 2015 - 05:38 PM

Thanks for the update. A couple more programs to run.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click Run ESET Online Scanner.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Click Enable detection of potentially unwanted applications
  • Accept any security warnings from your browser.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Check Uninstall application on close and Delete quarantined files
  • Click the Finish button.
  • Close the ESET window and reboot your computer
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 

#13 Oh My!
  • Malware Response Instructor

Posted 30 March 2015 - 04:51 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48 hours you have not replied to this thread then it will have to be closed.

Gary
 

#14 ericbecky
  • Topic Starter

Posted 30 March 2015 - 11:03 PM

I have lost my computer charge cord and am waiting for a replacement.
Sorry. I will be able to charge it tomorrow and do the items you mentioned. (18 hours from now)

#15 Oh My!
  • Malware Response Instructor

Posted 31 March 2015 - 08:47 AM

No problem, thanks for letting me know.
Gary
 



