
DNS Changer Virus Infected ALL My Laptops And Mobiles On WiFi Network!


  • This topic is locked
40 replies to this topic

#1 shadowvalar

shadowvalar

  • Members
  • 20 posts

Posted 22 March 2015 - 02:38 AM

Hi, this is my first post here. It’s a last resort to solve this huge problem!

 

The problem I have is very complex, but here is the situation at the moment. My router has a suspicious DNS loaded onto it, 1 laptop and 1 PC and 2 phones get pornographic popups on all browsers, and 3 other laptops cannot even connect to the router network!

 

I’ll go step by step

 

stage 1 : Began noticing pornographic popups on 1 laptop (DELL, Win7) and 1 mobile (Android) on chrome, firefox and torch. These popups were mostly adfoc.us and adultcameras.info. They appeared whenever any new site webpage was loaded and was clicked on for the first time.

 

stage 2 : Same problem began to appear on all devices connected to the WiFi network. 3 laptops, 2 phones and 1 desktop PC (that had Ethernet connected to the router).

 

stage 3 : After some googling I saw that the DNS-changing Trojan could be the problem. And true enough the DNS on the router was a suspicious one: 91.194.254.105, which a Google search said was a malicious address.

 

stage 4 : I tried everything. Reset router, configured DNS. Run various malware scans including MalwareBytes, did an Avast boot time scan. After some time, the problem just sort of stopped. By itself.

 

stage 5 : 2 MONTHS PASSED. Without any problems. Now there is a new laptop also connected to the network. And everything was working fine. No popups, no suspicious DNS etc.

 

stage 6 : Last Friday, suddenly the new laptop could not discover the WiFi network from the router. Same occurred to 2 other laptops that were being used for months on this network. The WiFi name did not appear at all. Even though other devices (laptops, desktop and phones) connected with full signal strength to the network from the same locations. So I checked the router DNS. And THE SUSPICIOUS DNS WAS THERE AGAIN! And for the first time after that my desktop computer had one popup appearing once!

 

I am really desperate. I don’t know if I have to reformat every device that connected to my home network and get a new router as well!

 

Methods I tried :

Reset router and change DNS. Doesn’t work, gets changed back to the problem DNS.

Avast boot time scan and fix. MalwareBytes running. Windows Security Essentials on some laptops and Windows Defender on another one.

 

Details about the devices :

router is TP-LINK type.

Laptops have Windows 7 and Windows 8.1. Phones have Android. If further details are needed will provide.

 

Would greatly appreciate any assistance.

 

I did the FRST scan on my desktop computer that is connected via Ethernet to the router. On this computer internet works and this was the only one that had one popup after 2 months. Have attached addition.txt.

Attached Files
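The post above describes the symptom every DNS-changer case shares: the router hands out a rogue resolver over DHCP, so every device on the LAN is affected no matter what is installed on it. Before cleaning individual hosts it helps to confirm, on each Windows machine, which resolvers it was actually handed. The script below is an added example (editor's code, not from the original post or from any tool mentioned in the thread). It parses saved `ipconfig /all` output and flags any resolver that is neither on the expected list nor on the local network. The expected-resolver set, the adapter names and the sample output are constructed assumptions; the rogue address is the one reported in the post.

```python
"""Flag unexpected DNS resolvers in saved `ipconfig /all` output.

Added example (editor's code, not from the original post). Assumptions are
marked as such; the sample output below is constructed."""
import ipaddress
import re

# Assumption: the resolvers you expect DHCP to hand out (your ISP's, or the
# public resolvers you configured on the router yourself).
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# The address the original post found configured on the router.
REPORTED_ROGUE = {"91.194.254.105"}

# Constructed `ipconfig /all` excerpt: the wired adapter is clean, the wireless
# adapter was handed the rogue resolver first and the router second.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 8.8.4.4
                                       8.8.8.8

Wireless LAN adapter Wireless Network Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 91.194.254.105
                                       192.168.0.1
"""

# Adapter headings start at column 0 and end with a colon,
# e.g. "Ethernet adapter Local Area Connection:".
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")


def parse_ipconfig_dns(text):
    """Return {adapter name: [resolver, ...]} from `ipconfig /all` output.

    The first resolver sits on the "DNS Servers" line; further resolvers are
    indented continuation lines holding a bare address, so each continuation
    line is validated as an IP address before it is accepted."""
    adapters = {}
    current = None
    collecting = False
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            current = heading.group(1)
            adapters[current] = []
            collecting = False
            continue
        value = line.strip()
        if current is None or not value:
            collecting = False
            continue
        if value.startswith("DNS Servers"):
            adapters[current].append(value.split(":", 1)[1].strip())
            collecting = True
            continue
        if collecting:
            try:
                ipaddress.ip_address(value)
                adapters[current].append(value)
                continue
            except ValueError:
                collecting = False
    return adapters


def classify(server):
    """Categorise one resolver address."""
    if server in REPORTED_ROGUE:
        return "rogue"
    if server in EXPECTED_RESOLVERS:
        return "expected"
    ip = ipaddress.ip_address(server)
    if ip.is_loopback:
        return "local"
    if ip.is_private:
        # Usually the router itself: the host merely trusts it, so the
        # router's own upstream DNS setting is what must be inspected next.
        return "lan"
    return "unexpected-public"


def audit(text):
    """Return (adapter, resolver, verdict) for every resolver needing action."""
    findings = []
    for adapter, servers in parse_ipconfig_dns(text).items():
        for server in servers:
            verdict = classify(server)
            if verdict in ("rogue", "unexpected-public"):
                findings.append((adapter, server, verdict))
    return findings


if __name__ == "__main__":
    for adapter, server, verdict in audit(SAMPLE_IPCONFIG):
        print(f"{verdict:18} {server:16} on {adapter}")
```

Run `ipconfig /all > ipconfig.txt` on each Windows host and pass the file's contents to `audit()`. A LAN address is deliberately not flagged: it only says the host trusts the router, and whether the router's upstream DNS setting has been changed has to be read from the router's admin page. A router setting that reverts after a reset, as the post reports, means something is reconfiguring the router again (a weak or default admin password, management reachable from the WAN side, or a still-infected LAN host), so scanning hosts alone will not settle the case.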



 


#2 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 23 March 2015 - 09:55 AM

Hello shadowvalar and welcome to BleepingComputer! :)

 

My name is Sirawit and I'm here to help you.

 

Please note that I'm currently in training and my fixes need to be approved first, that may delay our fix a bit, but I will normally reply back in 24 hours.

 

If I don't reply after 3 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

Please post FRST.txt (Don't attach. Just copy and paste.) for my review.

 

 

Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on-demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating system's core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are initiated, each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "false positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that threat. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you may encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found after it has already been neutralized.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of another and may insist that it be removed prior to installation. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms as described above while trying to use it. In some cases, one of the anti-virus programs may even get disabled by the other.

To avoid these problems, use only one anti-virus solution. Please uninstall Kaspersky Internet Security or Avast.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 shadowvalar

shadowvalar
  • Topic Starter

  • Members
  • 20 posts

Posted 24 March 2015 - 05:58 AM

Hi Sirawit, Thank you so much for the quick reply :) Totally understand if you are unable to reply for a few days due to 'real life' ;)
 
So which computer should I start to work on first? Like I said, many computers and phones are infected.
 
Since I started on the desktop PC, I'll continue to do whatever you say on that unless you tell me otherwise. Have already backed up stuff. PC can be completely formatted if worst comes to worst. :)
 
Details about this PC : Win7, 3, 2GB RAM, doesn't have any antivirus except Avast and Kaspersky and MalwareBytes.
 
I uninstalled avast and Kaspersky since you asked me to. This will leave my PC without any antivirus. Please tell me if that is wrong.
 
After uninstalling I ran FRST again and will post FRST.txt on the next post.
 
Further updates on the popup situation : Popups appear more frequently now on all WiFi connected devices. Am now able to connect to the router using the other devices also (that could not connect before). I'm thinking of changing the router, is that good?

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by user (administrator) on USER-PC on 24-03-2015 16:26:36
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available profiles: user)
Platform: Microsoft Windows 7 Ultimate  (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(TorchMedia Inc.) C:\Users\user\AppData\Local\Torch\Update\TorchCrashHandler.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(SoftPerfect Research) C:\Program Files\NetWorx\networx.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
() C:\Users\user\Desktop\NetMeter.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
() C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10082920 2011-06-09] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM\...\Run: [NetWorx] => C:\Program Files\NetWorx\networx.exe [3272592 2012-11-24] (SoftPerfect Research)
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [17875120 2012-10-19] (Skype Technologies S.A.)
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\Run: [NetMeter] => C:\Users\user\Desktop\NetMeter.exe [293888 2015-01-19] ()
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\MountPoints2: {065e920a-ceef-11e4-949f-bc5ff449f72c} - F:\Startme.exe
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\MountPoints2: {d17b3f11-61cb-11e4-b5b0-bc5ff449f72c} - F:\SISetup.exe
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\MountPoints2: {ed37f0cf-e220-11e3-b1b0-806e6f6e6963} - D:\ASRSetup.exe
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-2581912368-3558610858-2423039881-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 8.8.4.4 8.8.8.8
 
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\r4xy0w40.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2014-07-22] (Adobe Systems)
FF Plugin HKU\S-1-5-21-2581912368-3558610858-2423039881-1000: TorchVLC -> C:\Users\user\AppData\Local\Torch\Plugins\Video\VLC\npvlc.dll [2013-07-31] (VideoLAN)
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14]
 
Chrome: 
=======
CHR HomePage: Profile 1 -> hxxp://www.msn.com/?ocid=OIE9MSE
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-01]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-01]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-01]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-01]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-01]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-01]
CHR Extension: (AdBlock) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-03-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-17]
CHR Extension: (Google Input Tools) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mclkkofklkfljcocdinagocijmpgbhab [2015-03-22]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-01]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-01]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
CHR HKLM\...\Chrome\Extension: [poimdfnhgefmnkeefbjibbiemlimdnof] - https://clients2.google.com/service/update2/crx
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [274200 2012-01-12] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel® Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
R2 TorchCrashHandler; C:\Users\user\AppData\Local\Torch\Update\TorchCrashHandler.exe [1217032 2015-02-24] (TorchMedia Inc.) <==== ATTENTION
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD.sys [39360 2012-02-09] ()
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-24 16:26 - 2015-03-24 16:27 - 00012510 _____ () C:\Users\user\Downloads\FRST.txt
2015-03-23 20:49 - 2015-03-23 20:49 - 00001040 _____ () C:\Users\user\Desktop\New Text Document.txt
2015-03-23 14:52 - 2015-03-23 14:52 - 00000197 _____ () C:\Windows\system32\2015-03-23-09-22-10.049-AvastVBoxSVC.exe-3012.log
2015-03-23 07:50 - 2015-03-23 07:51 - 00000197 _____ () C:\Windows\system32\2015-03-23-02-20-47.001-AvastVBoxSVC.exe-3392.log
2015-03-22 17:42 - 2015-03-22 17:42 - 00000197 _____ () C:\Windows\system32\2015-03-22-12-12-41.043-AvastVBoxSVC.exe-3144.log
2015-03-22 14:49 - 2015-03-22 14:49 - 00000197 _____ () C:\Windows\system32\2015-03-22-09-19-12.016-AvastVBoxSVC.exe-3028.log
2015-03-22 12:51 - 2015-03-24 16:26 - 00000000 ____D () C:\FRST
2015-03-22 12:44 - 2015-03-22 12:45 - 01135104 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-03-22 12:39 - 2015-03-22 12:39 - 00000197 _____ () C:\Windows\system32\2015-03-22-07-09-16.073-AvastVBoxSVC.exe-4364.log
2015-03-21 19:14 - 2015-03-21 19:14 - 00000197 _____ () C:\Windows\system32\2015-03-21-13-44-35.030-AvastVBoxSVC.exe-4528.log
2015-03-21 10:18 - 2015-03-21 10:18 - 00000197 _____ () C:\Windows\system32\2015-03-21-04-48-32.007-AvastVBoxSVC.exe-3452.log
2015-03-20 16:24 - 2015-03-20 16:24 - 00000197 _____ () C:\Windows\system32\2015-03-20-10-54-01.009-AvastVBoxSVC.exe-4636.log
2015-03-17 18:00 - 2015-03-17 18:00 - 00000197 _____ () C:\Windows\system32\2015-03-17-12-30-46.026-AvastVBoxSVC.exe-3132.log
2015-03-10 20:48 - 2015-03-10 20:48 - 00000197 _____ () C:\Windows\system32\2015-03-10-15-18-55.027-AvastVBoxSVC.exe-3496.log
2015-03-10 14:22 - 2015-03-10 14:22 - 10492202 _____ () C:\Users\user\Downloads\Grammar Bytes! Presents -- Finding and Fixing Misplaced and Dangling Modifiers - YouTube[via torchbrowser.com].aac
2015-03-10 14:21 - 2015-03-10 14:22 - 32263620 _____ () C:\Users\user\Downloads\Grammar Bytes! Presents -- Finding and Fixing Misplaced and Dangling Modifiers - YouTube[via torchbrowser.com].mp4
2015-03-10 14:17 - 2015-03-10 14:17 - 03034729 _____ () C:\Users\user\Downloads\Dangling Modifiers- a how-to music video - YouTube[via torchbrowser.com].aac
2015-03-10 14:16 - 2015-03-10 14:16 - 13793400 _____ () C:\Users\user\Downloads\Dangling Modifiers- a how-to music video - YouTube[via torchbrowser.com].mp4
2015-03-10 13:55 - 2015-03-10 13:55 - 00000197 _____ () C:\Windows\system32\2015-03-10-08-25-12.045-AvastVBoxSVC.exe-3112.log
2015-03-10 12:47 - 2015-03-10 12:47 - 15831695 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 4[via torchbrowser.com].flv
2015-03-10 12:38 - 2015-03-10 12:38 - 13397614 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 3[via torchbrowser.com].flv
2015-03-10 09:08 - 2015-03-10 09:14 - 00000247 _____ () C:\Windows\system32\2015-03-10-03-38-29.041-aswFe.exe-6112.log
2015-03-10 09:08 - 2015-03-10 09:08 - 00000197 _____ () C:\Windows\system32\2015-03-10-03-38-23.006-AvastVBoxSVC.exe-3708.log
2015-03-04 15:11 - 2015-03-04 15:11 - 02612019 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 6[via torchbrowser.com].aac
2015-03-04 15:09 - 2015-03-04 15:11 - 14603819 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 6[via torchbrowser.com].flv
2015-03-04 15:04 - 2015-03-04 15:04 - 02906459 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 5[via torchbrowser.com].aac
2015-03-04 15:03 - 2015-03-04 15:04 - 16168218 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 5[via torchbrowser.com].flv
2015-03-04 14:45 - 2015-03-04 15:00 - 00002357 _____ () C:\Users\user\Desktop\Facebook.lnk
2015-03-04 14:45 - 2015-03-04 15:00 - 00002315 _____ () C:\Users\user\Desktop\hsbc.lk.lnk
2015-03-04 14:43 - 2015-03-24 16:23 - 00000000 ____D () C:\ProgramData\TorchCrashHandler
2015-03-04 14:43 - 2015-03-04 14:45 - 00001397 _____ () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch.lnk
2015-03-04 14:43 - 2015-03-04 14:45 - 00001372 _____ () C:\Users\user\Desktop\Torch.lnk
2015-03-04 14:43 - 2015-03-04 14:44 - 00002217 _____ () C:\Users\user\Desktop\Free Music.lnk
2015-03-04 14:43 - 2015-03-04 14:44 - 00002217 _____ () C:\Users\user\Desktop\Free Games.lnk
2015-03-04 14:43 - 2015-03-04 14:43 - 00000000 ____D () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch
2015-03-04 14:40 - 2015-03-04 14:43 - 00000000 ____D () C:\Users\user\AppData\Local\Torch
2015-03-04 14:39 - 2015-03-04 14:39 - 02372136 _____ (Torch Media, Inc) C:\Users\user\Downloads\TorchSetup-r21-n-bc.exe
2015-03-04 13:58 - 2015-03-04 13:59 - 00000197 _____ () C:\Windows\system32\2015-03-04-08-28-54.033-AvastVBoxSVC.exe-3784.log
2015-03-02 03:50 - 2015-03-02 03:50 - 00000197 _____ () C:\Windows\system32\2015-03-01-22-20-09.035-AvastVBoxSVC.exe-4268.log
2015-02-28 17:37 - 2015-02-28 17:38 - 09213196 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 2[via torchbrowser.com].flv
2015-02-28 16:22 - 2015-02-28 16:23 - 21289903 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 1[via torchbrowser.com].flv
2015-02-28 15:56 - 2015-02-28 15:57 - 00000197 _____ () C:\Windows\system32\2015-02-28-10-26-59.009-AvastVBoxSVC.exe-4304.log
2015-02-28 10:31 - 2015-02-28 10:31 - 00527423 _____ ( ) C:\Users\user\Downloads\Lame_v3.99.3_for_Windows.exe
2015-02-28 09:34 - 2015-02-28 16:27 - 00000000 ____D () C:\Users\user\AppData\Roaming\Audacity
2015-02-28 09:34 - 2015-02-28 09:34 - 00000981 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2015-02-28 09:34 - 2015-02-28 09:34 - 00000969 _____ () C:\Users\Public\Desktop\Audacity.lnk
2015-02-28 09:34 - 2015-02-28 09:34 - 00000000 ____D () C:\Program Files\Audacity
2015-02-28 09:32 - 2015-02-28 09:33 - 22892794 _____ (Audacity Team ) C:\Users\user\Downloads\audacity-win-2.0.6.exe
2015-02-28 09:23 - 2015-02-28 09:24 - 00000197 _____ () C:\Windows\system32\2015-02-28-03-53-43.034-AvastVBoxSVC.exe-4936.log
2015-02-26 13:47 - 2015-02-26 13:47 - 00000197 _____ () C:\Windows\system32\2015-02-26-08-17-04.022-AvastVBoxSVC.exe-3756.log
2015-02-24 11:40 - 2015-02-24 11:40 - 00000197 _____ () C:\Windows\system32\2015-02-24-06-10-02.029-AvastVBoxSVC.exe-1352.log
2015-02-24 09:59 - 2015-02-24 09:59 - 00000197 _____ () C:\Windows\system32\2015-02-24-04-29-49.034-AvastVBoxSVC.exe-4652.log
2015-02-24 06:15 - 2015-02-24 06:16 - 00000197 _____ () C:\Windows\system32\2015-02-24-00-45-41.040-AvastVBoxSVC.exe-4636.log
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-24 16:25 - 2014-07-07 16:05 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-24 16:24 - 2014-05-22 19:37 - 00000000 ____D () C:\Users\user\AppData\Local\Adobe
2015-03-24 16:23 - 2014-07-07 16:05 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-24 16:23 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-24 16:23 - 2009-07-14 10:09 - 00045508 _____ () C:\Windows\setupact.log
2015-03-24 15:40 - 2014-05-22 19:29 - 01182860 _____ () C:\Windows\WindowsUpdate.log
2015-03-24 15:38 - 2014-05-22 19:53 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-24 13:52 - 2014-05-22 19:31 - 00726316 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-24 06:50 - 2009-07-14 10:04 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-24 06:50 - 2009-07-14 10:04 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-23 20:57 - 2014-05-22 19:57 - 00797866 _____ () C:\Windows\PFRO.log
2015-03-23 20:57 - 2014-05-22 19:47 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-03-23 20:46 - 2009-07-14 08:07 - 00000000 ___RD () C:\Users\Public
2015-03-23 15:43 - 2014-05-22 19:46 - 00000000 ____D () C:\Users\user\AppData\Roaming\Skype
2015-03-23 15:30 - 2015-02-01 12:03 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-22 13:27 - 2014-07-07 16:06 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-10 15:44 - 2014-10-28 13:22 - 00000000 ____D () C:\Users\user\Documents\Rushira
2015-03-04 15:08 - 2014-05-22 19:36 - 00000000 ____D () C:\Users\user\AppData\Roaming\vlc
 
Some content of TEMP:
====================
C:\Users\user\AppData\Local\Temp\ose00000.exe
C:\Users\user\AppData\Local\Temp\siinst.exe
C:\Users\user\AppData\Local\Temp\SoftonicAssistant_v0-1-6.exe
C:\Users\user\AppData\Local\Temp\strings.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-20 18:47
 
==================== End Of Log ============================


#4 Sirawit (Malware Response Team)

Posted 24 March 2015 - 06:01 AM

Hi shadowvalar.

You should have one antivirus actively protecting your computer, not more than one. For now, please install one antivirus and I will get back to you as fast as possible.

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#5 shadowvalar (Topic Starter)

Posted 24 March 2015 - 06:19 AM

Hi Sirawit,

Oops, my bad. I reinstalled the Avast free version for now :)

Thanks



#6 Sirawit (Malware Response Team)

Posted 24 March 2015 - 01:54 PM

Hi shadowvalar.

Please use the machine you used to create the previous logs for me.

We need to remove programs using "Programs and Features":

Click the "Start" orb on the taskbar, and then click the "Control Panel" button.

  • If you use Category mode, click on Uninstall a Program.
  • If you use Icons mode, click on Programs and Features.

A list of installed programs will be populated (this may take a bit of time).
If they exist, uninstall the following by clicking on the below entries and selecting "Remove":

Softonic for Windows

Additional instructions can be found here if needed.

 

 

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST.
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run; please post it in your reply.

==========

After the fix has completed, please create a new FRST log for me.

Thank you.


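The fix Sirawit prepared for this machine removes a process, its Run entry and a Chrome extension key, and the decision to do so rests on reading the FRST logs posted in this thread. As an added example that is not part of the thread and is not Farbar's code, the Python below parses lines in FRST's Registry and Services layout and surfaces the autostart entries a responder would look at first: binaries launched from user-writable paths, entries whose version information carries no publisher (the empty `()` in FRST output), MountPoints2 removable-media autorun entries, and anything FRST itself marks `<==== ATTENTION`. The sample lines are constructed from entries visible in this thread's logs and are not a complete report; the heuristics are the editor's, not FRST's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in FRST's own line layout, modelled on entries shown in this
# thread's logs; it is not a complete FRST report.
SAMPLE_LOG = """\
HKLM\\...\\Run: [RtHDVCpl] => C:\\Program Files\\Realtek\\Audio\\HDA\\RtHDVCpl.exe [10082920 2011-06-09] (Realtek Semiconductor)
HKU\\S-1-5-21-2581912368-3558610858-2423039881-1000\\...\\Run: [NetMeter] => C:\\Users\\user\\Desktop\\NetMeter.exe [293888 2015-01-19] ()
HKU\\S-1-5-21-2581912368-3558610858-2423039881-1000\\...\\MountPoints2: {065e920a-ceef-11e4-949f-bc5ff449f72c} - F:\\Startme.exe
R2 TorchCrashHandler; C:\\Users\\user\\AppData\\Local\\Torch\\Update\\TorchCrashHandler.exe [1217032 2015-02-24] (TorchMedia Inc.) <==== ATTENTION
R2 avast! Antivirus; C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe [343336 2015-03-24] (Avast Software s.r.o.)
"""

# HKLM\...\Run: [Name] => path [size date] (Publisher)
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) "
    r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<pub>[^)]*)\)$")
# HKU\...\MountPoints2: {guid} - X:\autorun-target.exe
MOUNT_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\MountPoints2: \{(?P<guid>[0-9a-fA-F-]+)\} - (?P<path>.+)$")
# R2 name; path [size date] (Publisher) <==== ATTENTION
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<pub>[^)]*)\)(?P<flag> <==== ATTENTION)?$")

# Editor's heuristic: locations an ordinary user can write to. A service or Run
# entry launching from here deserves a second look even if nothing else is odd.
USER_WRITABLE = ("\\users\\", "\\programdata\\")


@dataclass
class Finding:
    kind: str        # "Run", "MountPoints2" or "Service"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _path_reasons(path, publisher=None, attention=False):
    reasons = []
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("launches from a user-writable location")
    if publisher is not None and publisher.strip() == "":
        reasons.append("no publisher in version info")
    if attention:
        reasons.append("flagged ATTENTION by FRST")
    return reasons


def triage(log_text):
    """Return the autostart entries in FRST log text that merit manual review."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RUN_RE.match(line):
            reasons = _path_reasons(m["path"], m["pub"])
            if reasons:
                findings.append(Finding("Run", m["name"], m["path"], reasons))
        elif m := MOUNT_RE.match(line):
            # MountPoints2 records a removable drive's autorun target; the drive
            # letter already tells you it is media, so always surface these.
            findings.append(Finding("MountPoints2", m["guid"], m["path"],
                                    ["autorun entry for removable media"]))
        elif m := SVC_RE.match(line):
            reasons = _path_reasons(m["path"], m["pub"], bool(m["flag"]))
            if reasons:
                findings.append(Finding("Service", m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:12} {f.name:40} {f.path}")
        for r in f.reasons:
            print(f"{'':12} - {r}")
```

Run it against a saved report with `triage(open("FRST.txt", encoding="utf-8").read())`. A hit is a candidate for review, not a verdict: legitimate per-user software also lives under AppData, which is why the reasons are listed rather than collapsed into a score, and why the decision to move a file or delete a key stays with the analyst writing the fixlist.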


#7 shadowvalar (Topic Starter)

Posted 24 March 2015 - 09:33 PM

Hi Sirawit,

Thanks again for the quick reply.

Followed your steps and removed Softonic from Programs and Features.

Used the fixlist and ran a fix. Will post Fixlog.txt below. Computer needed to restart. Restarted normally.

Ran a scan and will post FRST.txt.

------------------------------------------------------------------------
Fixlog.txt
------------------------------------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by user at 2015-03-25 07:52:36 Run:1
Running from C:\Users\user\Desktop\New folder
Loaded Profiles: user (Available profiles: user)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
C:\Users\user\Desktop\NetMeter.exe
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\Run: [NetMeter] => C:\Users\user\Desktop\NetMeter.exe [293888 2015-01-19] ()
CHR HKLM\...\Chrome\Extension: [poimdfnhgefmnkeefbjibbiemlimdnof] - https://clients2.google.com/service/update2/crx
cmd: ipconfig /all
EmptyTemp:
*****************
 
Processes closed successfully.
C:\Users\user\Desktop\NetMeter.exe => Moved successfully.
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\Software\Microsoft\Windows\CurrentVersion\Run\\NetMeter => value deleted successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\poimdfnhgefmnkeefbjibbiemlimdnof" => Key deleted successfully.
 
=========  ipconfig /all =========
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : user-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
   Physical Address. . . . . . . . . : BC-5F-F4-49-F7-2C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::645f:3083:90e2:4a18%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, March 25, 2015 7:47:00 AM
   Lease Expires . . . . . . . . . . : Saturday, March 28, 2015 7:47:00 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 247226356
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-10-69-8F-BC-5F-F4-49-F7-2C
   DNS Servers . . . . . . . . . . . : 8.8.4.4
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{5DD85A54-3EC5-42ED-B28F-26E7CE03E684}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2c1e:a1cb:83d4:2983(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::2c1e:a1cb:83d4:2983%12(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
========= End of CMD: =========
 
EmptyTemp: => Removed 3 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 07:54:01 ====
 
 
 
 
 
 
------------------------
FRST.txt
------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by user (administrator) on USER-PC on 25-03-2015 07:55:51
Running from C:\Users\user\Desktop\New folder
Loaded Profiles: user (Available profiles: user)
Platform: Microsoft Windows 7 Ultimate  (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(TorchMedia Inc.) C:\Users\user\AppData\Local\Torch\Update\TorchCrashHandler.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(SoftPerfect Research) C:\Program Files\NetWorx\networx.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
() C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10082920 2011-06-09] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM\...\Run: [NetWorx] => C:\Program Files\NetWorx\networx.exe [3272592 2012-11-24] (SoftPerfect Research)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5512912 2015-03-24] (Avast Software s.r.o.)
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [17875120 2012-10-19] (Skype Technologies S.A.)
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\MountPoints2: {065e920a-ceef-11e4-949f-bc5ff449f72c} - F:\Startme.exe
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\MountPoints2: {d17b3f11-61cb-11e4-b5b0-bc5ff449f72c} - F:\SISetup.exe
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\...\MountPoints2: {ed37f0cf-e220-11e3-b1b0-806e6f6e6963} - D:\ASRSetup.exe
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (Avast Software s.r.o.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2581912368-3558610858-2423039881-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-2581912368-3558610858-2423039881-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-03-24] (Avast Software s.r.o.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 8.8.4.4 8.8.8.8
 
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\r4xy0w40.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2014-07-22] (Adobe Systems)
FF Plugin HKU\S-1-5-21-2581912368-3558610858-2423039881-1000: TorchVLC -> C:\Users\user\AppData\Local\Torch\Plugins\Video\VLC\npvlc.dll [2013-07-31] (VideoLAN)
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-03-24]
 
Chrome: 
=======
CHR HomePage: Profile 1 -> hxxp://www.msn.com/?ocid=OIE9MSE
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-01]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-01]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-01]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-01]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-01]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-01]
CHR Extension: (AdBlock) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-03-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-17]
CHR Extension: (Google Input Tools) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mclkkofklkfljcocdinagocijmpgbhab [2015-03-22]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-01]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-01]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-24]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-03-24] (Avast Software s.r.o.)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [3205216 2015-03-24] (Avast Software)
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [274200 2012-01-12] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel® Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
R2 TorchCrashHandler; C:\Users\user\AppData\Local\Torch\Update\TorchCrashHandler.exe [1217032 2015-02-24] (TorchMedia Inc.) <==== ATTENTION
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24144 2015-03-24] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [73440 2015-03-24] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81728 2015-03-24] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49904 2015-03-24] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [788272 2015-03-24] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427736 2015-03-24] (Avast Software s.r.o.)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [106912 2015-03-24] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [208024 2015-03-24] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD.sys [39360 2012-02-09] ()
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [220240 2015-03-24] (Avast Software)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-25 07:51 - 2015-03-25 07:55 - 00000000 ____D () C:\Users\user\Desktop\New folder
2015-03-24 16:52 - 2015-03-24 16:52 - 00000000 ____D () C:\Users\user\AppData\Roaming\Dropbox
2015-03-24 16:51 - 2015-03-24 16:51 - 00002079 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-03-24 16:51 - 2015-03-24 16:51 - 00000000 ____D () C:\Users\user\AppData\Roaming\AVAST Software
2015-03-24 16:51 - 2015-03-24 16:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-03-24 16:50 - 2015-03-24 16:50 - 00788272 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswSnx.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00427736 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswSP.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00291312 _____ (Avast Software s.r.o.) C:\Windows\system32\aswBoot.exe
2015-03-24 16:50 - 2015-03-24 16:50 - 00208024 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00106912 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswStm.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00081728 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswRdr2.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00073440 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00049904 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2015-03-24 16:50 - 2015-03-24 16:50 - 00043112 _____ (Avast Software s.r.o.) C:\Windows\avastSS.scr
2015-03-24 16:50 - 2015-03-24 16:50 - 00024144 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2015-03-24 16:48 - 2015-03-24 16:48 - 00000000 ____D () C:\Program Files\AVAST Software
2015-03-24 16:47 - 2015-03-24 16:47 - 06144920 _____ (AVAST Software s. r. o.) C:\Users\user\Downloads\avast_free_antivirus_setup_online (1).exe
2015-03-24 16:47 - 2015-03-24 16:47 - 00292376 _____ (AVAST Software s. r. o.) C:\Windows\AswCheck.exe
2015-03-24 16:27 - 2015-03-24 16:27 - 00020577 _____ () C:\Users\user\Downloads\Addition.txt
2015-03-24 16:26 - 2015-03-24 16:27 - 00022213 _____ () C:\Users\user\Downloads\FRST.txt
2015-03-23 20:49 - 2015-03-23 20:49 - 00001040 _____ () C:\Users\user\Desktop\New Text Document.txt
2015-03-23 14:52 - 2015-03-23 14:52 - 00000197 _____ () C:\Windows\system32\2015-03-23-09-22-10.049-AvastVBoxSVC.exe-3012.log
2015-03-23 07:50 - 2015-03-23 07:51 - 00000197 _____ () C:\Windows\system32\2015-03-23-02-20-47.001-AvastVBoxSVC.exe-3392.log
2015-03-22 17:42 - 2015-03-22 17:42 - 00000197 _____ () C:\Windows\system32\2015-03-22-12-12-41.043-AvastVBoxSVC.exe-3144.log
2015-03-22 14:49 - 2015-03-22 14:49 - 00000197 _____ () C:\Windows\system32\2015-03-22-09-19-12.016-AvastVBoxSVC.exe-3028.log
2015-03-22 12:51 - 2015-03-25 07:55 - 00000000 ____D () C:\FRST
2015-03-22 12:39 - 2015-03-22 12:39 - 00000197 _____ () C:\Windows\system32\2015-03-22-07-09-16.073-AvastVBoxSVC.exe-4364.log
2015-03-21 19:14 - 2015-03-21 19:14 - 00000197 _____ () C:\Windows\system32\2015-03-21-13-44-35.030-AvastVBoxSVC.exe-4528.log
2015-03-21 10:18 - 2015-03-21 10:18 - 00000197 _____ () C:\Windows\system32\2015-03-21-04-48-32.007-AvastVBoxSVC.exe-3452.log
2015-03-20 16:24 - 2015-03-20 16:24 - 00000197 _____ () C:\Windows\system32\2015-03-20-10-54-01.009-AvastVBoxSVC.exe-4636.log
2015-03-17 18:00 - 2015-03-17 18:00 - 00000197 _____ () C:\Windows\system32\2015-03-17-12-30-46.026-AvastVBoxSVC.exe-3132.log
2015-03-10 20:48 - 2015-03-10 20:48 - 00000197 _____ () C:\Windows\system32\2015-03-10-15-18-55.027-AvastVBoxSVC.exe-3496.log
2015-03-10 14:22 - 2015-03-10 14:22 - 10492202 _____ () C:\Users\user\Downloads\Grammar Bytes! Presents -- Finding and Fixing Misplaced and Dangling Modifiers - YouTube[via torchbrowser.com].aac
2015-03-10 14:21 - 2015-03-10 14:22 - 32263620 _____ () C:\Users\user\Downloads\Grammar Bytes! Presents -- Finding and Fixing Misplaced and Dangling Modifiers - YouTube[via torchbrowser.com].mp4
2015-03-10 14:17 - 2015-03-10 14:17 - 03034729 _____ () C:\Users\user\Downloads\Dangling Modifiers- a how-to music video - YouTube[via torchbrowser.com].aac
2015-03-10 14:16 - 2015-03-10 14:16 - 13793400 _____ () C:\Users\user\Downloads\Dangling Modifiers- a how-to music video - YouTube[via torchbrowser.com].mp4
2015-03-10 13:55 - 2015-03-10 13:55 - 00000197 _____ () C:\Windows\system32\2015-03-10-08-25-12.045-AvastVBoxSVC.exe-3112.log
2015-03-10 12:47 - 2015-03-10 12:47 - 15831695 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 4[via torchbrowser.com].flv
2015-03-10 12:38 - 2015-03-10 12:38 - 13397614 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 3[via torchbrowser.com].flv
2015-03-10 09:08 - 2015-03-10 09:14 - 00000247 _____ () C:\Windows\system32\2015-03-10-03-38-29.041-aswFe.exe-6112.log
2015-03-10 09:08 - 2015-03-10 09:08 - 00000197 _____ () C:\Windows\system32\2015-03-10-03-38-23.006-AvastVBoxSVC.exe-3708.log
2015-03-04 15:11 - 2015-03-04 15:11 - 02612019 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 6[via torchbrowser.com].aac
2015-03-04 15:09 - 2015-03-04 15:11 - 14603819 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 6[via torchbrowser.com].flv
2015-03-04 15:04 - 2015-03-04 15:04 - 02906459 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 5[via torchbrowser.com].aac
2015-03-04 15:03 - 2015-03-04 15:04 - 16168218 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 5[via torchbrowser.com].flv
2015-03-04 14:45 - 2015-03-04 15:00 - 00002357 _____ () C:\Users\user\Desktop\Facebook.lnk
2015-03-04 14:45 - 2015-03-04 15:00 - 00002315 _____ () C:\Users\user\Desktop\hsbc.lk.lnk
2015-03-04 14:43 - 2015-03-25 07:54 - 00000000 ____D () C:\ProgramData\TorchCrashHandler
2015-03-04 14:43 - 2015-03-04 14:45 - 00001397 _____ () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch.lnk
2015-03-04 14:43 - 2015-03-04 14:45 - 00001372 _____ () C:\Users\user\Desktop\Torch.lnk
2015-03-04 14:43 - 2015-03-04 14:44 - 00002217 _____ () C:\Users\user\Desktop\Free Music.lnk
2015-03-04 14:43 - 2015-03-04 14:44 - 00002217 _____ () C:\Users\user\Desktop\Free Games.lnk
2015-03-04 14:43 - 2015-03-04 14:43 - 00000000 ____D () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch
2015-03-04 14:40 - 2015-03-04 14:43 - 00000000 ____D () C:\Users\user\AppData\Local\Torch
2015-03-04 14:39 - 2015-03-04 14:39 - 02372136 _____ (Torch Media, Inc) C:\Users\user\Downloads\TorchSetup-r21-n-bc.exe
2015-03-04 13:58 - 2015-03-04 13:59 - 00000197 _____ () C:\Windows\system32\2015-03-04-08-28-54.033-AvastVBoxSVC.exe-3784.log
2015-03-02 03:50 - 2015-03-02 03:50 - 00000197 _____ () C:\Windows\system32\2015-03-01-22-20-09.035-AvastVBoxSVC.exe-4268.log
2015-02-28 17:37 - 2015-02-28 17:38 - 09213196 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 2[via torchbrowser.com].flv
2015-02-28 16:22 - 2015-02-28 16:23 - 21289903 _____ () C:\Users\user\Downloads\LearnEnglish - British Council - Episode 1[via torchbrowser.com].flv
2015-02-28 15:56 - 2015-02-28 15:57 - 00000197 _____ () C:\Windows\system32\2015-02-28-10-26-59.009-AvastVBoxSVC.exe-4304.log
2015-02-28 10:31 - 2015-02-28 10:31 - 00527423 _____ ( ) C:\Users\user\Downloads\Lame_v3.99.3_for_Windows.exe
2015-02-28 09:34 - 2015-02-28 16:27 - 00000000 ____D () C:\Users\user\AppData\Roaming\Audacity
2015-02-28 09:34 - 2015-02-28 09:34 - 00000981 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2015-02-28 09:34 - 2015-02-28 09:34 - 00000969 _____ () C:\Users\Public\Desktop\Audacity.lnk
2015-02-28 09:34 - 2015-02-28 09:34 - 00000000 ____D () C:\Program Files\Audacity
2015-02-28 09:32 - 2015-02-28 09:33 - 22892794 _____ (Audacity Team ) C:\Users\user\Downloads\audacity-win-2.0.6.exe
2015-02-28 09:23 - 2015-02-28 09:24 - 00000197 _____ () C:\Windows\system32\2015-02-28-03-53-43.034-AvastVBoxSVC.exe-4936.log
2015-02-26 13:47 - 2015-02-26 13:47 - 00000197 _____ () C:\Windows\system32\2015-02-26-08-17-04.022-AvastVBoxSVC.exe-3756.log
2015-02-24 11:40 - 2015-02-24 11:40 - 00000197 _____ () C:\Windows\system32\2015-02-24-06-10-02.029-AvastVBoxSVC.exe-1352.log
2015-02-24 09:59 - 2015-02-24 09:59 - 00000197 _____ () C:\Windows\system32\2015-02-24-04-29-49.034-AvastVBoxSVC.exe-4652.log
2015-02-24 06:15 - 2015-02-24 06:16 - 00000197 _____ () C:\Windows\system32\2015-02-24-00-45-41.040-AvastVBoxSVC.exe-4636.log
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-25 07:54 - 2014-07-07 16:05 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-25 07:54 - 2014-05-22 19:29 - 01199944 _____ () C:\Windows\WindowsUpdate.log
2015-03-25 07:54 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-25 07:54 - 2009-07-14 10:09 - 00045788 _____ () C:\Windows\setupact.log
2015-03-25 07:52 - 2009-07-14 10:04 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-25 07:52 - 2009-07-14 10:04 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-25 07:34 - 2014-05-22 19:46 - 00000000 ____D () C:\Users\user\AppData\Roaming\Skype
2015-03-25 07:25 - 2014-07-07 16:05 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-24 17:05 - 2014-05-22 19:53 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-24 17:04 - 2014-05-22 19:57 - 00798652 _____ () C:\Windows\PFRO.log
2015-03-24 16:47 - 2014-05-22 19:47 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-03-24 16:24 - 2014-05-22 19:37 - 00000000 ____D () C:\Users\user\AppData\Local\Adobe
2015-03-24 13:52 - 2014-05-22 19:31 - 00726316 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-23 20:46 - 2009-07-14 08:07 - 00000000 ___RD () C:\Users\Public
2015-03-23 15:30 - 2015-02-01 12:03 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-22 13:27 - 2014-07-07 16:06 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-10 15:44 - 2014-10-28 13:22 - 00000000 ____D () C:\Users\user\Documents\Rushira
2015-03-04 15:08 - 2014-05-22 19:36 - 00000000 ____D () C:\Users\user\AppData\Roaming\vlc
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-20 18:47
 
==================== End Of Log ============================
 
 
 
 
Thank You


#8 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 25 March 2015 - 11:44 AM

Hi shadowvalar.

 

Apart from popups, are there any more problems?

 

How many devices are affected? Is this machine having popups too? Did you fix the DNS settings on this machine?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#9 shadowvalar

shadowvalar
  • Topic Starter

  • Members
  • 20 posts

Posted 25 March 2015 - 11:04 PM

Hi Sirawit,

 

There are no problems that I know of apart from popups and redirects, though they are very annoying since I sometimes can't even load a site due to the page redirecting.

 

For the past few days there were no popups on any devices except the desktop (where I did the FRST scans). Don't know why or how; the only change I made was resetting the DNS on the router, but that was almost a week ago.

 

For the past day there have been no popups on the desktop as well. I didn't make any changes. After the last FRST fix, there haven't been any popups. However, I haven't been using the desktop that much yesterday and today because I was not at home. I didn't install any new antivirus or anti-malware. But it's too early to tell if the problem is solved or not. The popups are unpredictable: suddenly they appear and suddenly they are gone completely.

 

There are 4 laptops, 1 desktop and 2 mobiles that were affected. The desktop is where I did all the previous FRST scans. Should we look at each laptop one by one as the next step?

 

Thanks for your continued support :)



#10 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 28 March 2015 - 12:34 PM

Hi shadowvalar.
Sorry for the delay, I'm currently away and I will get back to you in 2-3 days.

Thank you.



#11 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 28 March 2015 - 12:41 PM

Hi shadowvalar,
 
I'll be taking over for a little while, whilst Sirawit is away.
 
Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------
 
This scan can take a long time, so it is best done overnight or when you do not need the computer.
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Emsisoft log
  • ESET log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#12 shadowvalar

shadowvalar
  • Topic Starter

  • Members
  • 20 posts

Posted 31 March 2015 - 12:19 AM

Hi Toffee,

 

Sorry for not responding sooner, I was away and did not have access to this computer for the past few days. I am running the scans now and will post the results soon.



#13 shadowvalar

shadowvalar
  • Topic Starter

  • Members
  • 20 posts

Posted 31 March 2015 - 04:50 AM

Emsisoft report

 

-----------------------------------------------------------------------------
 
Emsisoft Emergency Kit - Version 9.0
Last update: 3/31/2015 10:55:46 AM
User account: user-PC\user
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, I:\, J:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 3/31/2015 10:58:17 AM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\AU__RASAPI32 detected: Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\AU__RASMANCS detected: Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TORCHCRASHHANDLER detected: Application.AdServ (A)
Key: HKEY_USERS\S-1-5-21-2581912368-3558610858-2423039881-1000\SOFTWARE\SOFTONIC detected: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-2581912368-3558610858-2423039881-1000\SOFTWARE\INSTALLCORE detected: Application.AdTool (A)
C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\File System\000\t\00\00000000 detected: Gen:Variant.Adware.Mikey.8206 (B)
C:\Users\user\Downloads\TorchSetup-r21-n-bc.exe detected: Application.Toolbar (A)
 
Scanned 149873
Found 7
 
Scan end: 3/31/2015 11:23:12 AM
Scan time: 0:24:55
 
C:\Users\user\Downloads\TorchSetup-r21-n-bc.exe Quarantined Application.Toolbar (A)
C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\File System\000\t\00\00000000 Quarantined Gen:Variant.Adware.Mikey.8206 (B)
Key: HKEY_USERS\S-1-5-21-2581912368-3558610858-2423039881-1000\SOFTWARE\INSTALLCORE Quarantined Application.AdTool (A)
Key: HKEY_USERS\S-1-5-21-2581912368-3558610858-2423039881-1000\SOFTWARE\SOFTONIC Quarantined Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TORCHCRASHHANDLER Quarantined Application.AdServ (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\AU__RASMANCS Quarantined Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TRACING\AU__RASAPI32 Quarantined Application.Win32.InstallExt (A)
 
Quarantined 7
 
 
 
 
 
 
 
--------------------------------------------------------
 

ESET Scan
 
------------------------------------------------------------------
 
C:\Users\user\AppData\Local\Torch\Helper.dll a variant of Win32/Toolbar.SearchSuite.X potentially unwanted application deleted - quarantined
C:\Users\user\Downloads\FreeStudio(1).exe Win32/OpenCandy potentially unsafe application deleted - quarantined
I:\doc\Downloads\setup.exe Win32/OutBrowse.K potentially unwanted application deleted - quarantined
 
 
---------------------------------------------------------------
 
 
 
Thank you so much for your patience.
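As an added example (not the thread's own or Emsisoft's code), a Python parser for the Emsisoft report format above that pairs each "detected" entry with its "Quarantined" line, so anything the scanner flagged but did not remove is listed for manual follow-up, and that cross-checks the Found/Quarantined counters against the itemised entries. The log text is a constructed excerpt modelled on the report above, with one made-up entry (leftover.dll) left unquarantined.

```python
import re

# Constructed excerpt modelled on the Emsisoft Emergency Kit report in this thread,
# with one extra made-up entry (leftover.dll) that is detected but never quarantined.
SAMPLE_LOG = r"""
Scan start: 3/31/2015 10:58:17 AM
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TORCHCRASHHANDLER detected: Application.AdServ (A)
C:\Users\user\Downloads\TorchSetup-r21-n-bc.exe detected: Application.Toolbar (A)
C:\Users\user\AppData\Local\Example\leftover.dll detected: Gen:Variant.Example (B)

Scanned 149873
Found 3
Scan end: 3/31/2015 11:23:12 AM
C:\Users\user\Downloads\TorchSetup-r21-n-bc.exe Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TORCHCRASHHANDLER Quarantined Application.AdServ (A)
Quarantined 2
"""

# "Key: <registry path> detected: <name>" or "<file path> detected: <name>"
DETECT_RE = re.compile(r"^(?P<key>Key: )?(?P<obj>.+?) detected: (?P<name>.+)$")
# Same two shapes for the post-scan "Quarantined" action lines
QUAR_RE = re.compile(r"^(?P<key>Key: )?(?P<obj>.+?) Quarantined (?P<name>.+)$")
# Summary counters: "Scanned N", "Found N", "Quarantined N"
COUNT_RE = re.compile(r"^(Scanned|Found|Quarantined) (\d+)$")


def parse_report(text: str) -> dict:
    """Return detected objects, quarantined objects and the summary counters."""
    detected, quarantined, counters = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := DETECT_RE.match(line):
            # value: (detection name, True if a registry key rather than a file)
            detected[m.group("obj")] = (m.group("name"), m.group("key") is not None)
        elif m := QUAR_RE.match(line):
            quarantined[m.group("obj")] = m.group("name")
        elif m := COUNT_RE.match(line):
            counters[m.group(1)] = int(m.group(2))
    return {"detected": detected, "quarantined": quarantined, "counters": counters}


def unresolved(report: dict) -> list:
    """Objects flagged by the scanner but absent from the quarantine list: manual follow-up."""
    return sorted(obj for obj in report["detected"] if obj not in report["quarantined"])


def counters_consistent(report: dict) -> bool:
    """Cross-check the summary lines against the itemised entries."""
    c = report["counters"]
    return (c.get("Found") == len(report["detected"])
            and c.get("Quarantined") == len(report["quarantined"]))
```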


#14 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 31 March 2015 - 01:53 PM

Hi shadowvalar.

 

How is your computer running? Also please try using the computer normally for a while and see if anything happens. (popups, Antivirus alert, etc.)

 

Thank you.




#15 shadowvalar

shadowvalar
  • Topic Starter

  • Members
  • 20 posts

Posted 04 April 2015 - 07:43 AM

Hi Sirawit,

 

Sorry again for the delay. I was not able to use the desktop much over the last few days. I use the laptops and not this desktop. So I waited till I actually used the desktop for a bit before posting.

 

I have not had any popups or other issues on this PC since the last scan. There have been no symptoms like running slow or any other issues. I guess the problem is solved on this for now?

 

However I am getting redirects on my phone and on some of my other laptops. Can we switch to another laptop and clean that out as well?

 

Thank you so much for all your help. I am very relieved that this PC at last seems to be clean :)





