Removed infections but still got problems (vc32loader.dll)


This topic is locked
4 replies to this topic

#1 trentham666 (Members, 6 posts)

Posted 08 April 2015 - 05:55 AM

I've been cleaning up a laptop with MANY infections but I'm stuck with the message saying \\.\globalroot\systemroot\apppatch\nbin\vc32loader.dll is either not designed to run on Windows or contains an error. Clearly all is not fixed well enough and I assume there's some residual stuff left over.

I would add that trying to post this message from the machine in question met with problems - it couldn't upload the additions file, so I've copied the files from the infected machine and posted from a different computer.

Please help!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Chris (administrator) on CHRIS-THINK on 08-04-2015 11:28:54
Running from C:\Users\Chris\Downloads
Loaded Profiles: Chris (Available profiles: Chris)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Lenovo) C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CamMute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
(Validity Sensors, Inc.) C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
() C:\Windows\System32\valWBFPolicyService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
(Realtek Semiconductor Corp.) C:\Windows\RtsCM64.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Michel Krämer) C:\Program Files (x86)\Spamihilator\spamihilator.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMUPDT.EXE
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMSWCS.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Validity Sensors, Inc.) C:\Program Files\Lenovo Fingerprint Reader\SwipeMonitor.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtsCM] => C:\Windows\RTSCM64.EXE [140872 2013-03-21] (Realtek Semiconductor Corp.)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [887968 2012-06-15] (Conexant Systems, Inc.)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-26] ()
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133440 2012-07-19] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [Dolby Advanced Audio v2] => C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe [508656 2012-09-01] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [Fastboot] => C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe [1085744 2012-11-21] (Lenovo)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-06] (AVAST Software)
HKLM-x32\...\Run: [PWMTRV] => rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1273448 2012-04-03] (CANON INC.)
HKLM-x32\...\RunOnce: [20150107] => C:\Program Files\AVAST Software\Avast\setup\emupdate\ba7b6aed-41d5-448b-a9e2-283a8f8906d6.exe [183232 2015-04-01] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [30877280 2014-12-11] (Skype Technologies S.A.)
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\...\MountPoints2: {523d8647-1f2d-11e3-bf39-806e6f6e6963} - Q:\LenovoQDrive.exe
Lsa: [Notification Packages] scecli C:\Program Files\Lenovo\Bluetooth Software\BtwProximityCP.dll
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spamihilator.lnk
ShortcutTarget: Spamihilator.lnk -> C:\Program Files (x86)\Spamihilator\spamihilator.exe (Michel Krämer)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=9&ar=msnhome
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=9&ar=msnhome
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://home.lenovo.com
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
SearchScopes: HKLM -> DefaultScope {C0A011B8-C61B-4A36-A78A-A4E9EB857AF2} URL =
SearchScopes: HKU\S-1-5-21-2125230539-855419678-3863504621-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2014-08-06] (AVAST Software)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2014-07-14] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-08-06] (AVAST Software)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2014-07-14] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 208.67.222.222 208.67.220.220

FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default
FF NewTab: hxxp://rts.dsrlte.com/?m=tab
FF SearchEngineOrder.1: Mysearchdial
FF SelectedSearchEngine: Ask Web Search
FF Homepage: hxxp://www.google.co.uk
FF Keyword.URL: hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd&ptb=B301B194-542D-4EBD-B5B9-7DF2ECB03200&n=781ac706&ind=2015020806&p2=^ZO^xdm012^YYA^gb&si=produtools&searchfor=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-05] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-02] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-02] (Foxit Corporation)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [2013-03-13] (Nitro PDF)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2014-11-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2014-11-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2125230539-855419678-3863504621-1000: intel.com/AppUp -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp.dll [2013-03-25] (Intel)
FF Plugin HKU\S-1-5-21-2125230539-855419678-3863504621-1000: intel.com/AppUpx64 -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp_x64.dll [2013-03-25] (Intel)
FF user.js: detected! => C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\user.js [2014-03-21]
FF Extension: ApptooU - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net [2015-02-24]
FF Extension: QueenCouupoon - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org [2015-03-16]
FF Extension: Utility Chest - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\49ffxtbr@UtilityChest_49.com [2015-02-08]
FF Extension: douwnloaditkeep - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com [2015-02-25]
FF Extension: doeeaL2udeAalit - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com [2015-02-25]
FF Extension: MySearchDial - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi [2014-03-21]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-02-20]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-03-13]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3319709&octid=EB_ORIGINAL_CTID&ISID=M85FB0CE3-5835-4852-8438-2BA45E600946&SearchSource=55&CUI=&UM=8&UP=SP1F41B422-4662-4EA4-B82F-83D476F10FCA&SSPV=
CHR StartupUrls: Default -> "hxxp://www.google.co.uk/"
CHR DefaultSearchURL: Default -> http://rts.dsrlte.com/?q={searchTerms}
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-13]
CHR Extension: (Google Drive) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-15]
CHR Extension: (To Do List) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhieleigbmmonbckblbeodlmlihacjco [2015-02-24]
CHR Extension: (YouTube) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-13]
CHR Extension: (Google Search) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-13]
CHR Extension: (Weather Forecast) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\daidbcgjmglbmccacppklkejkpcekill [2015-03-14]
CHR Extension: (Avast SafePrice) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-08-27]
CHR Extension: (Related Content by Zemanta) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\fejeknoakjeblidffkajbioncodnmhge [2015-02-24]
CHR Extension: (Avast Online Security) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-03-13]
CHR Extension: (FBLayoutsForFree Facebook Layouts) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\lepbgbjeigddjmiejeaoblhjfombjfce [2015-02-24]
CHR Extension: (Skype Click to Call) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-08-24]
CHR Extension: (Google Wallet) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-13]
CHR Extension: (Gmail) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-13]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-25]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-06]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 4ef60154; c:\Program Files (x86)\Optimizer Pro 3.38\OptProMon.dll [1633848 2015-02-02] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-06] (AVAST Software)
S4 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [1008344 2013-02-05] (Broadcom Corporation.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S3 DfSdkS; C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer Free\Dfsdks.exe [544768 2009-08-24] (mst software GmbH, Germany) [File not signed]
R2 FastbootService; C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [160048 2012-11-21] (Lenovo)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2012-03-28] ()
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-07-19] (Intel Corporation)
S4 intelsba; C:\Program Files\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [48832 2013-04-10] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-07-19] (Intel Corporation)
R2 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [188200 2013-01-28] (Lenovo Group Limited)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [136288 2012-08-11] (Lenovo Group Limited)
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-03-13] (Nitro PDF Software)
S4 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [22376 2013-02-04] ()
R2 ValBioService; C:\Program Files\Lenovo Fingerprint Reader\ValBioService.exe [23600 2013-03-20] (Validity Sensors, Inc.)
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [28160 2013-03-19] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S4 CltMngSvc;  [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-08-06] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-08-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-08-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-08-06] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2015-02-07] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-08-06] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-08-06] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-08-06] ()
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [165688 2012-09-24] (Broadcom Corporation.)
S3 Fastboot; C:\Windows\System32\DRIVERS\Fastboot.sys [71472 2012-11-21] (Windows ® Win 7 DDK provider)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-26] (Malwarebytes Corporation)
R3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [288840 2013-05-16] (Realtek Semiconductor Corp.)
R3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [8243272 2013-03-21] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [33008 2013-04-04] (Synaptics Incorporated)
S3 SPPD; C:\Windows\system32\drivers\SPPD.sys [14040 2015-03-26] ()
R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [40248 2011-05-29] (Lenovo Information Product(ShenZhen China) Inc.)
R3 tvtvcamd; C:\Windows\System32\DRIVERS\tvtvcamd.sys [27432 2011-12-08] (ThinkVantage Communications Utility)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-08 11:28 - 2015-04-08 11:29 - 00022711 _____ () C:\Users\Chris\Downloads\FRST.txt
2015-04-08 11:28 - 2015-04-08 11:28 - 00000000 ____D () C:\FRST
2015-04-08 11:27 - 2015-04-08 11:27 - 02095616 _____ (Farbar) C:\Users\Chris\Downloads\FRST64.exe
2015-04-08 11:26 - 2015-04-08 11:26 - 01135104 _____ (Farbar) C:\Users\Chris\Downloads\FRST.exe
2015-04-02 10:39 - 2015-04-02 10:39 - 00010816 _____ () C:\Users\Chris\Documents\NOTICE ABOUT SMOKING AROUND GREEN.odt
2015-04-02 09:47 - 2015-04-02 09:47 - 00011531 _____ () C:\Users\Chris\Documents\Tuesday     Home and Away details for notice board.odt
2015-04-01 18:06 - 2015-04-01 18:06 - 01025464 _____ () C:\Windows\Minidump\040115-17191-01.dmp
2015-03-26 12:52 - 2015-03-26 12:52 - 00000000 ____D () C:\Windows\System32\Tasks\2BrightSparks
2015-03-26 12:52 - 2015-03-26 12:52 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\2BrightSparks
2015-03-26 12:45 - 2015-03-26 12:45 - 00054166 _____ () C:\Users\Chris\Documents\cc_20150326_114515.reg
2015-03-26 12:43 - 2015-03-26 12:43 - 00001158 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-03-26 12:41 - 2015-03-26 12:41 - 00243416 _____ () C:\Users\Chris\Downloads\Firefox Setup Stub 36.0.4.exe
2015-03-26 12:04 - 2015-03-26 12:04 - 02530453 _____ () C:\Users\Chris\Downloads\freefixer_portable.zip
2015-03-26 12:03 - 2015-03-26 12:30 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\FreeFixer
2015-03-26 12:03 - 2015-03-26 12:08 - 00000000 ____D () C:\Users\Chris\AppData\Local\FreeFixer
2015-03-26 12:03 - 2015-03-26 12:03 - 02666167 _____ (Kephyr) C:\Users\Chris\Downloads\freefixersetup.exe
2015-03-26 12:03 - 2015-03-26 12:03 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFixer
2015-03-26 12:03 - 2015-03-26 12:03 - 00000000 ____D () C:\Program Files\FreeFixer
2015-03-26 11:44 - 2015-03-26 11:44 - 00000000 _____ () C:\autoexec.bat
2015-03-26 11:04 - 2015-03-26 11:04 - 00000000 ____D () C:\Windows\pss
2015-03-26 11:02 - 2015-03-26 11:05 - 00002774 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-03-26 11:02 - 2015-03-26 11:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-03-26 11:02 - 2015-03-26 11:02 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-26 10:45 - 2015-03-26 10:45 - 00014040 _____ () C:\Windows\system32\Drivers\SPPD.sys
2015-03-26 10:44 - 2015-03-26 12:56 - 00001246 _____ () C:\Users\Chris\Desktop\backup.lnk
2015-03-26 10:44 - 2015-03-26 12:52 - 00000000 ____D () C:\Users\Chris\AppData\Local\2BrightSparks
2015-03-26 10:44 - 2015-03-26 10:47 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-26 10:44 - 2015-03-26 10:44 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-26 10:44 - 2015-03-26 10:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-26 10:44 - 2015-03-26 10:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2BrightSparks
2015-03-26 10:44 - 2015-03-26 10:44 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-26 10:44 - 2015-03-26 10:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-03-26 10:44 - 2015-03-26 10:44 - 00000000 ____D () C:\Program Files (x86)\2BrightSparks
2015-03-26 10:44 - 2014-11-21 07:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-26 10:44 - 2014-11-21 07:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-26 10:44 - 2014-11-21 07:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-26 10:41 - 2015-04-08 11:17 - 00000020 _____ () C:\Users\Chris\AppData\Roaming\appdataFr3.bin
2015-03-25 23:11 - 2015-03-25 23:11 - 00000000 ____D () C:\Users\Chris\AppData\Local\avaavxvyex
2015-03-23 20:58 - 2015-03-23 20:59 - 00895792 _____ (SlimWare Utilities, Inc.) C:\Users\Chris\Downloads\DriverUpdate-setup (1).exe
2015-03-23 20:58 - 2015-03-23 20:58 - 00895792 _____ (SlimWare Utilities, Inc.) C:\Users\Chris\Downloads\DriverUpdate-setup.exe
2015-03-14 18:29 - 2015-03-26 12:20 - 00000000 ____D () C:\Program Files (x86)\LuckYYCooUpOn
2015-03-14 18:29 - 2015-03-14 18:29 - 00000000 ____D () C:\Program Files (x86)\Weather Forecast
2015-03-14 18:29 - 2015-03-14 18:29 - 00000000 ____D () C:\Program Files (x86)\QueenCouupoon
2015-03-14 18:28 - 2015-03-26 12:20 - 00000000 ____D () C:\Program Files (x86)\RioyalShopeperApp
2015-03-10 14:30 - 2015-03-10 14:30 - 00784896 _____ (Reimage®) C:\Users\Chris\Downloads\ReimageRepair.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-08 11:28 - 2009-07-14 05:45 - 00034208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-08 11:28 - 2009-07-14 05:45 - 00034208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-08 11:24 - 2013-09-17 01:19 - 00226293 _____ () C:\Windows\WindowsUpdate.log
2015-04-02 17:03 - 2014-06-16 09:29 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Spamihilator
2015-04-02 16:59 - 2014-03-25 16:31 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2015-04-01 21:33 - 2009-07-14 06:13 - 00778150 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-01 18:11 - 2014-03-21 17:22 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Skype
2015-04-01 18:06 - 2014-03-21 18:43 - 00000000 ____D () C:\Windows\Minidump
2015-04-01 18:06 - 2014-03-21 18:42 - 355150351 _____ () C:\Windows\MEMORY.DMP
2015-04-01 18:06 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-01 18:06 - 2009-07-14 05:51 - 00049110 _____ () C:\Windows\setupact.log
2015-03-26 12:45 - 2014-03-13 21:38 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-03-26 12:43 - 2015-02-20 20:26 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-03-26 12:43 - 2014-03-13 21:35 - 00001170 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-03-26 12:20 - 2015-02-24 22:58 - 00000000 ____D () C:\Program Files (x86)\doeal2dealiit
2015-03-26 12:20 - 2015-02-24 22:39 - 00000000 ____D () C:\Program Files (x86)\duEal4maee
2015-03-26 12:20 - 2015-02-24 22:38 - 00000000 ____D () C:\Program Files (x86)\PriceDowNloadero
2015-03-26 12:20 - 2015-02-24 21:38 - 00000000 ____D () C:\Program Files (x86)\SSaverAddon
2015-03-26 12:20 - 2015-02-24 21:38 - 00000000 ____D () C:\Program Files (x86)\easyToshop
2015-03-26 12:20 - 2015-02-02 19:21 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro 3.38
2015-03-26 12:20 - 2013-09-17 01:34 - 00000000 ____D () C:\Windows\System32\Tasks\TVT
2015-03-26 12:20 - 2013-09-17 01:31 - 00000000 ____D () C:\Windows\System32\Tasks\Intel® Small Business Advantage
2015-03-26 11:08 - 2014-05-24 10:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-26 11:08 - 2014-03-13 21:27 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-26 11:08 - 2014-03-13 21:27 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-26 11:05 - 2015-02-02 19:20 - 00003838 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1422901196
2015-03-26 11:05 - 2014-05-24 10:25 - 00003770 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-03-26 11:05 - 2014-03-13 21:27 - 00003906 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-03-26 11:05 - 2014-03-13 21:27 - 00003654 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-03-26 11:05 - 2013-09-17 01:30 - 00002892 _____ () C:\Windows\System32\Tasks\StartPowerDVDService
2015-03-26 11:05 - 2013-09-17 01:24 - 00002960 _____ () C:\Windows\System32\Tasks\PMTask
2015-03-26 10:46 - 2010-11-21 04:47 - 00733968 _____ () C:\Windows\PFRO.log
2015-03-26 10:41 - 2014-03-15 15:35 - 00000000 ____D () C:\Users\Chris\AppData\Local\CrashDumps
2015-03-25 23:11 - 2015-02-02 19:18 - 00000000 ____D () C:\Program Files (x86)\SearchProtect_gone
2015-03-24 15:20 - 2015-02-02 19:19 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-03-24 15:16 - 2014-08-17 17:18 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-03-24 15:16 - 2014-03-21 17:17 - 00000000 ____D () C:\ProgramData\Skype
2015-03-24 15:15 - 2015-02-02 19:20 - 00000000 ____D () C:\ProgramData\{c4bfa712-6198-7896-c4bf-fa7126199c49}
2015-03-14 18:29 - 2015-02-24 21:38 - 00000000 ____D () C:\ProgramData\331210065367530490

==================== Files in the root of some directories =======

2014-03-13 20:28 - 2014-04-14 11:08 - 0008993 _____ () C:\Users\Chris\AppData\Roaming\AbsoluteReminder.xml
2015-03-26 10:41 - 2015-04-08 11:17 - 0000020 _____ () C:\Users\Chris\AppData\Roaming\appdataFr3.bin
2015-02-02 19:22 - 2015-02-02 19:22 - 0001297 _____ () C:\Users\Chris\AppData\Roaming\Bubble Dock.boostrap.log
2015-02-02 19:22 - 2015-02-02 19:22 - 0005770 _____ () C:\Users\Chris\AppData\Roaming\Bubble Dock.installation.log
2015-02-02 19:22 - 2015-02-02 19:22 - 0000078 _____ () C:\Users\Chris\AppData\Roaming\Selection Tools.installation.log
2015-02-02 19:22 - 2015-02-02 19:22 - 0000078 _____ () C:\Users\Chris\AppData\Roaming\WindApp.installation.log
2015-02-02 19:22 - 2015-02-02 19:22 - 0000097 _____ () C:\Users\Chris\AppData\Roaming\WOffer.boostrap.log
2013-09-17 01:21 - 2013-09-17 01:21 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2013-09-17 01:28 - 2013-09-17 01:29 - 0000107 _____ () C:\ProgramData\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}.log
2013-09-17 01:26 - 2013-09-17 01:27 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2013-09-17 01:27 - 2013-09-17 01:28 - 0000110 _____ () C:\ProgramData\{B7A0CE06-068E-11D6-97FD-0050BACBF861}.log
2013-09-17 01:28 - 2013-09-17 01:28 - 0000115 _____ () C:\ProgramData\{D6E853EC-8960-4D44-AF03-7361BB93227C}.log

Some content of TEMP:
====================
C:\Users\Chris\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpg81ll5.dll
C:\Users\Chris\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Chris\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\Chris\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Chris\AppData\Local\Temp\optprosetup.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-10 15:05

==================== End Of Log ============================
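Added example (not from this thread or from FRST): a small Python parser for the listing format above that clusters entries by creation time, which makes a bundle install like the group of folders created under Program Files (x86) on 2015-02-24 stand out. It assumes the first stamp on each line is the last-modified time and the second the creation time (in the listing above the second stamp is never later than the first), and it uses a constructed subset of the lines above as input.

```python
"""Cluster FRST listing entries by creation time (added example, not FRST code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample: a subset of the listing lines from the FRST log above.
SAMPLE_LINES = r"""
2015-03-26 12:43 - 2015-02-20 20:26 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-03-26 12:20 - 2015-02-24 22:58 - 00000000 ____D () C:\Program Files (x86)\doeal2dealiit
2015-03-26 12:20 - 2015-02-24 22:39 - 00000000 ____D () C:\Program Files (x86)\duEal4maee
2015-03-26 12:20 - 2015-02-24 22:38 - 00000000 ____D () C:\Program Files (x86)\PriceDowNloadero
2015-03-26 12:20 - 2015-02-24 21:38 - 00000000 ____D () C:\Program Files (x86)\SSaverAddon
2015-03-26 12:20 - 2015-02-24 21:38 - 00000000 ____D () C:\Program Files (x86)\easyToshop
2015-03-26 12:20 - 2015-02-02 19:21 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro 3.38
2015-03-26 12:20 - 2013-09-17 01:34 - 00000000 ____D () C:\Windows\System32\Tasks\TVT
2015-03-26 10:46 - 2010-11-21 04:47 - 00733968 _____ () C:\Windows\PFRO.log
2015-03-25 23:11 - 2015-02-02 19:18 - 00000000 ____D () C:\Program Files (x86)\SearchProtect_gone
2015-03-24 15:20 - 2015-02-02 19:19 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-03-24 15:15 - 2015-02-02 19:20 - 00000000 ____D () C:\ProgramData\{c4bfa712-6198-7896-c4bf-fa7126199c49}
2015-03-14 18:29 - 2015-02-24 21:38 - 00000000 ____D () C:\ProgramData\331210065367530490
"""

# Assumed line shape: "<stamp> - <stamp> - <size> <attrs> (<company>) <path>".
# In the section shown on this page the first stamp is last-modified and the
# second is the creation time (the second stamp is never later than the first).
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
STAMP_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: int
    attrs: str      # five-character flag field, e.g. ____D (directory), ___RD, ____H
    company: str    # publisher FRST read from version info; empty for most adware drops
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst_listing(text: str) -> List[Entry]:
    """Parse every well-formed listing line; blank or foreign lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            modified=datetime.strptime(m["modified"], STAMP_FMT),
            created=datetime.strptime(m["created"], STAMP_FMT),
            size=int(m["size"]),
            attrs=m["attrs"],
            company=m["company"],
            path=m["path"],
        ))
    return entries


def cluster_by_creation(entries, window=timedelta(minutes=90), min_size=3):
    """Group entries whose creation stamps chain within `window` of each other.

    Only groups of at least `min_size` members are returned. A bundle installer
    that drops several programs in one session produces exactly such a chain.
    """
    ordered = sorted(entries, key=lambda e: e.created)   # stable: ties keep input order
    clusters, current = [], []
    for entry in ordered:
        if current and entry.created - current[-1].created > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def summarize(clusters):
    """One dict per cluster: creation span, member count and the paths, oldest first."""
    return [
        {
            "start": c[0].created.isoformat(" "),
            "end": c[-1].created.isoformat(" "),
            "count": len(c),
            "paths": [e.path for e in c],
        }
        for c in clusters
    ]


if __name__ == "__main__":
    for item in summarize(cluster_by_creation(parse_frst_listing(SAMPLE_LINES))):
        print(f"{item['count']} entries created {item['start']} .. {item['end']}")
        for p in item["paths"]:
            print("   ", p)
```

On the sample this yields two clusters: four entries created between 19:18 and 19:21 on 2015-02-02 (SearchProtect, Opera, a GUID folder in ProgramData, Optimizer Pro) and six created within 80 minutes on 2015-02-24, the same folders AdwCleaner later deletes.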

#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:39 PM

Posted 08 April 2015 - 08:29 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these processes in bold using the Add/Remove Programs applet.

AnySend (HKLM-x32\...\ASPackage) (Version: 1.0.0.0 - CMI Limited) <==== ATTENTION!
CouponFactor (HKLM-x32\...\{37476589-E48E-439E-A706-56189E2ED4C4}_is1) (Version: - CouponFactor) <==== ATTENTION
Optimizer Pro v3.2 (HKLM-x32\...\Optimizer Pro_is1) (Version: 3.2.0.3 - PC Utilities Software Limited) <==== ATTENTION
Selection Tools (HKU\S-1-5-21-2125230539-855419678-3863504621-1000\...\Selection Tools) (Version: - WTools) <==== ATTENTION
Skype Packages (HKU\S-1-5-21-2125230539-855419678-3863504621-1000\...\Skype Packages) (Version: - ) <==== ATTENTION
WindApp (HKU\S-1-5-21-2125230539-855419678-3863504621-1000\...\WindApp) (Version: - Store) <==== ATTENTION
Yahoo! Search (HKU\S-1-5-21-2125230539-855419678-3863504621-1000\...\Yahoo! Search) (Version: - Pay-By-Ads) <==== ATTENTION

===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2125230539-855419678-3863504621-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
FF NewTab: hxxp://rts.dsrlte.com/?m=tab
FF SearchEngineOrder.1: Mysearchdial
FF SelectedSearchEngine: Ask Web Search
FF Keyword.URL: hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd&ptb=B301B194-542D-4EBD-B5B9-7DF2ECB03200&n=781ac706&ind=2015020806&p2=^ZO^xdm012^YYA^gb&si=produtools&searchfor=
FF user.js: detected! => C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\user.js [2014-03-21]
FF Extension: ApptooU - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net [2015-02-24]
FF Extension: QueenCouupoon - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org [2015-03-16]
FF Extension: Utility Chest - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\49ffxtbr@UtilityChest_49.com [2015-02-08]
FF Extension: douwnloaditkeep - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com [2015-02-25]
FF Extension: doeeaL2udeAalit - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com [2015-02-25]
FF Extension: MySearchDial - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi [2014-03-21]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3319709&octid=EB_ORIGINAL_CTID&ISID=M85FB0CE3-5835-4852-8438-2BA45E600946&SearchSource=55&CUI=&UM=8&UP=SP1F41B422-4662-4EA4-B82F-83D476F10FCA&SSPV=
CHR DefaultSearchURL: Default -> http://rts.dsrlte.com/?q={searchTerms}
CHR Extension: (Avast SafePrice) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-08-27]
CHR Extension: (Avast Online Security) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-03-13]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-25]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-06]
R2 4ef60154; c:\Program Files (x86)\Optimizer Pro 3.38\OptProMon.dll [1633848 2015-02-02] ()
S4 CltMngSvc;  [X]
S3 SPPD; C:\Windows\system32\drivers\SPPD.sys [14040 2015-03-26] ()
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi
c:\Program Files (x86)\Optimizer Pro 3.38
C:\Windows\system32\drivers\SPPD.sys

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===


CHR dev: Chrome dev build detected! <======= ATTENTION

Your Chrome was compromised.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

How is the computer running now?

#3 trentham666

trentham666
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 08 April 2015 - 09:26 AM

Many thanks.

I removed the programs mentioned. In fact, many were already gone but needed removing from the programs list, though Optimizer Pro and Selection Tools got removed properly.

FRST fixed and produced the following log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Chris at 2015-04-08 14:46:05 Run:1
Running from C:\Users\Chris\Downloads
Loaded Profiles: Chris (Available profiles: Chris)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2125230539-855419678-3863504621-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
FF NewTab: hxxp://rts.dsrlte.com/?m=tab
FF SearchEngineOrder.1: Mysearchdial
FF SelectedSearchEngine: Ask Web Search
FF Keyword.URL: hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd&ptb=B301B194-542D-4EBD-B5B9-7DF2ECB03200&n=781ac706&ind=2015020806&p2=^ZO^xdm012^YYA^gb&si=produtools&searchfor=
FF user.js: detected! => C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\user.js [2014-03-21]
FF Extension: ApptooU - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net [2015-02-24]
FF Extension: QueenCouupoon - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org [2015-03-16]
FF Extension: Utility Chest - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\49ffxtbr@UtilityChest_49.com [2015-02-08]
FF Extension: douwnloaditkeep - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com [2015-02-25]
FF Extension: doeeaL2udeAalit - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com [2015-02-25]
FF Extension: MySearchDial - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi [2014-03-21]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3319709&octid=EB_ORIGINAL_CTID&ISID=M85FB0CE3-5835-4852-8438-2BA45E600946&SearchSource=55&CUI=&UM=8&UP=SP1F41B422-4662-4EA4-B82F-83D476F10FCA&SSPV=
CHR DefaultSearchURL: Default -> http://rts.dsrlte.com/?q={searchTerms}
CHR Extension: (Avast SafePrice) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-08-27]
CHR Extension: (Avast Online Security) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-03-13]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-25]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-06]
R2 4ef60154; c:\Program Files (x86)\Optimizer Pro 3.38\OptProMon.dll [1633848 2015-02-02] ()
S4 CltMngSvc;  [X]
S3 SPPD; C:\Windows\system32\drivers\SPPD.sys [14040 2015-03-26] ()
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi
c:\Program Files (x86)\Optimizer Pro 3.38
C:\Windows\system32\drivers\SPPD.sys

End
*****************

Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncBackedUp" => Key deleted successfully.
HKCR\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncPending" => Key deleted successfully.
HKCR\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncRoot" => Key deleted successfully.
HKCR\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncShared" => Key deleted successfully.
HKCR\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51} => Key not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\S-1-5-21-2125230539-855419678-3863504621-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Firefox newtab deleted successfully.
Firefox SearchEngineOrder.1 deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox Keyword.URL deleted successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\user.js => Moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net => Moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org => Moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\49ffxtbr@UtilityChest_49.com => Moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com => Moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com => Moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi => Moved successfully.
Chrome HomePage deleted successfully.
Chrome DefaultSearchURL deleted successfully.
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => Moved successfully.
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => Key deleted successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => Key deleted successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
4ef60154 => Service not found.
CltMngSvc => Service deleted successfully.
SPPD => Service deleted successfully.
"C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\029G@s.net" => File/Directory not found.
"C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\30tKBtK@L.org" => File/Directory not found.
"C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\8@s4X.com" => File/Directory not found.
"C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\XQU@MzZOGh.com" => File/Directory not found.
"C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x7i4g0eo.default\Extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}.xpi" => File/Directory not found.
"c:\Program Files (x86)\Optimizer Pro 3.38" => File/Directory not found.
C:\Windows\system32\drivers\SPPD.sys => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-04-08 14:48:00)<=

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx" => File could not move.
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => File could not move.

==== End of Fixlog 14:48:00 ====

AdwCleaner ran and produced the following log:

# AdwCleaner v4.201 - Logfile created 08/04/2015 at 14:55:46
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Chris - CHRIS-THINK
# Running from : C:\Users\Chris\Downloads\adwcleaner_4.201.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : ClaraUpdater

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\easytoshop
Folder Deleted : C:\Program Files (x86)\ApptooU
Folder Deleted : C:\Program Files (x86)\doeal2dealiit
Folder Deleted : C:\Program Files (x86)\doeeaL2udeAalit
Folder Deleted : C:\Program Files (x86)\douwnloaditkeep
Folder Deleted : C:\Program Files (x86)\duEal4maee
Folder Deleted : C:\Program Files (x86)\FBLayoutsForFree Facebook Layouts
Folder Deleted : C:\Program Files (x86)\LuckYYCooUpOn
Folder Deleted : C:\Program Files (x86)\PriceDowNloadero
Folder Deleted : C:\Program Files (x86)\QueenCouupoon
Folder Deleted : C:\Program Files (x86)\RioyalShopeperApp
Folder Deleted : C:\Program Files (x86)\SSaverAddon
Folder Deleted : C:\Program Files (x86)\Common Files\ClaraUpdater
Folder Deleted : C:\Windows\Util
Folder Deleted : C:\Users\Chris\AppData\Local\Temp\Mega Browse
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect
Folder Deleted : C:\Program Files\FreeFixer
Folder Deleted : C:\Users\Chris\AppData\Local\FreeFixer
Folder Deleted : C:\Users\Chris\AppData\Local\pay-by-ads
Folder Deleted : C:\Users\Chris\AppData\Local\SearchProtect
Folder Deleted : C:\Users\Chris\AppData\Local\UnicoBrowser
Folder Deleted : C:\Users\Chris\AppData\Local\avaavxvyex
Folder Deleted : C:\Users\Chris\AppData\Roaming\FreeFixer
Folder Deleted : C:\Users\Chris\AppData\Roaming\Nosibay
Folder Deleted : C:\Users\Chris\AppData\Roaming\Store
Folder Deleted : C:\Users\Chris\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Chris\AppData\Roaming\WTools
Folder Deleted : C:\Users\Chris\AppData\Roaming\ASPackage
Folder Deleted : C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bubble Dock
Folder Deleted : C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFixer
Folder Deleted : C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASPackage
Folder Deleted : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\lepbgbjeigddjmiejeaoblhjfombjfce
File Deleted : C:\Windows\apppatch\apppatch64\vcldr64.dll
File Deleted : C:\Windows\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
File Deleted : C:\Windows\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
File Deleted : C:\Windows\AppPatch\nbin\VC32Loader.dll
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\Chris\AppData\Roaming\Bubble Dock.boostrap.log
File Deleted : C:\Users\Chris\AppData\Roaming\Bubble Dock.installation.log
File Deleted : C:\Users\Chris\AppData\Roaming\Selection Tools.installation.log
File Deleted : C:\Users\Chris\AppData\Roaming\WindApp.installation.log
File Deleted : C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Unico Browser.lnk
File Deleted : C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Unico Browser.lnk
File Deleted : C:\Users\Chris\Desktop\Facebook.lnk
File Deleted : C:\Users\Chris\Desktop\Youtube.lnk
File Deleted : C:\Users\Chris\Desktop\Unico Browser.lnk

***** [ Scheduled tasks ] *****

Task Deleted : Run_Browser

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\esrv.mysearchdialesrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.mysearchdialesrvc.1
Key Deleted : HKCU\Software\Classes\keepmysearch
Value Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [UnicoBrowser]
Key Deleted : HKLM\SOFTWARE\ae8fa115-a429-2cb1-ff89-c296067145c4
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{89310413-97E0-4F09-AA75-390A7F4D4918}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\mysearchdial.com
Key Deleted : HKCU\Software\Nosibay
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\Store
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\WTools
Key Deleted : HKCU\Software\UnicoBrowser
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\Clara
Key Deleted : HKLM\SOFTWARE\SPPDCOM
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnicoBrowser

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.16611


-\\ Mozilla Firefox v36.0.4 (x86 en-GB)

[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.FecpN3lhyVre3ocS.scode", "(function(){try{if(window.self.location.href.indexOf(\"qHsHrHUEqHk5qdgEpjn6qjw9rE\")>-1){return;}}catch(e){}try{var d=[[\"acebook\",\"e4everything.co\",[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.irmysearch.aflt", "dsites_14_12_ff");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0AtCyEtBtCyBzytGyB0E0E0Et[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.irmysearch.cr", "1553163932");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.irmysearch.instlRef", "140305_a");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.AL", 2);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.aflt", "dsites_14_12_ff");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0AtCyEtBtCyBzytGyB0E0E0[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.cntry", "GB");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.cr", "1553163932");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dfltLng", "");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dfltSrch", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dnsErr", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.dpkLst", "3654782829,1334533236,1121012847,231756876,1895130307,603719297,4288797614,3754950497,426401714,3046281807,752626116,1657571787,3224935090,2597085128,18285[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.excTlbr", false);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.hdrMd5", "BC747598B5C8FED646997BC91691BEDA");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.hmpg", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.hmpgUrl", "hxxp://start.mysearchdial.com/?f=1&a=dsites_14_12_ff&cd=2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1CzutC[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.id", "B00594EB089B01B1");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.instlDay", "16150");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.instlRef", "140305_a");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.lastB", "hxxp://start.mysearchdial.com/?f=1&a=dsites_14_12_ff&cd=2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1CzutCyE[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.lastVrsnTs", "1.8.29.016:17:31");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.newTabUrl", "hxxp://start.mysearchdial.com/?f=2&a=dsites_14_12_ff&cd=2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1Czu[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.pnu_base", "{\"newVrsn\":\"92\",\"lastVrsn\":\"92\",\"vrsnLoad\":\"\",\"showMsg\":\"false\",\"showSilent\":\"false\",\"msgTs\":0,\"lstMsgTs\":\"0\"}");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.prdct", "mysearchdial");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.sg", "none");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.tlbrId", "base");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.tlbrSrchUrl", "hxxp://start.mysearchdial.com/?f=3&a=dsites_14_12_ff&cd=2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1C[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.vrsn", "1.8.29.0");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial.vrsni", "1.8.29.0");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial_i.newTab", false);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial_i.smplGrp", "none");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.29.016:17:31");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.mywebsearch.prevKwdURL", "hxxp://rts.dsrlte.com/?q=");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.BUTTON_STRUCTURE", "[{\"b\":221352991,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221352992,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.search.defaultenginename.prev", "Mysearchdial");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.search.defaultenginename.savedPrev", "true");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.search.defaultenginename.tb", "Ask Web Search");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.search.selectedEngine.prev", "Google");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.search.selectedEngine.savedPrev", "true");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.search.selectedEngine.tb", "Ask Web Search");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.startup.homepage.prev", "hxxp://www.google.co.uk/");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.startup.homepage.savedPrev", "true");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.startup.homepage.tb", "hxxp://home.tb.ask.com/index.jhtml?ptb=B301B194-542D-4EBD-B5B9-7DF2ECB03200&n=781ac706&p2=^ZO^xdm012^YYA^gb&si=produt[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.startup.page.savedPrev", 1);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.startup.page.tb", 1);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.browser.version.last", "36.0");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.competitorDNS", "{\"comment\":\"refresh every 1 week (7*24*60*60*1000)\",\"refreshPeriod\":604800000,\"list\":[{\"url\":\"hxxp://www.dnsrsearch.com/[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.firstKnownVersion", "6.85.5.65368");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=B301B194-542D-4EBD-B5B9-7DF2ECB03200&n=781ac706&p2=^ZO^xdm012^YYA^gb&si=produtools");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.hp.enabled", false);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.hp.guardType", "HPR");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.hp.user.defined", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.initialized", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installKeysSource", "LocalStorage");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installType", "XPI");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.contextKey", "");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.installDate", "2015020806");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.partnerId", "^ZO^xdm012^YYA^gb");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.partnerSubId", "produtools");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.pixelUrl", "hxxp://www.utilitychest.com/install_pixels.jhtml?partner=^ZO^xdm012^YYA^gb&sub_id=produtools&coId=b9a64a50099a48e6879333b7f[...]
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.success", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.installation.toolbarId", "B301B194-542D-4EBD-B5B9-7DF2ECB03200");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.isCompliantUninstallImplementation", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.lastActivePing", "1427362900943");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.lastKnownVersion", "6.85.5.65368");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.defaultSearch", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.homePageEnabled", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.keywordEnabled", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.options.tabEnabled", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.partnerPixelFired", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.searchHistory", "victorian stone range fireplaceold range fireplacesregistration services");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.successUrl", "hxxp://produtools.com/thankyou_utility.php");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.toolbar.ownSearch", true);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.toolbarCollapsed", false);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark._49Members_.weather.location", "10001");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
[x7i4g0eo.default\prefs.js] - Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "utilitychest@mindspark.com");

-\\ Google Chrome v40.0.2214.94

[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://rts.dsrlte.com/?q={searchTerms}
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_12_ff&cd=2XzuyEtN2Y1L1Qzu0BtDtDyDzyyE0E0BtDzzzy0BtDtC0BtCtN0D0Tzu0SzztCtCtN1L2XzutBtFtCzztFyBtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0AtCyEtBtCyBzytGyB0E0E0EtG0EyE0BtDtGtCtC0E0AtGyDyD0CtCtDyBtByByD0ByC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB0F0CyEtAyE0E0AtGyDtB0E0CtGyEyCyDtBtGyB0DtCzztGtB0D0D0DyE0EtDzzyBtA0A0D2Q&cr=1553163932&ir=
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3319709&octid=EB_ORIGINAL_CTID&ISID=M85FB0CE3-5835-4852-8438-2BA45E600946&SearchSource=58&CUI=&UM=8&UP=SP1F41B422-4662-4EA4-B82F-83D476F10FCA&q={searchTerms}&SSPV=
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : eofcbnmajmjmplflapaojjnihcjkigck
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : lepbgbjeigddjmiejeaoblhjfombjfce
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Default_Search_Provider_Data] :

-\\ Opera v28.0.1750.48


*************************

AdwCleaner[R0].txt - [901 bytes] - [13/03/2014 22:09:23]
AdwCleaner[R1].txt - [37763 bytes] - [08/04/2015 14:52:14]
AdwCleaner[S0].txt - [19915 bytes] - [08/04/2015 14:55:46]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [19975  bytes] ##########
I removed the old Chrome and installed the latest version and things seem to be working cleanly now - no more messages about vc32loader and no more prompts from Avast telling me it's blocked bad websites even though I'd not told it to visit any.  :thumbup2:
Many thanks.
#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:39 PM

Posted 09 April 2015 - 07:06 AM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:39 PM

Posted 14 April 2015 - 08:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.