Hitman pro found LEGACY_PPD\


  • This topic is locked
17 replies to this topic

#1 DenisX

  • Members
  • 18 posts

Posted 14 April 2015 - 05:40 AM

Hello,

I'm using Firefox and Maxthon in turns. Yesterday Maxthon suddenly stopped working and the message !url.Domain.empty2()! began showing, which prompted me to run my antivirus scans. Malwarebytes Anti-Malware and Avira found nothing, but I ran an expired trial version of HitmanPro 3.7.9 and it found 3 LEGACY_SPPD and 6 entries marked as UniDeals. Today Maxthon started working normally, so maybe it was Maxthon's error, but I'd like to ask if the LEGACY_SPPD is dangerous and how can I remove it?

Thank you for your advice.

 

FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by Lenovo (administrator) on LENOVO-PC on 14-04-2015 12:00:20
Running from E:\Denisa\Video
Loaded Profiles: Lenovo & UpdatusUser (Available profiles: Lenovo & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: Slovenčina (Slovensko)
Internet Explorer Version 11 (Default browser path: "E:\Program Files (x86)\Maxthon\Bin\Maxthon.exe" "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(SUPERAntiSpyware.com) E:\Program Files (x86)\Super AntiSpyware\SASCore64.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Apple Computer, Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Red Bend Ltd.) C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel® Corporation) C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(SlySoft, Inc.) E:\Program Files (x86)\AnyDVD\AnyDVDtray.exe
() E:\Program Files (x86)\AnyDVD\ADvdDiscHlp64.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(CyberLink Corp.) E:\Program Files (x86)\PowerDVD\PowerDVD10\PDVD10Serv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe
() E:\Program Files (x86)\Corel\CorelIOMonitor.exe
(Vimicro) C:\Program Files (x86)\USB Camera2\VM332_STI.EXE
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\Windows\System32\dfrgui.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(SurfRight B.V.) E:\Denisa\Video\HitmanPro_x64.exe
(Adobe Systems, Incorporated) E:\Program Files (x86)\Adobe\Adobe Photoshop CS3\Photoshop.exe
(Macrovision Europe Ltd.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) E:\Program Files (x86)\Firefox\firefox.exe
(Hola Networks Ltd.) C:\Users\Lenovo\AppData\Local\Hola\firefox\app\hola_plugin.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2899216 2012-03-26] (Synaptics Incorporated)
HKLM\...\Run: [SynLenovoGestureMgr] => C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe [410896 2012-03-26] (Synaptics)
HKLM\...\Run: [IntelWirelessWiMAX] => C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe [1626112 2011-12-01] (Intel® Corporation)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [6193152 2013-01-08] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [8071680 2013-01-08] (Lenovo (Beijing) Limited)
HKLM-x32\...\Run: [avgnt] => E:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [726320 2015-04-01] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2020704 2014-08-05] (Wondershare)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [RemoteControl10] => E:\Program Files (x86)\PowerDVD\PowerDVD10\PDVD10Serv.exe [87336 2010-02-03] (CyberLink Corp.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [Dolby Advanced Audio v2] => C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe [507744 2011-12-20] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe [1953792 2014-05-16] ()
HKLM-x32\...\Run: [Corel Photo Downloader] => C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe [532808 2009-01-21] (Corel, Inc.)
HKLM-x32\...\Run: [Corel File Shell Monitor] => E:\Program Files (x86)\Corel\CorelIOMonitor.exe [16712 2009-01-21] ()
HKLM-x32\...\Run: [332BigDog] => C:\Program Files (x86)\USB Camera2\VM332_STI.EXE [548864 2011-12-09] (Vimicro)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [OEXPRESS] => [X]
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [Nektra OEAPI] => [X]
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [AnyDVD] => E:\Program Files (x86)\AnyDVD\AnyDVD.exe [109480 2015-03-16] (SlySoft, Inc.)
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {08045d17-52a3-11e4-b921-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2a437805-520b-11e4-840a-c0143dc9541a} - W:\Setup.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2a43780a-520b-11e4-840a-c0143dc9541a} - X:\RunGame.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2a437817-520b-11e4-840a-c0143dc9541a} - Y:\Setup.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2a43781c-520b-11e4-840a-c0143dc9541a} - Z:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2ffb4bc2-521e-11e4-a361-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2ffb4bce-521e-11e4-a361-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2ffb4bcf-521e-11e4-a361-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2ffb4bd3-521e-11e4-a361-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {2ffb4bd7-521e-11e4-a361-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {45420cb4-52ee-11e4-b214-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {52d2edde-5347-11e4-babb-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {708d1373-527e-11e4-af47-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {978b476e-51d6-11e4-bbcd-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {978b4773-51d6-11e4-bbcd-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {978b4787-51d6-11e4-bbcd-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {978b478e-51d6-11e4-bbcd-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\MountPoints2: {f66e39ec-52b3-11e4-8362-c0143dc9541a} - V:\autorun.exe
HKU\S-1-5-21-614083011-718981562-2214768546-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\XENASC~1.SCR [184520 2013-02-02] (MacSourcery)
Lsa: [Notification Packages] scecli C:\Program Files\Lenovo\Bluetooth Software\BtwProximityCP.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
BootExecute: autocheck autochk * bootdelete

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/?yhs=10005&cid=&t=266639_2043_svk_0_0_0_1_
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-614083011-718981562-2214768546-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: WebTransBHO Class -> {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} -> C:\ProgramData\LangSoft\WebIE.dll [2014-07-30] ()
BHO-x32: Wondershare Video Converter Ultimate 7.1.0 -> {451C804F-C205-4F03-B48E-537EC94937BF} -> C:\ProgramData\Wondershare\Video Converter Ultimate\WSBrowserAppMgr.dll [2014-07-29] (Wondershare)
Toolbar: HKLM-x32 - WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\ProgramData\LangSoft\WebIE.dll [2014-07-30] ()
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.100.1

FireFox:
========
FF ProfilePath: C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_134.dll [2015-03-26] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @videolan.org/vlc,version=2.1.2 -> E:\Program Files (x86)\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> E:\Program Files (x86)\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> E:\Program Files (x86)\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> E:\Program Files (x86)\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-03-26] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> E:\Program Files (x86)\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> E:\Program Files (x86)\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin HKU\S-1-5-21-614083011-718981562-2214768546-1000: @hola.org/vlc,version=1.7.455 -> C:\Users\Lenovo\AppData\Local\Hola\firefox\app\vlc [2015-04-13] ()
FF Extension: Hola Better Internet - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\Extensions\jid1-4P0kohSJxU1qGg@jetpack [2015-04-06]
FF Extension: Lightshot (screenshot tool) - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\Extensions\{394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B} [2014-12-05]
FF Extension: Disconnect - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\Extensions\2.0@disconnect.me.xpi [2015-01-13]
FF Extension: XJZ Survey Remover - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\Extensions\survey-remover@gmx.com.xpi [2014-10-14]
FF Extension: Easy Youtube Video Downloader Express - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\Extensions\{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi [2015-01-14]
FF Extension: Adblock Plus - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-23]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF Extension: Wondershare Video Converter Ultimate - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com [2014-10-19]
StartMenuInternet: FIREFOX.EXE - E:\Program Files (x86)\Firefox\firefox.exe

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; E:\Program Files (x86)\Super AntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
S2 AntiVirMailService; E:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [815920 2015-04-01] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; E:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [434424 2015-04-01] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; E:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [434424 2015-04-01] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; E:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1004280 2015-04-01] (Avira Operations GmbH & Co. KG)
R2 Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [229376 2006-02-28] (Apple Computer, Inc.) [File not signed]
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [945440 2012-02-01] (Broadcom Corporation.)
R2 DMAgent; C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [514048 2011-11-30] (Red Bend Ltd.) [File not signed]
R3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2013-01-30] (Macrovision Europe Ltd.) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-29] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] ()
R2 WiMAXAppSrv; C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [979456 2011-11-30] (Intel® Corporation) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [150440 2014-12-23] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [150440 2014-12-23] (SlySoft, Inc.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [128536 2015-03-05] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132120 2015-03-05] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-11-24] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [44088 2015-03-05] (Avira Operations GmbH & Co. KG)
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-02] (Broadcom Corporation.)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-04-14] ()
R3 hitmanpro37; C:\Windows\SysWOW64\drivers\hitmanpro37.sys [30616 2015-01-12] ()
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [104048 2012-03-02] (Qualcomm Atheros Co., Ltd.)
R1 SASDIFSV; E:\Program Files (x86)\Super AntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; E:\Program Files (x86)\Super AntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SmbDrvIntel; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [27408 2012-03-26] (Synaptics Incorporated)
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2050-06-19 22:08 - 2050-06-19 22:08 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivationBl
2050-06-19 22:06 - 2050-06-19 22:06 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivation3D
2050-06-19 21:51 - 2050-06-19 21:51 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivationPE
2050-06-19 21:39 - 2050-06-19 21:39 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivation4
2050-06-19 21:27 - 2050-06-19 21:27 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivation3
2050-06-19 21:18 - 2050-06-19 21:18 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivationVE0
2050-06-19 21:15 - 2050-06-19 21:16 - 00000000 ____D () C:\Program Files\NewBlue
2050-06-19 21:15 - 2050-06-19 21:15 - 00000000 ____D () C:\Program Files (x86)\NewBlue
2050-06-19 20:57 - 2050-06-19 20:57 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivationVE
2050-06-19 20:49 - 2050-06-19 20:49 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivation Film
2050-06-19 20:47 - 2050-06-19 20:47 - 00000000 ____D () C:\Program Files\Common Files\OFX
2050-06-19 20:37 - 2050-06-19 20:37 - 00000340 _____ () C:\Users\Lenovo\Documents\ManualActivation.txt
2050-06-19 20:30 - 2015-04-02 09:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NewBlue
2015-04-14 11:59 - 2015-04-14 12:00 - 00000000 ____D () C:\FRST
2015-04-14 11:03 - 2015-04-14 11:03 - 00043664 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2015-04-14 10:51 - 2015-04-14 11:17 - 00032609 _____ () C:\Windows\WindowsUpdate.log
2015-04-13 23:29 - 2015-04-13 23:29 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\Hola
2015-04-07 21:34 - 2015-04-07 22:34 - 00601362 ____R () C:\Users\Lenovo\Downloads\T. Novan & Taylor Rickard - Words Heard In Silence.epub
2015-04-06 17:41 - 2015-04-06 17:41 - 00000188 _____ () C:\Users\Lenovo\Documents\hgvgvhfc.txt
2015-04-04 13:11 - 2015-04-04 13:11 - 00000814 _____ () C:\Users\Lenovo\Desktop\µTorrent.lnk
2015-04-04 13:11 - 2015-04-04 13:11 - 00000794 _____ () C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-04-04 11:22 - 2015-04-04 11:22 - 00000000 ____D () C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zariadenia Bluetooth
2015-04-04 09:29 - 2015-04-04 09:29 - 00000000 ___SD () C:\Windows\SysWOW64\GWX
2015-04-04 09:29 - 2015-04-04 09:29 - 00000000 ___SD () C:\Windows\system32\GWX
2015-04-02 20:26 - 2015-04-02 20:26 - 00001111 _____ () C:\Users\Public\Desktop\Bandizip.lnk
2015-04-02 20:26 - 2015-04-02 20:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bandizip
2015-04-02 20:26 - 2015-04-02 20:26 - 00000000 ____D () C:\Program Files (x86)\Bandizip
2015-04-02 13:39 - 2015-04-02 13:39 - 00000998 _____ () C:\Users\Public\Desktop\paint.net.lnk
2015-04-02 13:39 - 2015-04-02 13:39 - 00000998 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2015-04-01 11:17 - 2015-04-12 16:10 - 00000000 ____D () C:\Users\Lenovo\AppData\Roaming\uTorrent
2015-03-30 16:04 - 2015-03-30 16:04 - 00000221 _____ () C:\Users\Lenovo\Documents\Carpe DVD.txt
2015-03-30 15:09 - 2015-03-30 15:09 - 00001309 _____ () C:\Users\Lenovo\Documents\Creation DVDs.txt
2015-03-29 06:46 - 2015-04-05 12:40 - 00000165 _____ () C:\Users\Lenovo\Documents\B-day wish.txt
2015-03-28 13:05 - 2015-03-28 13:05 - 00000781 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-03-28 13:05 - 2015-03-28 13:05 - 00000781 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-03-28 13:05 - 2015-03-28 13:05 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-03-25 07:44 - 2015-03-11 06:06 - 00943616 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-03-25 07:44 - 2015-03-11 06:06 - 00760832 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-03-25 07:44 - 2015-03-11 06:06 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-03-25 07:44 - 2015-03-11 06:06 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-03-25 07:44 - 2015-03-11 06:05 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-03-25 07:44 - 2015-03-11 06:05 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-03-25 07:44 - 2015-03-11 06:05 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-03-25 07:44 - 2015-03-11 06:02 - 01107456 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-03-23 17:34 - 2015-04-13 23:03 - 00000000 ____D () C:\AdwCleaner
2015-03-23 03:10 - 2015-04-08 17:00 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\PhotoEditor
2015-03-23 03:10 - 2015-03-23 03:10 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\Anthropics
2015-03-23 03:09 - 2015-03-23 03:09 - 00000878 _____ () C:\Users\Lenovo\Desktop\Smart Photo Editor Trial.lnk
2015-03-23 03:09 - 2015-03-23 03:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Photo Editor Trial
2015-03-23 03:05 - 2015-03-23 04:02 - 00000000 ____D () C:\ProgramData\{29fd06d1-946e-8370-29fd-d06d19461b46}
2015-03-19 04:40 - 2015-03-19 06:58 - 00000511 _____ () C:\Users\Lenovo\Documents\Poznámky 7.txt
2015-03-18 19:14 - 2015-03-19 02:42 - 00002556 _____ () C:\Users\Lenovo\Documents\Poznámky 6.txt
2015-03-16 00:34 - 2015-03-29 06:54 - 00000836 _____ () C:\Users\Lenovo\Documents\DVD.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 11:33 - 2014-06-24 07:08 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-14 10:56 - 2009-07-14 06:45 - 00029120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-14 10:56 - 2009-07-14 06:45 - 00029120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-14 10:55 - 2009-07-14 07:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-14 10:48 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-13 21:06 - 2014-03-24 15:41 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\Corel
2015-04-13 21:02 - 2014-03-24 15:37 - 00000000 ____D () C:\Users\Lenovo\Documents\My PSP Files
2015-04-13 19:56 - 2015-01-14 14:56 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-09 23:17 - 2015-01-26 22:02 - 00000000 ____D () C:\Users\Lenovo\AppData\Roaming\vlc
2015-04-03 03:05 - 2013-01-21 17:51 - 01039844 _____ () C:\Users\Lenovo\AppData\Local\HDGraph.log
2015-04-02 10:56 - 2014-10-12 10:30 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\VS Revo Group
2015-04-02 10:26 - 2013-01-21 17:51 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\HDGraph.com
2015-04-02 09:52 - 2014-10-20 18:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sony
2015-04-02 09:52 - 2013-01-21 21:28 - 00000000 ____D () C:\ProgramData\Sony
2015-04-01 11:15 - 2015-01-14 14:44 - 00000000 ____D () C:\Users\Lenovo\AppData\Roaming\Avira
2015-04-01 11:14 - 2015-01-14 14:42 - 00000980 _____ () C:\Users\Public\Desktop\Avira Control Center.lnk
2015-04-01 11:14 - 2015-01-14 14:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-04-01 11:14 - 2013-01-18 15:09 - 00000000 ____D () C:\ProgramData\Avira
2015-03-28 12:34 - 2014-10-17 10:25 - 00000000 ____D () C:\ProgramData\Wondershare Video Converter Ultimate
2015-03-26 09:12 - 2014-09-01 21:23 - 00000000 ____D () C:\Users\Lenovo\AppData\Local\Adobe
2015-03-26 09:12 - 2014-06-24 07:08 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-03-26 09:12 - 2014-06-24 07:08 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-03-26 09:12 - 2014-06-24 07:08 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-03-25 07:59 - 2014-12-11 13:04 - 00000000 ____D () C:\Windows\system32\appraiser
2015-03-25 07:59 - 2014-05-06 12:48 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-03-23 06:24 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\Vss
2015-03-22 11:20 - 2015-01-14 17:11 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-03-22 11:20 - 2015-01-14 17:11 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-22 11:19 - 2015-01-14 17:14 - 00000703 _____ () C:\Users\Public\Desktop\AnyDVD.lnk
2015-03-19 07:15 - 2015-03-05 19:52 - 00000272 _____ () C:\Users\Lenovo\Documents\PCbday.txt
2015-03-19 07:07 - 2015-02-22 19:43 - 00001492 _____ () C:\Users\Lenovo\Documents\Fred.txt
2015-03-16 17:27 - 2009-07-14 07:08 - 00032496 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

==================== Files in the root of some directories =======

2013-05-06 15:51 - 2014-12-11 14:05 - 0000426 _____ () C:\Users\Lenovo\AppData\Roaming\burnaware.ini
2013-09-11 19:15 - 2014-02-12 07:58 - 0000042 _____ () C:\Users\Lenovo\AppData\Roaming\mbam.context.scan
2012-05-03 13:12 - 2012-05-03 13:12 - 0000532 _____ () C:\Users\Lenovo\AppData\Local\datos.txt
2013-01-22 22:28 - 2014-05-04 14:06 - 0010240 _____ () C:\Users\Lenovo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-21 17:51 - 2015-04-03 03:05 - 1039844 _____ () C:\Users\Lenovo\AppData\Local\HDGraph.log
2013-01-10 01:14 - 2015-01-14 17:21 - 0000080 ___SH () C:\ProgramData\.zreglib
2013-01-22 22:26 - 2013-01-22 22:41 - 0000088 __RSH () C:\ProgramData\43B47349DE.sys
2013-01-22 22:26 - 2013-01-22 22:52 - 0002828 ___SH () C:\ProgramData\KGyGaAvL.sys

Files to move or delete:
====================
C:\Users\Lenovo\mcplug.dll
C:\Users\Public\DeviceID.dat


Some content of TEMP:
====================
C:\Users\Lenovo\AppData\Local\Temp\avgnt.exe
C:\Users\Lenovo\AppData\Local\Temp\Hola-Setup-Plugin-x64-1.7.455.exe
C:\Users\Lenovo\AppData\Local\Temp\Quarantine.exe
C:\Users\Lenovo\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-02 10:44

==================== End Of Log ============================


#2 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 18 April 2015 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [OEXPRESS] => [X]
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [Nektra OEAPI] => [X]
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]
Task: {5D4D9BBB-02F2-4C75-BB86-B6FBBCB2AFCC} - \ProtectedSearch\Protected Search No Task File <==== ATTENTION
AlternateDataStreams: C:\Windows:471EF89D998DF3B8
AlternateDataStreams: C:\ProgramData\Temp:6DDED7D9
AlternateDataStreams: C:\ProgramData\Temp:888AFB86

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


LEGACY_SPPD could be tied to some PUP (Potentially Unwanted Program) installed without your consent, and so could UniDeals.
I do not see any trace of them in your logs.
AdwCleaner and Malwarebytes may have taken care of them.

===

How is the computer running now?

#3 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 18 April 2015 - 10:49 AM

Hello nasdaq, thank you for your answer.

 

I did all you said. Here is the log:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-04-2015 01
Ran by Lenovo at 2015-04-18 17:37:28 Run:1
Running from E:\Denisa\Video
Loaded Profiles: Lenovo (Available profiles: Lenovo & UpdatusUser)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************

start

CloseProcesses:

HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [OEXPRESS] => [X]
HKU\S-1-5-21-614083011-718981562-2214768546-1000\...\Run: [Nektra OEAPI] => [X]
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
S1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [X]
Task: {5D4D9BBB-02F2-4C75-BB86-B6FBBCB2AFCC} - \ProtectedSearch\Protected Search No Task File <==== ATTENTION
AlternateDataStreams: C:\Windows:471EF89D998DF3B8
AlternateDataStreams: C:\ProgramData\Temp:6DDED7D9
AlternateDataStreams: C:\ProgramData\Temp:888AFB86

End
*****************

Processes closed successfully.
HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Microsoft\Windows\CurrentVersion\Run\\OEXPRESS => value deleted successfully.
HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Nektra OEAPI => value deleted successfully.
"HKCR\PROTOCOLS\Handler\WSWSVCUchrome" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
ElRawDisk => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5D4D9BBB-02F2-4C75-BB86-B6FBBCB2AFCC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5D4D9BBB-02F2-4C75-BB86-B6FBBCB2AFCC}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtectedSearch\Protected Search => Key not found.
C:\Windows => ":471EF89D998DF3B8" ADS removed successfully.
C:\ProgramData\Temp => ":6DDED7D9" ADS removed successfully.
C:\ProgramData\Temp => ":888AFB86" ADS removed successfully.


The system needed a reboot.

==== End of Fixlog 17:37:28 ====

 

=====================

 

The computer is running okay. At least I don't see any problem now.



#4 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 18 April 2015 - 12:31 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 18 April 2015 - 02:43 PM

Thank you for the link. I will read it.

 

Today I ran the expired version of HitmanPro again and it showed the same problems as on Monday. I'm posting a screenshot of it below. I'm not an expert; most of the time I'm using Malwarebytes Anti-Malware, SUPERAntiSpyware Free Edition and AdwCleaner for my protection, besides my antivirus program. So I want to ask if these entries can do any harm to my computer. I want to let you know that I didn't install anything new on my computer this week, and that OneWay.dll was there before, so I guess that is okay.

 

(attached screenshot: Untitled-3.jpg)



#6 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 19 April 2015 - 06:51 AM

Instead of posting the image, can you copy and paste the information in your next reply?

With that information I may be able to check the registry.

#7 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2015 - 10:23 AM

Sorry, I didn't realize HitmanPro is able to make a log. Here is the info:

 

HitmanPro 3.7.9.240
www.hitmanpro.com

   Computer name . . . . : LENOVO-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Lenovo-PC\Lenovo
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2015-04-19 17:14:12
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 48s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 3
   Traces  . . . . . . . : 12

   Objects scanned . . . : 1 399 299
   Files scanned . . . . : 50 818
   Remnants scanned  . . : 245 421 files / 1 103 060 keys

Suspicious files ____________________________________________________________

   C:\Windows\SysWOW64\OneWay.dll
      Size . . . . . . . : 78 848 bytes
      Age  . . . . . . . : 368.4 days (2014-04-16 08:20:55)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : DBADB9D9976336491E455BCE0CEA2B9A51D59B19F29E8F59670AC9846B07F6C7
      Fuzzy  . . . . . . : 24.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The Entry Point of this file lies in a resource section. This is an indication of malware infection.
         The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Malware remnants ____________________________________________________________

   HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD\ (SearchProtect)
   HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD\ (SearchProtect)
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD\ (SearchProtect)

Potential Unwanted Programs _________________________________________________

   HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\ (UniDeals)
   HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\ (UniDeals)
   HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ (UniDeals)
   HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-614083011-718981562-2214768546-1001\Software\Systweak\ (AdvSysProtector)

Cookies _____________________________________________________________________

   C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\cookies.sqlite:server.cpmstar.com
 

#8 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 19 April 2015 - 12:58 PM


Except for OneWay.dll, all the rest are in your ControlSet.
Let's see if we can remove them. The malware programs are gone; it's just that these keys are remnants in the registry.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

C:\Windows\SysWOW64\OneWay.dll
Reg: reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1001\Software\Systweak"

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#9 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2015 - 01:04 PM

Should I remove OneWay.dll too? It's been there a long time, and if it's not necessary I'd rather not remove it.



#10 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 19 April 2015 - 01:36 PM

Remove it from my fix.

What I suggest is that you rename it to OneWay.dll.old

If a program needs it you will get an error.
You can then rename it back to its original name.

#11 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 19 April 2015 - 02:10 PM

Thank you for the advice concerning OneWay.dll. I deleted it from your fix and will try your advice about renaming it later.

I ran FRST. I have noticed that some answers in the Fixlog are in Slovak, with encoding errors, so I want to let you know what those quotes mean:
"Prístup je odmietnutý." means Access denied

"Operácia sa úspešne dokončila." means The action was successfully finished

 

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-04-2015 01
Ran by Lenovo at 2015-04-19 20:46:00 Run:2
Running from E:\Denisa\Video
Loaded Profiles: Lenovo & UpdatusUser (Available profiles: Lenovo & UpdatusUser)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CreateRestorePoint:
CloseProcesses:

Reg: reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
Reg: reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1001\Software\Systweak"

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD" =========

Permanently delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD (Yes/No)? ERROR: Prístup je odmietnutý. [Access is denied.]



========= End of Reg: =========


========= reg delete "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD" =========

Permanently delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD (Yes/No)? ERROR: Prístup je odmietnutý. [Access is denied.]



========= End of Reg: =========


========= reg delete "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD" =========

Permanently delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD (Yes/No)? ERROR: Prístup je odmietnutý. [Access is denied.]



========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} (Yes/No)? Operácia sa úspešne dokončila. [The operation completed successfully.]



========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1000\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} (Yes/No)? Operácia sa úspešne dokončila. [The operation completed successfully.]



========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} (Yes/No)? Operácia sa úspešne dokončila. [The operation completed successfully.]



========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} (Yes/No)? Operácia sa úspešne dokončila. [The operation completed successfully.]



========= End of Reg: =========


========= reg delete "HKU\S-1-5-21-614083011-718981562-2214768546-1001\Software\Systweak" =========

Permanently delete the registry key HKEY_USERS\S-1-5-21-614083011-718981562-2214768546-1001\Software\Systweak (Yes/No)? Operácia sa úspešne dokončila. [The operation completed successfully.]



========= End of Reg: =========



The system needed a reboot.

==== End of Fixlog 20:46:25 ====



#12 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 20 April 2015 - 06:57 AM

Try this one.

Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

Unlock: delete HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD
Unlock: delete HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD
Unlock: delete HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD
Reg: reg delete HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD /f
Reg: reg delete HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD /f
Reg: reg delete HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD /f


Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?

#13 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 20 April 2015 - 12:59 PM

Hello,

I did as you told me, but that LEGACY_SPPD is still there. I'm posting the log from HitmanPro for you to see.

 

But when I was first looking for this problem a week ago, I came across this video, How to delete Legacy Keys from the registry, https://www.youtube.com/watch?v=7OwfLtmqEwk . Do you think this is the reason why it wasn't successfully removed? If yes, I can follow the instructions in that video. I just wanted to ask you first.

 

Log from hitman pro

 

HitmanPro 3.7.9.240
www.hitmanpro.com

   Computer name . . . . : LENOVO-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Lenovo-PC\Lenovo
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2015-04-20 19:29:56
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 7m 25s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 3
   Traces  . . . . . . . : 5

   Objects scanned . . . : 1 402 603
   Files scanned . . . . : 52 104
   Remnants scanned  . . : 247 945 files / 1 102 554 keys

Suspicious files ____________________________________________________________

   C:\Windows\SysWOW64\OneWay.dll
      Size . . . . . . . : 78 848 bytes
      Age  . . . . . . . : 369.5 days (2014-04-16 08:20:55)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : DBADB9D9976336491E455BCE0CEA2B9A51D59B19F29E8F59670AC9846B07F6C7
      Fuzzy  . . . . . . : 24.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The Entry Point of this file lies in a resource section. This is an indication of malware infection.
         The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Malware remnants ____________________________________________________________

   HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD\ (SearchProtect)
   HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD\ (SearchProtect)
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD\ (SearchProtect)

Cookies _____________________________________________________________________

   C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\64our0ft.default-1408819549314\cookies.sqlite:server.cpmstar.com
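The seven lines HitmanPro prints under OneWay.dll here, and in the earlier scan in post #7, are static PE heuristics rather than a signature match. The PowerShell below is an added example, not HitmanPro's code and not anything posted in this thread: it re-derives three of those flags from the file's headers alone (which section contains AddressOfEntryPoint, whether the .rsrc section carries IMAGE_SCN_MEM_EXECUTE, and each section's Shannon entropy). It takes the file path from the log, recognises the resource section by its name rather than through the resource data directory, and uses 7.0 bits per byte as the entropy threshold; those last two are this example's own choices. The version-info, "PE structure anomalies" and "Fuzzy" checks are not reproduced.

```powershell
# Added example (not HitmanPro's code): static PE triage for one file.
# Assumed input: the path HitmanPro reported. Entropy threshold 7.0 is this example's choice.

function Get-ShannonEntropy([byte[]]$Bytes) {
    # Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution.
    if ($Bytes -eq $null -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Get-PeTriage([string]$Path) {
    $pe = [System.IO.File]::ReadAllBytes($Path)
    if ($pe.Length -lt 0x40 -or $pe[0] -ne 0x4D -or $pe[1] -ne 0x5A) { throw "$Path is not an MZ image" }
    $peOff = [int][BitConverter]::ToUInt32($pe, 0x3C)                           # e_lfanew
    if ([BitConverter]::ToUInt32($pe, $peOff) -ne 0x00004550) { throw "$Path has no PE signature" }  # 'PE\0\0'
    $coff      = $peOff + 4
    $nSections = [int][BitConverter]::ToUInt16($pe, $coff + 2)
    $optSize   = [int][BitConverter]::ToUInt16($pe, $coff + 16)
    $opt       = $coff + 20
    $entryRva  = [BitConverter]::ToUInt32($pe, $opt + 16)                        # AddressOfEntryPoint (same offset in PE32 and PE32+)
    $secTable  = $opt + $optSize

    $sections = @()
    for ($i = 0; $i -lt $nSections; $i++) {
        $s       = $secTable + 40 * $i                                            # IMAGE_SECTION_HEADER is 40 bytes
        $name    = [System.Text.Encoding]::ASCII.GetString($pe, $s, 8).TrimEnd([char]0)
        $vsize   = [BitConverter]::ToUInt32($pe, $s + 8)
        $va      = [BitConverter]::ToUInt32($pe, $s + 12)
        $rawSize = [int][BitConverter]::ToUInt32($pe, $s + 16)
        $rawPtr  = [int][BitConverter]::ToUInt32($pe, $s + 20)
        $chars   = [BitConverter]::ToUInt32($pe, $s + 36)
        $len     = [Math]::Max(0, [Math]::Min($rawSize, $pe.Length - $rawPtr))   # tolerate truncated files
        $data    = New-Object 'byte[]' $len
        if ($len -gt 0) { [Array]::Copy($pe, $rawPtr, $data, 0, $len) }
        $sections += New-Object PSObject -Property @{
            Name       = $name
            Start      = [int64]$va
            End        = [int64]$va + [Math]::Max([int64]$vsize, [int64]$rawSize)
            Executable = (($chars -band 0x20000000) -ne 0)                        # IMAGE_SCN_MEM_EXECUTE
            Entropy    = [Math]::Round((Get-ShannonEntropy $data), 2)
        }
    }

    # Same three observations HitmanPro made: where the entry point lives, whether the
    # resource section is executable, and whether any section looks packed or encrypted.
    $findings = @()
    $entrySec = $sections | Where-Object { $_.Start -le $entryRva -and $entryRva -lt $_.End } | Select-Object -First 1
    if ($entrySec -eq $null)            { $findings += 'entry point is outside every section' }
    elseif ($entrySec.Name -eq '.rsrc') { $findings += 'entry point lies in the .rsrc section' }
    foreach ($sec in $sections) {
        if ($sec.Name -eq '.rsrc' -and $sec.Executable) { $findings += '.rsrc section is executable' }
        if ($sec.Entropy -gt 7.0) { $findings += "$($sec.Name) entropy $($sec.Entropy): packed, compressed or encrypted" }
    }
    New-Object PSObject -Property @{
        File         = $Path
        EntrySection = $(if ($entrySec) { $entrySec.Name } else { $null })
        Sections     = $sections
        Findings     = $findings
    }
}

Get-PeTriage 'C:\Windows\SysWOW64\OneWay.dll' | Format-List
```

Entropy near 8 in .rsrc with the entry point inside it is the packed-in-resource layout HitmanPro is describing; on its own it is also what many packed or protected legitimate DLLs look like, so the result argues for inspecting the file (signature, strings, which installer dropped it) rather than deleting it outright, which is the call nasdaq left to the poster.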



#14 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 20 April 2015 - 01:40 PM


Yes, if you feel comfortable deleting these keys.

In my instructions in post no. 11 I created a restore point.

Restore point was successfully created.

So proceed carefully in the removal.
Make sure you save your work when done.

#15 DenisX

  • Topic Starter
  • Members
  • 18 posts

Posted 21 April 2015 - 12:15 PM

Hello,
I changed who can modify LEGACY_SPPD in its preferences, as the video showed, then I used this fix in FRST:

start

CreateRestorePoint:
CloseProcesses:

Reg: reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD"
Reg: reg delete "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD"

End

In the log, the first entry was successfully removed,

the second: The system was unable to find the specified registry key or value.

and the third: Access denied.

 

When I checked HitmanPro again, LEGACY_SPPD was finally not there, so it worked.

Thank you very much for your help, nasdaq.
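Why reg delete kept failing, and why the last run came back as deleted / not found / access denied: the LEGACY_<service> nodes under Enum\Root are created by the Plug and Play manager for non-PnP drivers and services, and they are owned by SYSTEM with a DACL that does not give Administrators delete rights, so reg delete running under the logged-on administrator's token (whether typed by hand or launched by FRST's Reg: directive, which is what the "========= reg delete" blocks in the Fixlog are) gets "Access is denied" until someone takes ownership and grants full control, which is what the video's manual permission change did. CurrentControlSet is a symbolic link to one of the ControlSet00N keys, which matches the final result: the key vanished through CurrentControlSet, ControlSet001 then reported it missing because it was the same key, and ControlSet002, whose copy never had its permissions changed, still refused. The script below is an added example, not FRST's or nasdaq's code, that does the whole sequence in one elevated PowerShell session: enable SeTakeOwnershipPrivilege in the current token, take ownership of the key and of the 0000 instance subkey beneath it, grant BUILTIN\Administrators full control, delete it from every control set, and warn if the driver's own Services entry (the name after LEGACY_) still exists, since the PnP manager creates the LEGACY_ node again whenever that service is started. The key name LEGACY_SPPD and the three control set names come from the logs; the function names and the Win32.Priv helper are this example's own.

```powershell
# Added example for this thread, not FRST's or nasdaq's code. Assumes an elevated PowerShell
# on the same Windows 7 x64 machine; the key name LEGACY_SPPD is taken from the HitmanPro log.

# An administrator token holds SeTakeOwnershipPrivilege but it is disabled by default. Enabled,
# it lets us open a key for WRITE_OWNER even when the key's DACL grants us read access only.
Add-Type -Namespace Win32 -Name Priv -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LookupPrivilegeValue(string host, string name, out long luid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokPriv1Luid state,
                                         int len, IntPtr prev, IntPtr retLen);
public static bool Enable(string name) {
    IntPtr token;
    IntPtr proc = System.Diagnostics.Process.GetCurrentProcess().Handle;
    if (!OpenProcessToken(proc, 0x28, out token)) return false;     // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    TokPriv1Luid tp = new TokPriv1Luid();
    tp.Count = 1; tp.Attr = 2;                                      // SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
    bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return ok && Marshal.GetLastWin32Error() == 0;                  // 1300 = privilege not held by this token
}
'@

if (-not [Win32.Priv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'SeTakeOwnershipPrivilege unavailable: run this from an elevated (Run as administrator) PowerShell.'
}

$Admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')   # BUILTIN\Administrators
$HKLM   = [Microsoft.Win32.Registry]::LocalMachine

function Unlock-RegistryKey([string]$SubKey) {
    # Step 1: open for WRITE_OWNER only (possible thanks to the privilege) and make Administrators the owner.
    $k = $HKLM.OpenSubKey($SubKey, 'ReadWriteSubTree', 'TakeOwnership')
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins)
    $k.SetAccessControl($sec)
    $k.Close()
    # Step 2: the owner always has READ_CONTROL and WRITE_DAC, so add an inheritable FullControl ACE.
    $k = $HKLM.OpenSubKey($SubKey, 'ReadWriteSubTree', 'ReadPermissions, ChangePermissions')
    $sec = $k.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Admins, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $sec.AddAccessRule($rule)
    $k.SetAccessControl($sec)
    $k.Close()
    # Step 3: the 0000 instance subkey under a LEGACY_* node carries its own DACL, so repeat for every child.
    $k = $HKLM.OpenSubKey($SubKey)
    foreach ($child in $k.GetSubKeyNames()) { Unlock-RegistryKey "$SubKey\$child" }
    $k.Close()
}

function Remove-LegacyEnumKey([string]$Name) {
    $service = $Name.Substring(7)                                     # LEGACY_SPPD -> SPPD
    foreach ($cs in 'CurrentControlSet', 'ControlSet001', 'ControlSet002') {
        $path = "SYSTEM\$cs\Enum\Root\$Name"
        # Check the Services entry first: while it exists, starting the service recreates the LEGACY_ node.
        $svc = $HKLM.OpenSubKey("SYSTEM\$cs\Services\$service")
        if ($svc) { $svc.Close(); Write-Warning "SYSTEM\$cs\Services\$service still exists; $Name will come back if that service starts" }
        $root = $HKLM.OpenSubKey("SYSTEM\$cs\Enum\Root")
        $present = ($root -ne $null) -and ($root.GetSubKeyNames() -contains $Name)
        if ($root) { $root.Close() }
        if (-not $present) { Write-Output "$($path): not present"; continue }   # already gone via the linked set
        Unlock-RegistryKey $path
        & reg.exe delete "HKLM\$path" /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete failed for $path" }
        Write-Output "$($path): deleted"
    }
}

Remove-LegacyEnumKey 'LEGACY_SPPD'
```

Run it once from an elevated prompt and then rescan, as the poster did. Seeing "not present" for ControlSet001 right after CurrentControlSet is expected when ControlSet001 is the current set; ControlSet002 is the last-known-good copy and gets unlocked and deleted on its own. If the Services entry warning fires, the leftover service (not the LEGACY_ node) is what still needs removing.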





