browser.exe changed/moved error and various malware popups


This topic is locked
4 replies to this topic

#1 howardliao


Posted 14 April 2015 - 06:52 PM

Every time I click on the Firefox or Chrome browser, I get the "browser.exe shortcut has been changed/moved" error. I restore the shortcut to no success, but Internet Explorer works now after I removed programs I didn't recognize; however, I still get popups frequently. Please help.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-04-2015
Ran by Howard (administrator) on HOWARD-PC on 14-04-2015 18:46:03
Running from C:\Users\Howard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6OIEONY
Loaded Profiles: Howard (Available profiles: Howard)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser path: "C:\Program Files (x86)\speed browser\Application\browser.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(百度在线网络技术(北京)有限公司) C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.1.0.34\BaiduProtect.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\ProgramData\NetEngine\bin\D6\netengine.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
() C:\ProgramData\NetEngine\bin\D6\netengine.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_17_0_0_134_ActiveX.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
() C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286056 2013-07-30] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7194840 2013-07-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-07-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-07-29] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [Dell Registration] => C:\Program Files (x86)\System Registration\prodreg.exe [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: [NWEReboot] => [X]
HKLM-x32\...\Run: [StormWatch] => "C:\Program Files (x86)\StormWatch\StormWatchApp.exe"
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [132736 2013-07-02] ( (Qualcomm®Atheros®))
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_17_0_0_134_ActiveX.exe [652464 2015-03-17] (Adobe Systems Incorporated)
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
Startup: C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
ShortcutTarget: hqghumeaylnlf.lnk -> C:\ProgramData\{747a8e78-1f33-7ed6-747a-a8e781f339e0}\hqghumeaylnlf.exe (No File)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hao.360.cn/?a1004
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://hao.360.cn/?a1004
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1382067847-4211843049-822856409-1001 -> {2F580C36-8752-4A1B-BC6D-9CC5E9A16791} URL = http://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=11067
SearchScopes: HKU\S-1-5-21-1382067847-4211843049-822856409-1001 -> {3CBBD072-6373-47FD-AC25-650BFD870E4A} URL =
SearchScopes: HKU\S-1-5-21-1382067847-4211843049-822856409-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=58051076_oem_dg&ch=33
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2013-07-02] (Qualcomm®Atheros®)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2014-07-14] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Toolbar: HKLM - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\IEToolbar64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\ietoolbar.dll No File
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2014-07-14] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

FireFox:
========
FF ProfilePath: C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\vzq6f0r7.default
FF Homepage: www.yahoo.com
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-08] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-08] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-02-17] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: No Name - C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\vzq6f0r7.default\extensions\toolbar11067@freshy.com.xpi [Not Found]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.yahoo.com/
CHR StartupUrls: Default -> "hxxp://www.yahoo.com/"
CHR DefaultSearchKeyword: Default -> yahoo.com
CHR DefaultSearchURL: Default -> https://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}
CHR DefaultSuggestURL: Default -> https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
CHR Profile: C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-27]
CHR Extension: (Google Docs) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-27]
CHR Extension: (Google Drive) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-27]
CHR Extension: (YouTube) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-27]
CHR Extension: (Google Search) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-27]
CHR Extension: (Google Sheets) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Google Wallet) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-27]
CHR Extension: (Gmail) - C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-27]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-07-02] (Windows ® Win 7 DDK provider) [File not signed]
R2 BDSGRTP; C:\Program Files (x86)\Common Files\Baidu\BaiduProtect\1.1.0.34\BaiduProtect.exe [1101152 2013-12-10] (百度在线网络技术(北京)有限公司)
S3 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
S3 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2557136 2015-02-26] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201936 2015-02-26] (Dell Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [14696 2013-07-30] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-09] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [1924328 2014-09-18] (SoftThinks SAS)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [19288 2015-03-04] (Dell Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-09-23] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2013-06-21] (Atheros) [File not signed]
S2 StormWatch Update Service; "C:\Program Files (x86)\StormWatch\StormWatchSrv.exe" [X]
S2 SWUpdater; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 bd0001; C:\Windows\System32\DRIVERS\bd0001.sys [104264 2013-12-10] (Baidu)
R1 bd0004; C:\Windows\System32\DRIVERS\bd0004.sys [168264 2013-12-10] (Baidu)
R3 BTATH_LWFLT; C:\Windows\System32\DRIVERS\btath_lwflt.sys [77464 2013-07-02] (Qualcomm Atheros)
R3 DDDriver; C:\Windows\System32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\Windows\System32\drivers\DellProf.sys [23312 2015-01-30] (Dell Computer Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-07-24] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-03-17] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-03-17] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S1 swsenfd_1_10_0_13; system32\drivers\swsenfd_1_10_0_13.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 18:45 - 2015-04-14 18:46 - 00000000 ____D () C:\FRST
2015-04-14 18:37 - 2015-04-14 18:37 - 00001921 _____ () C:\Users\Howard\Desktop\Mozilla Firefox.lnk
2015-04-14 18:32 - 2015-04-14 18:32 - 00013827 _____ () C:\Users\Howard\Desktop\iexplore.lnk
2015-04-14 18:28 - 2015-04-14 18:28 - 00000000 ___RD () C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2015-04-14 18:25 - 2015-04-14 18:25 - 00000000 ____D () C:\ProgramData\2b89e07c00005e43
2015-04-07 23:27 - 2015-04-14 18:26 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-04-07 23:23 - 2015-04-07 23:23 - 00000000 ____D () C:\CrimeWatch
2015-04-07 23:17 - 2015-04-07 23:17 - 00003744 _____ () C:\Windows\System32\Tasks\gameo_update
2015-04-07 23:17 - 2015-04-07 23:17 - 00000174 _____ () C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url
2015-04-07 23:15 - 2015-04-07 23:15 - 29419944 _____ (Oracle Corporation) C:\Users\Howard\Downloads\jre-7u60-windows-i586.exe
2015-04-07 23:15 - 2015-04-07 23:15 - 00004018 _____ () C:\Windows\System32\Tasks\LaunchSignup
2015-04-07 23:14 - 2015-04-07 23:27 - 00000000 ____D () C:\Program Files (x86)\Portable WeatherApp
2015-04-07 23:14 - 2015-04-07 23:14 - 00003656 _____ () C:\Windows\System32\Tasks\IE_ERR4WDR
2015-04-07 23:14 - 2015-04-07 23:14 - 00003632 _____ () C:\Windows\System32\Tasks\HDNINSTSCHD
2015-04-07 23:14 - 2015-04-07 23:14 - 00003498 _____ () C:\Windows\System32\Tasks\UPDTEXE4_WDR
2015-04-07 22:22 - 2015-04-12 22:10 - 00000000 ____D () C:\Program Files (x86)\speed browser
2015-04-07 22:22 - 2015-04-12 21:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\speed browser
2015-04-07 22:22 - 2015-04-07 22:22 - 00000000 ____D () C:\Users\Howard\AppData\Local\speed browser
2015-04-07 22:16 - 2015-04-07 22:16 - 00000000 ____D () C:\ProgramData\Browser
2015-04-06 23:42 - 2015-04-12 21:51 - 00003436 _____ () C:\Windows\System32\Tasks\NetEngine
2015-04-06 23:42 - 2015-04-06 23:42 - 00000000 ____D () C:\ProgramData\NetEngine
2015-04-06 21:21 - 2015-04-06 21:21 - 00015075 _____ () C:\Users\Howard\Downloads\youtube (1).lua
2015-04-06 21:20 - 2015-04-06 21:20 - 00015075 _____ () C:\Users\Howard\Downloads\youtube.lua
2015-04-06 21:04 - 2015-04-06 21:59 - 00000000 ____D () C:\Users\Howard\AppData\Roaming\vlc
2015-04-06 20:49 - 2015-04-06 20:57 - 00000000 ____D () C:\ProgramData\T122078ED
2015-04-06 20:41 - 2015-04-06 20:41 - 00001068 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2015-04-06 20:41 - 2015-04-06 20:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-04-06 20:41 - 2015-04-06 20:41 - 00000000 ____D () C:\Program Files (x86)\VideoLAN
2015-04-06 20:38 - 2015-04-12 22:11 - 00000000 ____D () C:\ProgramData\yPwyNknMRxO
2015-04-06 20:38 - 2015-04-12 22:11 - 00000000 ____D () C:\ProgramData\{747a8e78-1f33-7ed6-747a-a8e781f339e0}
2015-04-06 20:38 - 2015-04-06 20:38 - 00003844 _____ () C:\Windows\System32\Tasks\UpdateAdmin
2015-04-06 20:36 - 2015-04-06 20:36 - 00000636 _____ () C:\Users\Howard\Downloads\vlcmediaplayer-setup.website
2015-04-06 20:31 - 2015-04-06 20:31 - 00000000 ____D () C:\ProgramData\{plbackup-CFE0-66E8-660553B4C955}
2015-04-06 20:29 - 2015-04-06 20:29 - 00000000 ____D () C:\Users\Howard\AppData\Roaming\360SuperKiller
2015-04-06 20:16 - 2015-04-14 18:30 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-06 20:15 - 2015-04-06 20:15 - 00001104 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-04-06 20:15 - 2015-04-06 20:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-06 20:15 - 2015-04-06 20:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-06 20:15 - 2015-04-06 20:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-04-06 20:15 - 2015-03-17 06:15 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-04-06 20:15 - 2015-03-17 06:15 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-04-06 20:15 - 2015-03-17 06:15 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-04-06 20:14 - 2015-04-06 20:14 - 21540440 _____ (Malwarebytes Corporation ) C:\Users\Howard\Downloads\mbam-setup-2.1.4.1018.exe
2015-04-03 22:57 - 2015-04-03 22:57 - 00000000 ___SD () C:\Windows\SysWOW64\GWX
2015-04-03 22:57 - 2015-04-03 22:57 - 00000000 ___SD () C:\Windows\system32\GWX
2015-04-03 21:55 - 2015-04-03 21:55 - 01721898 _____ () C:\Users\Howard\Downloads\Attachments_201543.zip
2015-04-03 19:03 - 2015-04-03 19:03 - 00003038 _____ () C:\Windows\System32\Tasks\{889E2E82-DFE2-4EDE-84C9-C00BB9811D35}
2015-04-03 18:17 - 2005-10-24 09:55 - 00209791 ____N () C:\Windows\UNNeroVision.cfg
2015-04-03 18:17 - 2005-09-07 11:08 - 03006464 ____N (Nero AG) C:\Windows\UNNeroVision.exe
2015-04-03 18:17 - 2001-03-08 19:30 - 00024064 ____N (Microsoft Corporation) C:\Windows\SysWOW64\msxml3a.dll
2015-04-03 18:16 - 2015-04-03 18:16 - 00000000 ____D () C:\ProgramData\Ahead
2015-04-03 18:16 - 2015-04-03 18:16 - 00000000 ____D () C:\Program Files (x86)\Ahead
2015-04-03 18:16 - 2004-07-20 17:24 - 01568768 ____N (Pegasus Imaging Corp.) C:\Windows\SysWOW64\ImagX7.dll
2015-04-03 18:16 - 2004-07-20 17:24 - 00476320 ____N (Pegasus Imaging Corp.) C:\Windows\SysWOW64\ImagXpr7.dll
2015-04-03 18:16 - 2004-07-20 17:24 - 00471040 ____N (Pegasus Imaging Corp.) C:\Windows\SysWOW64\ImagXRA7.dll
2015-04-03 18:16 - 2004-07-20 17:24 - 00262144 ____N (Pegasus Imaging Corp.) C:\Windows\SysWOW64\ImagXR7.dll
2015-04-03 18:16 - 2004-07-09 09:43 - 00364544 ____N (Pegasus Imaging Corp.) C:\Windows\SysWOW64\TwnLib4.dll
2015-04-03 18:16 - 2001-06-26 08:15 - 00038912 ____N (Pegasus Imaging Corp.) C:\Windows\SysWOW64\picn20.dll
2015-04-03 18:16 - 2000-06-26 11:45 - 00106496 ____N (Pegasus Software) C:\Windows\SysWOW64\TwnLib20.dll
2015-03-24 23:13 - 2015-04-06 20:24 - 00000000 ____D () C:\Users\Howard\AppData\Roaming\wer52w
2015-03-24 22:55 - 2015-03-10 23:06 - 00943616 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-03-24 22:55 - 2015-03-10 23:06 - 00760832 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-03-24 22:55 - 2015-03-10 23:06 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-03-24 22:55 - 2015-03-10 23:06 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-03-24 22:55 - 2015-03-10 23:05 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-03-24 22:55 - 2015-03-10 23:05 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-03-24 22:55 - 2015-03-10 23:05 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-03-24 22:55 - 2015-03-10 23:02 - 01107456 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-03-23 23:03 - 2015-04-06 20:32 - 00000000 ____D () C:\Users\Howard\AppData\Local\CrashDumps
2015-03-21 20:51 - 2015-03-21 20:51 - 00000000 ____D () C:\Windows\TMP
2015-03-19 18:05 - 2015-04-06 20:24 - 00000000 ____D () C:\Users\Howard\AppData\Roaming\Baidu
2015-03-19 17:54 - 2015-03-19 17:54 - 00000000 ____D () C:\Users\Howard\AppData\Roaming\360Login
2015-03-19 17:49 - 2015-03-19 17:49 - 00000000 ____D () C:\KwSingMV
2015-03-17 23:46 - 2015-03-19 17:49 - 00000000 ____D () C:\ProgramData\koowo
2015-03-17 23:45 - 2015-04-06 20:06 - 00000000 ____D () C:\Users\Howard\AppData\Roaming\360se6
2015-03-17 23:44 - 2015-04-06 20:32 - 00000000 ____D () C:\ProgramData\360safe
2015-03-17 23:43 - 2015-03-17 23:43 - 00000000 ____D () C:\Program Files (x86)\360
2015-03-17 23:41 - 2015-03-17 23:41 - 00056648 _____ (Baidu) C:\Windows\system32\Drivers\BDMWrench.sys
2015-03-17 23:40 - 2015-04-06 20:26 - 00000000 ____D () C:\Program Files (x86)\Baidu
2015-03-17 23:40 - 2015-03-21 21:01 - 00000000 ____D () C:\Program Files (x86)\BaiduAddr
2015-03-17 23:40 - 2015-03-19 18:05 - 00000000 ____D () C:\ProgramData\Baidu
2015-03-17 23:40 - 2013-12-10 02:53 - 00168264 _____ (Baidu) C:\Windows\system32\Drivers\bd0004.sys
2015-03-17 23:40 - 2013-12-10 02:53 - 00104264 _____ (Baidu) C:\Windows\system32\Drivers\bd0001.sys
2015-03-17 23:40 - 2013-12-10 02:53 - 00041800 _____ (Baidu) C:\Windows\system32\bd64_x64.dll
2015-03-17 23:40 - 2013-12-10 02:53 - 00039056 _____ (Baidu) C:\Windows\system32\bd64_x86.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 18:38 - 2014-09-23 09:33 - 01849478 _____ () C:\Windows\WindowsUpdate.log
2015-04-14 18:35 - 2014-09-23 09:50 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-04-14 18:35 - 2009-07-13 23:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-14 18:35 - 2009-07-13 23:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-14 18:33 - 2009-07-14 00:13 - 00783606 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-14 18:28 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-14 18:28 - 2009-07-13 23:51 - 00039462 _____ () C:\Windows\setupact.log
2015-04-14 18:27 - 2010-11-20 22:47 - 00991260 _____ () C:\Windows\PFRO.log
2015-04-12 22:11 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PLA
2015-04-12 21:53 - 2014-12-27 14:59 - 00000000 ____D () C:\Users\Howard\Desktop\Account Receivable
2015-04-12 21:52 - 2014-12-27 17:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-04-10 22:38 - 2014-12-27 15:18 - 00000000 ____D () C:\Users\Howard\Documents\Total Experts
2015-04-07 23:10 - 2014-12-27 15:05 - 00000000 ____D () C:\Users\Howard\Documents\Howard
2015-04-06 20:43 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system
2015-04-06 20:36 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Resources
2015-04-06 20:26 - 2015-02-13 09:17 - 00003592 _____ () C:\Windows\System32\Tasks\Dell SupportAssistAgent AutoUpdate
2015-03-27 14:22 - 2015-02-13 09:17 - 00000000 ____D () C:\ProgramData\SupportAssistAgent
2015-03-25 20:12 - 2014-12-29 04:49 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-03-25 20:12 - 2014-12-29 04:49 - 00000000 ____D () C:\Windows\system32\appraiser
2015-03-24 22:50 - 2015-02-11 23:41 - 00004034 _____ () C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-03-24 22:50 - 2014-12-27 17:45 - 00003906 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-03-24 22:50 - 2014-12-27 17:45 - 00003654 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-03-24 22:50 - 2014-09-23 09:33 - 00003770 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-03-22 11:57 - 2009-07-13 22:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-03-22 11:57 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2015-03-20 11:03 - 2015-02-11 23:41 - 00003484 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2015-03-17 23:44 - 2014-12-27 17:28 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-03-17 22:26 - 2014-12-29 21:44 - 00000000 ____D () C:\Users\Howard\AppData\Local\Adobe
2015-03-17 22:26 - 2014-09-23 09:47 - 00000000 ____D () C:\ProgramData\McAfee
2015-03-17 22:26 - 2014-09-23 09:33 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-03-17 22:26 - 2014-09-23 09:33 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-03-17 19:58 - 2009-07-14 00:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD

==================== Files in the root of some directories =======

2014-09-23 09:39 - 2014-09-23 09:39 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\Howard\AppData\Local\Temp\1501010.dll
C:\Users\Howard\AppData\Local\Temp\26254.dll
C:\Users\Howard\AppData\Local\Temp\26925.dll
C:\Users\Howard\AppData\Local\Temp\28002.dll
C:\Users\Howard\AppData\Local\Temp\30451.dll
C:\Users\Howard\AppData\Local\Temp\30bb05dd-15cc-44de-baf1-0f0f43f1757f.exe
C:\Users\Howard\AppData\Local\Temp\31449.dll
C:\Users\Howard\AppData\Local\Temp\34523.dll
C:\Users\Howard\AppData\Local\Temp\39109.dll
C:\Users\Howard\AppData\Local\Temp\40123.dll
C:\Users\Howard\AppData\Local\Temp\40716.dll
C:\Users\Howard\AppData\Local\Temp\46815.dll
C:\Users\Howard\AppData\Local\Temp\52681.dll
C:\Users\Howard\AppData\Local\Temp\bdrl.exe
C:\Users\Howard\AppData\Local\Temp\CloudBackup8113.exe
C:\Users\Howard\AppData\Local\Temp\kwuninsthelper.exe
C:\Users\Howard\AppData\Local\Temp\optprosetup.exe
C:\Users\Howard\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Howard\AppData\Local\Temp\vlc-2.1.5-win32.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-14 03:58

==================== End Of Log ============================

#2 nasdaq


  • Malware Response Team
  • 38,223 posts
  • Location:Montreal, QC. Canada

Posted 18 April 2015 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:
EmptyTemp:

() C:\ProgramData\NetEngine\bin\D6\netengine.exe
() C:\ProgramData\NetEngine\bin\D6\netengine.exe
HKLM-x32\...\Run: [NWEReboot] => [X]
HKLM-x32\...\Run: [StormWatch] => "C:\Program Files (x86)\StormWatch\StormWatchApp.exe"
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
Startup: C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
ShortcutTarget: hqghumeaylnlf.lnk -> C:\ProgramData\{747a8e78-1f33-7ed6-747a-a8e781f339e0}\hqghumeaylnlf.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1382067847-4211843049-822856409-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=58051076_oem_dg&ch=33
Toolbar: HKLM - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\IEToolbar64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\ietoolbar.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: No Name - C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\vzq6f0r7.default\extensions\toolbar11067@freshy.com.xpi [Not Found]
S2 StormWatch Update Service; "C:\Program Files (x86)\StormWatch\StormWatchSrv.exe" [X]
S2 SWUpdater; No ImagePath
S1 swsenfd_1_10_0_13; system32\drivers\swsenfd_1_10_0_13.sys [X]
C:\Program Files (x86)\Itibiti Soft Phone
C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
Task: {302C0F87-4C17-42E4-B507-94F6E062FC74} - \KwRunAsStdUser Task26226 No Task File <==== ATTENTION
Task: {3254A673-925C-4941-94D3-275298B7B427} - \KwRunAsStdUser Task29865 No Task File <==== ATTENTION
Task: {4808BCB5-C544-4740-899C-02B2106D5179} - System32\Tasks\UpdateAdmin => C:\Users\Howard\AppData\Local\UpdateAdmin\UpdateAdmin.exe <==== ATTENTION
Task: {54BBCD56-59FC-43DB-9B98-08E803706D65} - \KwRunAsStdUser Task859 No Task File <==== ATTENTION
Task: {93E4689E-992C-46D6-A8E5-D884AAD7883E} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {9868366A-321D-43C8-83FE-EAC97553BB5D} - \KwRunAsStdUser Task29209 No Task File <==== ATTENTION
Task: {CA26DC86-3D83-4A36-8410-37F066ABD8B1} - \KwRunAsStdUser Task29872 No Task File <==== ATTENTION
Task: {EF5291DD-4846-458D-A323-1C7E6DAF842E} - \KwRunAsStdUser Task29215 No Task File <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
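
The fixlist above is assembled by hand from FRST's own scan lines: FRST accepts the lines it printed as removal instructions. As an added example (not FRST's code and not part of nasdaq's reply), the Python below reads lines in that format, names the persistence mechanism each one describes (Run key, Startup shortcut, browser policy key, IE search scope, IE toolbar, Firefox extension, service, driver, scheduled task), flags the entries whose target file is already gone, and emits a fixlist in the same start/End form. The sample lines are copied from the log in this thread; the category names, the orphan markers it looks for and the order of the commands are this example's own choices.

```python
"""Triage Farbar Recovery Scan Tool (FRST) output lines.

Added example for this thread; not code from FRST or from the original
posts. It takes the kind of lines FRST prints in FRST.txt, names the
persistence mechanism each one describes, flags entries whose target no
longer exists (the [X] / No File / Not Found / No ImagePath cases, which
still fire on every logon or trigger), and assembles a fixlist in the
same start ... End form used in the reply above.
"""
import re

# Lines copied from the FRST.txt and fixlist posted in this thread.
SAMPLE_LINES = [
    r'HKLM-x32\...\Run: [NWEReboot] => [X]',
    r'HKLM-x32\...\Run: [StormWatch] => "C:\Program Files (x86)\StormWatch\StormWatchApp.exe"',
    r'HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe',
    r'Startup: C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk',
    r'ShortcutTarget: hqghumeaylnlf.lnk -> C:\ProgramData\{747a8e78-1f33-7ed6-747a-a8e781f339e0}\hqghumeaylnlf.exe (No File)',
    r'CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION',
    r'HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION',
    r'SearchScopes: HKU\S-1-5-21-1382067847-4211843049-822856409-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=58051076_oem_dg&ch=33',
    r'Toolbar: HKLM - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\IEToolbar64.dll No File',
    r'FF Extension: No Name - C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\vzq6f0r7.default\extensions\toolbar11067@freshy.com.xpi [Not Found]',
    r'S2 StormWatch Update Service; "C:\Program Files (x86)\StormWatch\StormWatchSrv.exe" [X]',
    r'S2 SWUpdater; No ImagePath',
    r'S1 swsenfd_1_10_0_13; system32\drivers\swsenfd_1_10_0_13.sys [X]',
    r'Task: {302C0F87-4C17-42E4-B507-94F6E062FC74} - \KwRunAsStdUser Task26226 No Task File <==== ATTENTION',
    r'Task: {4808BCB5-C544-4740-899C-02B2106D5179} - System32\Tasks\UpdateAdmin => C:\Users\Howard\AppData\Local\UpdateAdmin\UpdateAdmin.exe <==== ATTENTION',
]

# Markers FRST appends when the file, image or task body behind an entry is gone.
ORPHAN_MARKERS = ("[X]", "No File", "[Not Found]", "No ImagePath", "No Task File")

# (pattern, category) pairs, tried in order; the first match wins.
PATTERNS = [
    (re.compile(r"^(HKLM(?:-x32)?|HKU\\S-1-5-21-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.*)$"), "autorun"),
    (re.compile(r"^Startup: (?P<target>.+\.lnk)$"), "startup_shortcut"),
    (re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<target>.*)$"), "startup_shortcut"),
    (re.compile(r"^(?:CHR )?HKLM\\SOFTWARE\\Policies\\(?P<name>.+?): Policy restriction"), "browser_policy"),
    (re.compile(r"^SearchScopes: (?P<name>HK\S+) -> \{[0-9A-Fa-f-]+\} URL = (?P<target>\S+)"), "search_hijack"),
    (re.compile(r"^Toolbar: HKLM(?:-x32)? - (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"), "ie_toolbar"),
    (re.compile(r"^FF Extension: (?P<name>.+?) - (?P<target>.*)$"), "ff_extension"),
    (re.compile(r"^[SR](?P<start>[0-4]) (?P<name>[^;]+); (?P<target>.*)$"), "service"),
    (re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"), "scheduled_task"),
]


def is_orphaned(line):
    """True when FRST marks the entry's target as missing on disk.

    Orphaned entries carry no payload any more, but they still run at logon
    or on their trigger, and each is a slot a later dropper can reuse.
    """
    return any(marker in line for marker in ORPHAN_MARKERS)


def classify(line):
    """Describe one FRST line, or return None for lines this triage ignores."""
    for pattern, category in PATTERNS:
        match = pattern.match(line)
        if not match:
            continue
        groups = match.groupdict()
        # Start types 0 (boot) and 1 (system) exist only for kernel drivers.
        if category == "service" and groups.get("start") in ("0", "1"):
            category = "driver"
        return {
            "category": category,
            "name": groups.get("name"),
            "target": groups.get("target"),
            "orphaned": is_orphaned(line),
            "flagged": "ATTENTION" in line,  # FRST's own <==== ATTENTION marker
        }
    return None


def summarize(lines):
    """Count recognised entries per persistence category."""
    counts = {}
    for line in lines:
        entry = classify(line)
        if entry:
            counts[entry["category"]] = counts.get(entry["category"], 0) + 1
    return counts


def orphaned_entries(lines):
    """Names (or targets, for tasks) of entries whose file is already gone."""
    return [entry["name"] or entry["target"]
            for entry in map(classify, lines) if entry and entry["orphaned"]]


def build_fixlist(lines, empty_temp=True):
    """Assemble a fixlist; FRST accepts its own scan lines verbatim.

    Unrecognised lines are dropped rather than passed through, so a stray
    line from elsewhere in the log cannot end up in the fix by accident.
    """
    commands = ["CloseProcesses:"] + (["EmptyTemp:"] if empty_temp else [])
    entries = [line for line in lines if classify(line)]
    return "\n".join(["start", ""] + commands + [""] + entries + ["", "End"])


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print("orphaned:", orphaned_entries(SAMPLE_LINES))
    print(build_fixlist(SAMPLE_LINES))
```

The orphan check is the point of interest in this particular fix: most of the entries ([X], No File, No ImagePath, No Task File) point at files the user had already removed by uninstalling the programs, yet the Run values, services and scheduled tasks that launched them stayed behind. Each one still fires at logon or on its trigger, which is why the reply removes them alongside the live entries. The parser only recognises the line shapes shown here and will pass a legitimate entry through if handed one, so the assembled list is still reviewed by a person before FRST runs it.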

#3 howardliao

  • Topic Starter
  • Members
  • 2 posts

Posted 18 April 2015 - 11:06 AM

Seems good, browsers work, no popups so far. Thanks.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-04-2015 01
Ran by Howard at 2015-04-18 10:46:07 Run:1
Running from C:\Users\Howard\Desktop\frst
Loaded Profiles: Howard (Available profiles: Howard)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:
EmptyTemp:

() C:\ProgramData\NetEngine\bin\D6\netengine.exe
() C:\ProgramData\NetEngine\bin\D6\netengine.exe
HKLM-x32\...\Run: [NWEReboot] => [X]
HKLM-x32\...\Run: [StormWatch] => "C:\Program Files (x86)\StormWatch\StormWatchApp.exe"
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
Startup: C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
ShortcutTarget: hqghumeaylnlf.lnk -> C:\ProgramData\{747a8e78-1f33-7ed6-747a-a8e781f339e0}\hqghumeaylnlf.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1382067847-4211843049-822856409-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=58051076_oem_dg&ch=33
Toolbar: HKLM - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\IEToolbar64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} - C:\Program Files (x86)\TNT2\2.0.0.1966\ietoolbar.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: No Name - C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\vzq6f0r7.default\extensions\toolbar11067@freshy.com.xpi [Not Found]
S2 StormWatch Update Service; "C:\Program Files (x86)\StormWatch\StormWatchSrv.exe" [X]
S2 SWUpdater; No ImagePath
S1 swsenfd_1_10_0_13; system32\drivers\swsenfd_1_10_0_13.sys [X]
C:\Program Files (x86)\Itibiti Soft Phone
C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
Task: {302C0F87-4C17-42E4-B507-94F6E062FC74} - \KwRunAsStdUser Task26226 No Task File <==== ATTENTION
Task: {3254A673-925C-4941-94D3-275298B7B427} - \KwRunAsStdUser Task29865 No Task File <==== ATTENTION
Task: {4808BCB5-C544-4740-899C-02B2106D5179} - System32\Tasks\UpdateAdmin => C:\Users\Howard\AppData\Local\UpdateAdmin\UpdateAdmin.exe <==== ATTENTION
Task: {54BBCD56-59FC-43DB-9B98-08E803706D65} - \KwRunAsStdUser Task859 No Task File <==== ATTENTION
Task: {93E4689E-992C-46D6-A8E5-D884AAD7883E} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {9868366A-321D-43C8-83FE-EAC97553BB5D} - \KwRunAsStdUser Task29209 No Task File <==== ATTENTION
Task: {CA26DC86-3D83-4A36-8410-37F066ABD8B1} - \KwRunAsStdUser Task29872 No Task File <==== ATTENTION
Task: {EF5291DD-4846-458D-A323-1C7E6DAF842E} - \KwRunAsStdUser Task29215 No Task File <==== ATTENTION

End
*****************

Processes closed successfully.
C:\ProgramData\NetEngine\bin\D6\netengine.exe => No running process found
C:\ProgramData\NetEngine\bin\D6\netengine.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NWEReboot => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\StormWatch => value deleted successfully.
HKU\S-1-5-21-1382067847-4211843049-822856409-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Itibiti.exe => value deleted successfully.
C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk => Moved successfully.
C:\ProgramData\{747a8e78-1f33-7ed6-747a-a8e781f339e0}\hqghumeaylnlf.exe not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1382067847-4211843049-822856409-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}" => Key deleted successfully.
HKCR\CLSID\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} => value deleted successfully.
"HKCR\CLSID\{7343D7F5-9EB3-41FA-A1D0-78CABCD5F083}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{7343D7F5-9EB3-41FA-A1D0-78CABCD5F083} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{7343D7F5-9EB3-41FA-A1D0-78CABCD5F083}" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\vzq6f0r7.default\extensions\toolbar11067@freshy.com.xpi not found.
StormWatch Update Service => Service deleted successfully.
SWUpdater => Service deleted successfully.
swsenfd_1_10_0_13 => Service deleted successfully.
"C:\Program Files (x86)\Itibiti Soft Phone" => File/Directory not found.
"C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{302C0F87-4C17-42E4-B507-94F6E062FC74}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{302C0F87-4C17-42E4-B507-94F6E062FC74}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KwRunAsStdUser Task26226" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3254A673-925C-4941-94D3-275298B7B427}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3254A673-925C-4941-94D3-275298B7B427}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KwRunAsStdUser Task29865" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4808BCB5-C544-4740-899C-02B2106D5179}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4808BCB5-C544-4740-899C-02B2106D5179}" => Key deleted successfully.
C:\Windows\System32\Tasks\UpdateAdmin => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdateAdmin" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{54BBCD56-59FC-43DB-9B98-08E803706D65}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{54BBCD56-59FC-43DB-9B98-08E803706D65}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KwRunAsStdUser Task859" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{93E4689E-992C-46D6-A8E5-D884AAD7883E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{93E4689E-992C-46D6-A8E5-D884AAD7883E}" => Key deleted successfully.
C:\Windows\System32\Tasks\LaunchSignup => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchSignup" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9868366A-321D-43C8-83FE-EAC97553BB5D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9868366A-321D-43C8-83FE-EAC97553BB5D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KwRunAsStdUser Task29209" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CA26DC86-3D83-4A36-8410-37F066ABD8B1}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA26DC86-3D83-4A36-8410-37F066ABD8B1}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KwRunAsStdUser Task29872" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EF5291DD-4846-458D-A323-1C7E6DAF842E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF5291DD-4846-458D-A323-1C7E6DAF842E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KwRunAsStdUser Task29215" => Key deleted successfully.
EmptyTemp: => Removed 978.1 MB temporary data.

The system needed a reboot.

==== End of Fixlog 10:46:37 ====

 

# AdwCleaner v4.201 - Logfile created 18/04/2015 at 10:53:40
# Updated 08/04/2015 by Xplode
# Database : 2015-04-18.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Howard - HOWARD-PC
# Running from : C:\Users\Howard\Desktop\adwcleaner_4.201.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : bd0001
[#] Service Deleted : bd0004
Service Deleted : BDSGRTP

***** [ Files / Folders ] *****

Folder Deleted : C:\CrimeWatch
Folder Deleted : C:\ProgramData\baidu
Folder Deleted : C:\ProgramData\Browser
Folder Deleted : C:\ProgramData\NetEngine
Folder Deleted : C:\ProgramData\2b89e07c00005e43
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\speed browser
Folder Deleted : C:\Program Files (x86)\baidu
Folder Deleted : C:\Program Files (x86)\speed browser
[!] Folder Deleted : C:\Program Files (x86)\Common Files\baidu
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\baidu
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\StormWatch
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\speed browser
Folder Deleted : C:\Users\Howard\AppData\Local\speed browser
Folder Deleted : C:\Users\Howard\AppData\LocalLow\baidu
Folder Deleted : C:\Users\Howard\AppData\LocalLow\iac
Folder Deleted : C:\Users\Howard\AppData\Roaming\baidu
File Deleted : C:\Users\Howard\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\speed browser.lnk
File Deleted : C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url

***** [ Scheduled tasks ] *****

Task Deleted : gameo_update

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\VideoDownloadConverter_4z.ToolbarProtector
Key Deleted : HKLM\SOFTWARE\Classes\VideoDownloadConverter_4z.ToolbarProtector.1
Key Deleted : HKLM\SOFTWARE\0664f92f-5a0c-d8cb-cda3-18ed85216153
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3719959C-1CCD-4FA7-8EBB-7D9DED86FCCB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{37923200-6887-4B44-95D4-CAE8F83ECFEE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A86782D8-7B41-452F-A217-1854F72DBA54}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38122A36-83B2-46B8-B39A-EC72A4614A07}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{38122A36-83B2-46B8-B39A-EC72A4614A07}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1AD2049E-E483-4425-8555-8E0775ACB631}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2D73F2D0-2FAB-458E-977D-2F9050E0ED60}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3E9469AF-E866-4476-B767-810630F1F6E7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{47700C35-9E3E-4DAD-934C-0CE28A87237C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{716E443D-7CAA-44F1-866B-F45D00E712CC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{72063D77-7590-4DA9-A7F8-F5ECAF3632C4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{7FC87AC5-FA93-476E-A32C-A941229DED0B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{CA021789-C8CD-4676-BC40-90077A19D5CD}
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\gameo
Key Deleted : HKCU\Software\Baidu
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Baidu
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\SpeedBrowser
Key Deleted : HKLM\SOFTWARE\Baidu
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\search.tb.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\videodownloadconverter.dl.tb.ask.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17728

-\\ Mozilla Firefox v34.0.5 (x86 en-US)

-\\ Google Chrome v41.0.2272.101

[C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : gaklecphgkijookgheachpgdkeminped
[C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : aeljlhkkoipjimklndofjoafhpccdfjo
[C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Default_Search_Provider_Data] : hxxps://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}",
         "usage_count": 0
      }
   },
   "extensions": {
      "settings": {
         "aapocclcgogkmnckokdopfmhonfmgoek": {
            "ack_external": true,
            "active_permissions": {
               "api": [  ],
               "manifest_permissions": [  ]
            },
            "app_launcher_ordinal": "zs",
            "commands": {

            },
            "content_settings": [  ],
            "creation_flags": 137,
            "events": [  ],
            "from_bookmark": false,
            "from_webstore": true,
            "granted_permissions": {
               "api": [  ],
               "manifest_permissions": [  ]
            },
            "incognito_content_settings": [  ],
            "incognito_preferences": {

            },
            "initial_keybindings_set": true,
            "install_time": "13067498220900405",
            "lastpingday": "13072777205343267",
            "location": 1,
            "manifest": {
               "api_console_project_id": "889782162350",
               "app": {
                  "launch": {
                     "local_path": "main.html"
                  }
               },
               "container": "GOOGLE_DRIVE",
               "current_locale": "en_US",
               "default_locale": "en_US",
               "description": "Create and edit presentations ",
               "icons": {
                  "128": "icon_128.png",
                  "16": "icon_16.png"
               },
               "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB",
               "manifest_version": 2,
               "name": "Google Slides",
               "offline_enabled": true,
               "update_url": "hxxps://clients2.google.com/service/update2/crx",
               "version": "0.9"
            },
            "page_ordinal": "n",
            "path": "aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0",
            "preferences": {

            },
            "regular_only_preferences": {

            },
            "state": 1,
            "was_installed_by_default": true,
            "was_installed_by_oem": false
         },
         "aeljlhkkoipjimklndofjoafhpccdfjo": {
            "active_permissions": {
               "api": [ "contextMenus", "cookies", "downloads", "downloadsInternal", "history", "management", "tabs" ],
               "explicit_host": [ "chrome://favicon/*", "hxxp://*/*", "hxxp://127.0.0.1/*", "hxxp://localhost/*", "hxxps://*/*" ],
               "manifest_permissions": [  ],
               "scriptable_host": [ "hxxp://*/*", "hxxp://ak.imgfarm.com/images/toolbar/radio/radioWrapper.html", "hxxp://videodownloadconverter.dl.tb.ask.com/blank.jhtml

*************************

AdwCleaner[R0].txt - [8244 bytes] - [18/04/2015 10:51:53]
AdwCleaner[S0].txt - [8140 bytes] - [18/04/2015 10:53:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8199  bytes] ##########
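
AdwCleaner's report above spilled part of Chrome's Secure Preferences file into the log, and that spill happens to show exactly the fields worth checking when deciding whether an extension is adware: active_permissions (the API list plus explicit_host and scriptable_host patterns), from_webstore, location and was_installed_by_default. As an added example (not AdwCleaner's code and not from the original post), the Python below parses a document in that shape and ranks extensions by those signals. The sample is constructed: the Google Slides entry mirrors the log; the second entry carries the API and host permissions the log shows for extension aeljlhkkoipjimklndofjoafhpccdfjo, while its name, from_webstore and location values are assumptions, because the log cut off before them. The hxxp obfuscation in the log is undone to real http patterns so the match logic sees what Chrome stores.

```python
"""Rank Chrome extensions from a Secure Preferences dump by risk.

Added example for this thread; not AdwCleaner's code. It walks the
"extensions" -> "settings" map that AdwCleaner spilled into the log
above and scores each extension on what Chrome recorded about it.
Read-only on purpose: Secure Preferences is covered by HMACs, so a hand
edit makes Chrome reject the tampered values at the next start.
"""
import json

# Constructed sample in the shape of the dump above. The Google Slides
# entry mirrors the log; the second entry has the API and host permissions
# the log shows for it, plus assumed values for fields the log cut off
# (manifest name, from_webstore, location).
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aapocclcgogkmnckokdopfmhonfmgoek": {
                "active_permissions": {"api": [], "manifest_permissions": []},
                "from_webstore": True,
                "location": 1,
                "was_installed_by_default": True,
                "manifest": {"name": "Google Slides", "version": "0.9"},
            },
            "aeljlhkkoipjimklndofjoafhpccdfjo": {
                "active_permissions": {
                    "api": ["contextMenus", "cookies", "downloads", "downloadsInternal",
                            "history", "management", "tabs"],
                    "explicit_host": ["chrome://favicon/*", "http://*/*",
                                      "http://127.0.0.1/*", "http://localhost/*", "https://*/*"],
                    "scriptable_host": ["http://*/*",
                                        "http://ak.imgfarm.com/images/toolbar/radio/radioWrapper.html"],
                },
                "from_webstore": False,   # assumed; not visible in the log
                "location": 3,            # assumed; EXTERNAL_REGISTRY side-load
                "was_installed_by_default": False,
                "manifest": {"name": "Toolbar (constructed)", "version": "1.0"},
            },
        }
    }
})

# Extension APIs that expose or steer the whole browsing session.
SENSITIVE_APIS = {"cookies", "history", "management", "tabs", "downloads",
                  "webRequest", "webRequestBlocking", "proxy", "privacy"}

# Chromium Manifest::Location values for installs that came from outside
# the profile (external pref file or the Windows registry): the usual
# adware side-load path. 2 = EXTERNAL_PREF, 3 = EXTERNAL_REGISTRY,
# 6 = EXTERNAL_PREF_DOWNLOAD.
SIDELOAD_LOCATIONS = {2, 3, 6}


def covers_all_sites(pattern):
    """True for match patterns that reach every http(s) origin."""
    return pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def score_extension(ext_id, settings):
    """Return a finding: one reason per risk signal, score = number of reasons."""
    perms = settings.get("active_permissions", {})
    apis = set(perms.get("api", []))
    hosts = perms.get("explicit_host", []) + perms.get("scriptable_host", [])
    reasons = []
    sensitive = sorted(apis & SENSITIVE_APIS)
    if sensitive:
        reasons.append("sensitive APIs: " + ", ".join(sensitive))
    if any(covers_all_sites(h) for h in hosts):
        reasons.append("runs on all sites")
    if not settings.get("from_webstore", False):
        reasons.append("not installed from the Chrome Web Store")
    if settings.get("location") in SIDELOAD_LOCATIONS:
        reasons.append("side-loaded via external pref/registry")
    return {
        "id": ext_id,
        "name": settings.get("manifest", {}).get("name", "?"),
        "score": len(reasons),
        "reasons": reasons,
    }


def triage(secure_preferences_json):
    """Parse a Secure Preferences document and return findings, riskiest first."""
    settings = json.loads(secure_preferences_json).get("extensions", {}).get("settings", {})
    findings = [score_extension(ext_id, ext) for ext_id, ext in settings.items()]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_SECURE_PREFERENCES):
        print(finding["score"], finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

The script reads but never writes the file: Chrome keeps an HMAC over these tracked preference values, and a hand edit is detected and discarded when the browser next starts. Removal goes through chrome://extensions, Chrome's own settings reset, or a cleaner that understands the file format, as was done here.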



#4 nasdaq


  • Malware Response Team

Posted 18 April 2015 - 12:44 PM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq


  • Malware Response Team

Posted 24 April 2015 - 10:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



