
My chrome is infected, ads by "tremendous sale", and redirects constantly :(


  • This topic is locked
9 replies to this topic

#1 pinkyton

pinkyton

  • Members
  • 4 posts
  • OFFLINE

Posted 11 May 2015 - 01:48 AM

Hi! I've obviously downloaded the wrong thing or done something wrong, as my Chrome seems to be infected by some sort of adware or hijacker. It's pretty unusable right now. The symptoms are:

  • Ads by Tremendous Sale appear all over any website I go to, including BleepingComputer, often changing the formatting of the site by creating large embedded video ads and other animated ads.
  • Some words in text appear as a highlighted link, kind of like a description I read of the Wordfly adware (but I'm not sure if it is Wordfly).
  • When I click on a link in a website, I will be redirected to an ad site. These seem to vary randomly.
  • Running adw doesn't detect anything.
  • Occasionally adware extensions seem to get spontaneously installed in Chrome. I'm sorry I can't remember what they were; it hasn't happened for a couple of days.
  • Resetting Chrome settings seems to help the problem temporarily. I have just done this to enable me to type this post. (I hope the processes are still running so that they can be identified though?)

Any insight into what I can do would be most appreciated! Thank you!

 

Paul 

 

Here is my FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-05-2015
Ran by Paul (administrator) on PAUL-PC on 11-05-2015 15:58:41
Running from C:\Users\Paul\Desktop\Adware killers
Loaded Profiles: Paul (Available profiles: Paul)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchService.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
() C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
() C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Spotify Ltd) C:\Users\Paul\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(D-Link Corp.) C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.3.0\bin\EpmNews.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Google Inc.) C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5028464 2012-01-12] (VIA)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-27] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-09-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.3.0\bin\EpmNews.exe [2081792 2013-03-29] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM-x32\...\RunOnce: [EasyTuneVI] => C:\Program Files (x86)\GIGABYTE\ET6\ETCall.exe [40960 2012-02-01] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4246592776-3161640138-2750102386-1000\...\Run: [Spotify Web Helper] => C:\Users\Paul\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2020920 2015-04-30] (Spotify Ltd)
HKU\S-1-5-21-4246592776-3161640138-2750102386-1000\...\Run: [Spotify] => C:\Users\Paul\AppData\Roaming\Spotify\Spotify.exe [7168568 2015-04-30] (Spotify Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Wireless Connection Manager.lnk [2012-10-15]
ShortcutTarget: Wireless Connection Manager.lnk -> C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe (D-Link Corp.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4246592776-3161640138-2750102386-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4246592776-3161640138-2750102386-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKU\S-1-5-21-4246592776-3161640138-2750102386-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
FireFox:
========
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll [2012-07-25] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2011-12-01] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2011-12-01] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-12-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-12-20] (Oracle Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-07-19] (VideoLAN)
FF Plugin-x32: @wacom.com/wacom-plugin,version=1.1.0.5 -> C:\Program Files (x86)\TabletPlugins\npwacom.dll [2010-09-02] (Wacom, Inc.)
FF Plugin HKU\S-1-5-21-4246592776-3161640138-2750102386-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Paul\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin HKU\S-1-5-21-4246592776-3161640138-2750102386-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Paul\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-26]
CHR Extension: (Google Docs) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-26]
CHR Extension: (Google Drive) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-02]
CHR Extension: (YouTube) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-04-26]
CHR Extension: (Google Search) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-26]
CHR Extension: (Google Sheets) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-26]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-29]
CHR Extension: (Google Wallet) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-10]
CHR Extension: (Gmail) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-26]
StartMenuInternet: Google Chrome.4SCO4GGUDFQJFMZKCU5D7UP56M - C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160256 2011-08-30] (Intel Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2012-01-11] (VIA Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WlanWpsSvc; C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [167936 2008-06-26] () [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21616 2011-11-02] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [17480 2013-03-07] () [File not signed]
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [13896 2013-03-07] () [File not signed]
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [9800 2013-03-07] () [File not signed]
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [9160 2013-03-07] () [File not signed]
R3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2015-05-11] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-11 15:58 - 2015-05-11 15:58 - 00000000 ____D () C:\FRST
2015-05-11 01:01 - 2015-05-11 01:05 - 00000000 ____D () C:\Users\Paul\Desktop\temp photos
2015-05-11 00:53 - 2015-05-11 00:51 - 00005555 ____N () C:\Users\Paul\Desktop\passdroid_db.xml
2015-05-09 20:31 - 2015-05-11 01:14 - 00000000 ____D () C:\Users\Paul\Desktop\RSU poster
2015-05-09 13:53 - 2015-05-11 15:25 - 00000004 _____ () C:\Windows\SysWOW64\GVTunner.ref
2015-05-06 16:29 - 2015-05-06 16:29 - 00014816 _____ () C:\ComboFix.txt
2015-05-04 23:55 - 2015-05-11 15:30 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-04 23:55 - 2015-05-04 23:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-04 23:55 - 2015-05-04 23:55 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-05-04 23:55 - 2015-05-04 23:55 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-05-04 23:55 - 2015-04-14 09:47 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-05-04 23:55 - 2015-04-14 09:46 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-05-04 23:55 - 2015-04-14 09:46 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-04-27 07:24 - 2015-05-11 15:58 - 00000000 ____D () C:\Users\Paul\Desktop\Adware killers
2015-04-26 00:36 - 2015-05-11 15:23 - 00000000 ____D () C:\AdwCleaner
2015-04-26 00:34 - 2015-04-26 00:34 - 02224640 _____ () C:\Users\Paul\Downloads\adwcleaner_4.202.exe
2015-04-26 00:33 - 2015-04-26 00:34 - 21547816 _____ (Malwarebytes Corporation ) C:\Users\Paul\Downloads\mbam-setup.exe
2015-04-26 00:06 - 2015-05-06 16:29 - 00000000 ____D () C:\Qoobox
2015-04-26 00:06 - 2015-04-26 00:11 - 00000000 ____D () C:\Windows\erdnt
2015-04-26 00:06 - 2011-06-26 16:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-26 00:06 - 2010-11-08 03:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-26 00:06 - 2009-04-20 14:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-26 00:06 - 2000-08-31 10:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-26 00:06 - 2000-08-31 10:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-26 00:06 - 2000-08-31 10:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-26 00:06 - 2000-08-31 10:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-26 00:06 - 2000-08-31 10:00 - 00068096 _____ () C:\Windows\zip.exe
2015-04-25 23:57 - 2015-04-25 23:59 - 05619466 _____ (Swearware) C:\Users\Paul\Downloads\ComboFix.exe
2015-04-17 21:53 - 2015-04-17 22:15 - 00000000 ____D () C:\Users\Paul\Downloads\backups
2015-04-17 21:47 - 2015-04-17 21:49 - 00010327 _____ () C:\Users\Paul\Downloads\hijackthis.log
2015-04-17 21:47 - 2015-04-17 21:47 - 00003120 _____ () C:\Windows\System32\Tasks\{E4792BF5-63A2-4AEA-89E9-86DA41585041}
2015-04-13 02:48 - 2015-04-13 02:48 - 00003200 _____ () C:\Windows\System32\Tasks\{01EC2755-717E-4153-9021-B742B7AF79EE}
2015-04-13 02:28 - 2015-04-13 02:28 - 00226566 _____ () C:\Users\Paul\AppData\Local\census.cache
2015-04-13 02:28 - 2015-04-13 02:28 - 00102972 _____ () C:\Users\Paul\AppData\Local\ars.cache
2015-04-13 02:12 - 2015-04-13 02:12 - 02406064 _____ (Trend Micro Inc.) C:\Users\Paul\Downloads\HousecallLauncher64.exe
2015-04-13 02:12 - 2015-04-13 02:12 - 00000036 _____ () C:\Users\Paul\AppData\Local\housecall.guid.cache
2015-04-12 15:49 - 2015-05-09 20:18 - 00000020 _____ () C:\Users\Paul\AppData\Roaming\appdataFr3.bin
2015-04-12 15:22 - 2015-04-13 02:30 - 00000000 ____D () C:\Program Files (x86)\IncludeMaker
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-11 15:32 - 2009-07-14 14:45 - 00021856 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-11 15:32 - 2009-07-14 14:45 - 00021856 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-11 15:28 - 2012-07-25 14:04 - 01257863 _____ () C:\Windows\WindowsUpdate.log
2015-05-11 15:26 - 2014-07-09 23:10 - 00000000 ____D () C:\Users\Paul\AppData\Roaming\Spotify
2015-05-11 15:26 - 2014-07-09 23:10 - 00000000 ____D () C:\Users\Paul\AppData\Local\Spotify
2015-05-11 15:25 - 2012-07-25 14:55 - 00030528 _____ () C:\Windows\GVTDrv64.sys
2015-05-11 15:25 - 2012-07-25 14:55 - 00025640 _____ (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys
2015-05-11 15:25 - 2009-07-14 15:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-11 15:25 - 2009-07-14 14:51 - 00108209 _____ () C:\Windows\setupact.log
2015-05-11 15:20 - 2012-08-17 18:19 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246592776-3161640138-2750102386-1000UA.job
2015-05-11 02:00 - 2012-07-25 14:27 - 00000000 ____D () C:\Users\Paul\AppData\Local\Adobe
2015-05-10 20:32 - 2009-07-14 15:13 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-09 13:53 - 2010-11-21 13:47 - 00013456 _____ () C:\Windows\PFRO.log
2015-05-06 17:53 - 2012-09-16 03:46 - 00000000 ____D () C:\Users\Paul\AppData\Roaming\vlc
2015-05-06 16:28 - 2009-07-14 12:34 - 00000215 _____ () C:\Windows\system.ini
2015-05-06 15:54 - 2012-08-17 18:19 - 00000000 ____D () C:\Users\Paul\AppData\Local\Google
2015-05-05 00:19 - 2015-03-05 00:19 - 00000000 ____D () C:\Users\Paul\AppData\Roaming\DVDVideoSoft
2015-04-26 23:40 - 2013-10-17 09:06 - 00000000 ____D () C:\Users\Paul\AppData\Local\CutePDF Writer
2015-04-26 19:20 - 2012-08-17 18:19 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246592776-3161640138-2750102386-1000Core.job
2015-04-26 00:12 - 2009-07-14 13:20 - 00000000 __RHD () C:\Users\Default
2015-04-17 21:45 - 2012-07-25 14:03 - 00000000 ____D () C:\Users\Paul\AppData\Local\VirtualStore
 
==================== Files in the root of some directories =======
 
2014-08-25 02:28 - 2014-08-25 02:33 - 0000132 _____ () C:\Users\Paul\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-04-12 15:49 - 2015-05-09 20:18 - 0000020 _____ () C:\Users\Paul\AppData\Roaming\appdataFr3.bin
2012-09-22 03:03 - 2012-09-22 03:03 - 0001456 _____ () C:\Users\Paul\AppData\Local\Adobe Save for Web 12.0 Prefs
2015-04-13 02:28 - 2015-04-13 02:28 - 0102972 _____ () C:\Users\Paul\AppData\Local\ars.cache
2015-04-13 02:28 - 2015-04-13 02:28 - 0226566 _____ () C:\Users\Paul\AppData\Local\census.cache
2015-04-13 02:12 - 2015-04-13 02:12 - 0000036 _____ () C:\Users\Paul\AppData\Local\housecall.guid.cache
2015-04-13 02:49 - 2015-04-13 02:49 - 0011732 _____ () C:\Users\Paul\AppData\Local\Temp-log.txt
 
Some content of TEMP:
====================
C:\Users\Paul\AppData\Local\Temp\Quarantine.exe
C:\Users\Paul\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-26 04:23
 
==================== End Of Log ============================


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 11 May 2015 - 07:46 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

STEP 1

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

 

We need to downgrade Google Chrome to the latest stable release. The adware has updated your browser to the developer version where Chrome internal checks are disabled and the adware will reinstall the malicious extensions periodically again if not downgraded...

Make sure that you export your passwords and favorites/bookmarks if you have any before you proceed with the steps below.

Check the links below for more information:

How to Export Bookmarks from Chrome

How To Backup Saved Passwords In Google Chrome Browse

 

Create a new Restore Point before you proceed just in case.

Now please download and install Revo Uninstaller 1.95.
Then please run Revo Uninstaller and select Google Chrome.
Please click Uninstall icon to uninstall the selected program.
Please choose Advanced.
Then click Next and follow the prompts.
Please click Select All and Delete to delete all registry items, folders and files listed by Revo.
If asked to restart the computer, please do so.

STEP 2

Now you can reinstall Google Chrome to the latest stable build Google Chrome 42.0.2311.135 Stable and let me know how things are now.

STEP 3

Run a new scan with FRST (make sure that Addition.txt is checked before you press the SCAN button) and then post both logs in your next reply for my review.

Regards,

Georgi
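The FRST log in the first post and Georgi's reading of its ATTENTION lines (the Chrome dev build and the policy restriction under HKLM\SOFTWARE\Policies\Google) are what a helper scans by eye. The script below is an added example, not code from this thread, from FRST or from BleepingComputer: it parses the plain-text FRST.txt layout exactly as it appears above (main sections framed by '=' runs, sub-sections such as "Chrome:" followed by a rule of '=', the "<======= ATTENTION" marker, the "[File not signed]" tag, and "CHR Extension:" lines) and produces a triage summary. The function and class names (parse_frst, summarize, Triage) are this example's own, the sample log is a constructed excerpt modelled on Paul's log, and what gets flagged is the example's heuristic, not FRST's.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs.

Added example for this thread, not code from FRST or BleepingComputer. It relies
only on conventions visible in the posted log: '==== Name ====' main section
headers, 'Name:' followed by a line of '=' for sub-sections, the
'<======= ATTENTION' marker FRST appends to suspicious entries, the
'[File not signed]' tag on services/drivers, and 'CHR Extension:' lines.
What is flagged, and how, is this example's own heuristic, not FRST's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ATTENTION = "<======= ATTENTION"
UNSIGNED = "[File not signed]"
POLICY_MARK = ": Policy restriction"
RULE_RE = re.compile(r"^=+$")                        # bare '=======' under 'Chrome:'
MAIN_SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # '==== Registry (Whitelisted) ===='
EXT_RE = re.compile(r"^CHR Extension: \((.*?)\) - (.*?) \[(\d{4}-\d{2}-\d{2})\]$")


@dataclass
class Triage:
    attention: List[Tuple[str, str]] = field(default_factory=list)        # (section, entry)
    unsigned: List[Tuple[str, str]] = field(default_factory=list)         # (section, entry)
    extensions: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, id, date)
    policy_restrictions: List[str] = field(default_factory=list)          # registry paths
    chrome_dev_build: bool = False


def parse_frst(text: str) -> Triage:
    """Walk the log once, tracking the current section, and collect findings."""
    t = Triage()
    section = "Header"
    prev = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RULE_RE.match(line):          # a bare '=====' names the line above it
            section = prev.rstrip(":")
            continue
        m = MAIN_SECTION_RE.match(line)
        if m:
            section = m.group(1)
            prev = line
            continue
        if line.endswith(ATTENTION):
            entry = line[: -len(ATTENTION)].rstrip()
            t.attention.append((section, entry))
            if entry.startswith("CHR dev:"):
                t.chrome_dev_build = True
            if POLICY_MARK in entry:
                path = entry.split(POLICY_MARK, 1)[0]
                if path.startswith("CHR "):  # FRST prefixes Chrome items with 'CHR '
                    path = path[4:]
                t.policy_restrictions.append(path)
        if line.endswith(UNSIGNED):
            t.unsigned.append((section, line[: -len(UNSIGNED)].rstrip()))
        m = EXT_RE.match(line)
        if m:
            name, path, date = m.groups()
            # The last path component is the 32-character extension id.
            t.extensions.append((name, path.rsplit("\\", 1)[-1], date))
        prev = line
    return t


def summarize(t: Triage) -> List[str]:
    """Human-readable triage lines, most important first."""
    out = []
    if t.chrome_dev_build:
        out.append("Chrome is on the dev channel: plan a reinstall of the stable build "
                   "and check what changed the channel")
    for path in t.policy_restrictions:
        out.append(f"Policy restriction under {path}: compare against policies you set yourself")
    for section, entry in t.attention:
        out.append(f"ATTENTION [{section}] {entry}")
    for section, entry in t.unsigned:
        out.append(f"UNSIGNED [{section}] {entry}")
    for name, ext_id, date in t.extensions:
        out.append(f"EXTENSION {name} ({ext_id}) last written {date}")
    return out


# Constructed excerpt modelled on the FRST.txt posted in this thread (not the full log).
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-05-2015
==================== Registry (Whitelisted) ==================
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Extension: (Google Docs) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-26]
CHR Extension: (Gmail) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-26]
==================== Services (Whitelisted) =================
R3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160256 2011-08-30] (Intel Corporation) [File not signed]
R2 WlanWpsSvc; C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [167936 2008-06-26] () [File not signed]
==================== Drivers (Whitelisted) ====================
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [17480 2013-03-07] () [File not signed]
==================== End Of Log ============================
"""

if __name__ == "__main__":
    for item in summarize(parse_frst(SAMPLE_LOG)):
        print(item)
```

Run it against a real FRST.txt by reading the file into parse_frst; the section name carried with each finding is what lets you tell a policy restriction in the Registry section apart from one in the Internet section, which is the distinction Georgi makes when he quotes the Chrome block separately.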




#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 13 May 2015 - 11:46 AM

Hi,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.

Thank you for your understanding.


Regards,
Georgi




#4 pinkyton

pinkyton
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 14 May 2015 - 12:01 PM

Hi Georgi, sorry for the slow response; I have been offline since Tuesday morning. I appreciate your help, the problem still exists. I will do the steps above right now and post the log below.

 

thanks

Paul 



#5 pinkyton

pinkyton
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 14 May 2015 - 12:25 PM

Hi Georgi, here are my new FRST logs:

 

Attached File: Addition.txt (29.51KB, 1 download)
Attached File: FRST.txt.txt (21.68KB, 1 download)



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 14 May 2015 - 05:09 PM

Hi Paul,

 

 

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Let me know how things are after the fix above.

 

 

Regards,

Georgi




#7 pinkyton

pinkyton
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 15 May 2015 - 05:24 AM

Hi Georgi, OK, I have run Fix in FRST and it seems that the computer is running much better. In fact I am getting none of the problems I mentioned in the original post! :)

 

Thank you very much for your help so far, you have helped me out so much. I have attached the fixlog below:

 

 

Attached File: Fixlog.txt (19.22KB, 2 downloads)

 

Is there anything else I should do?

 

Thanks

Paul 



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 15 May 2015 - 07:28 AM

Hi,

 

Let's check for malware leftovers:

STEP 1

Please download Malwarebytes Anti-Malware 2.1.6.1022 Final to your desktop.
 

  • Double-click mbam-setup-2.1.6.1022.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your reply.

STEP 2

1. Please download HitmanPro.

  • For 32-bit Operating System - (download link)
  • This is the mirror - (mirror link)
  • For 64-bit Operating System - (download link)
  • This is the mirror - (mirror link)

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users: right click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report, and copy and paste it into your next reply.

 

Note: Programdata is hidden by default. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

STEP 3

  • Download Emsisoft Emergency Kit, run the exe and extract the content to a folder of your choice (like C:\EEK) by clicking the Extract button.
  • Double-click the desktop shortcut called Start Emsisoft Emergency Kit to start the tool.
  • Click on the "Yes" button when asked to obtain the latest malware definitions.
  • Once the update is complete, click "Scan".
  • Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
  • Next click on Full Scan. When the scan is complete, click on the View Report button (don't delete or quarantine anything).
  • Please copy and paste the content of the report in your next reply.

 

 

Regards,

Georgi




#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 20 May 2015 - 12:55 AM

Hi,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.
Thank you for your understanding!


Regards,
Georgi




#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 25 May 2015 - 03:33 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





