Avast URL:Mal Infection


5 replies to this topic

#1 eelnosaj

eelnosaj

  • Members
  • 3 posts

Posted 29 May 2015 - 11:38 AM

Hi,

 

I'm running Windows 8 and recently, Avast keeps popping up the following:

 

Avast Web Shield has blocked a harmful webpage or file.
 
Infection: URL:Mal
Process: C:\Windows\explorer.exe
 
Before I found this site, I followed the advice of some sites and have used the following programs to try to get rid of this infection but to no avail.
 
I've run: adwcleaner, JRT and HitmanPro.
I've also reset Chrome's settings to default.
 
Please help. Thank you.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,774 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2015 - 08:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

The IP address 109.236.91.206 is located in the Netherlands. Is this address from your Internet Provider?
http://whatismyipaddress.com/ip/109.236.91.206

===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===


Wait for further instructions.
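As an added example (not part of this thread, and not code from Malwarebytes or Farbar), here is a small Python parser for the logs these steps produce: it reads the MBAM 2.x threat-scan format ("<threat>, <path>, <action>, [<id>],"), checks that each section's printed count matches the lines actually pasted, lists the Delete-on-Reboot items that explain the restart request above, and cross-references MBAM's registry detections against FRST entries that still point at "No File". The two log excerpts are constructed samples modelled on the logs posted later in this thread.

```python
"""Parse a Malwarebytes Anti-Malware 2.x threat-scan log plus an FRST excerpt,
check the per-section counts, and flag what still needs attention."""
import re
from collections import Counter

# Constructed excerpt modelled on the MBAM log posted in this thread (the
# bracketed ids are MBAM's own detection ids as they appear in such logs).
MBAM_LOG = r"""Malwarebytes Anti-Malware
Scan Type: Threat Scan
Objects Scanned: 484786

Processes: 0
(No malicious items detected)

Registry Keys: 1
Trojan.Sathurbot, HKLM\SOFTWARE\CLASSES\CLSID\{3B5B973C-92A4-4855-9D3F-0F3D23332208}, Quarantined, [5612b8e11575d462e17b2f6f62a1b050], 

Folders: 2
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor, Delete-on-Reboot, [2b3d89103e4ce84e8a45f5eac73c7a86], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache, Quarantined, [2b3d89103e4ce84e8a45f5eac73c7a86], 

Files: 3
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll, Delete-on-Reboot, [5612b8e11575d462e17b2f6f62a1b050], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll, Delete-on-Reboot, [ce9a80199af0ce682edc5cfa38cae51b], 
Riskware.Keygen, C:\Windows\AutoKMS.exe, Quarantined, [a7c14f4a2a60de5812b38659c13feb15], 
"""

# Constructed FRST excerpt modelled on the FRST.txt posted in this thread.
FRST_LOG = r"""==================== Registry (Whitelisted) ==================
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2014-10-23] (AVAST Software)
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  No File
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
"""

# "Registry Keys: 1", "Files: 5", ... (also matches "Objects Scanned: N", which
# is harmless: a section is only recorded once a result line follows it).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+): (?P<count>\d+)$")
# "<threat>, <path>, <action>, [<32 hex id>],"  (trailing space stripped first)
DETECTION_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>.+), "
                          r"(?P<action>[A-Za-z-]+(?: [A-Za-z-]+)*), "
                          r"\[(?P<id>[0-9a-f]{32})\],?$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


def parse_mbam(text):
    """Return (detections, declared): detections are dicts with section, name,
    path, action and id; declared maps each result section to MBAM's count."""
    detections, declared, section, count = [], {}, None, 0
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section, count = header.group("section"), int(header.group("count"))
        elif section and line == "(No malicious items detected)":
            declared[section] = count
        elif section and (m := DETECTION_RE.match(line)):
            declared[section] = count
            detections.append({"section": section, **m.groupdict()})
    return detections, declared


def count_mismatches(detections, declared):
    """Sections whose printed count differs from the lines actually parsed:
    anything here means a truncated paste or a line the regex did not fit."""
    found = Counter(d["section"] for d in detections)
    return {s: (n, found[s]) for s, n in declared.items() if found[s] != n}


def pending_reboot(detections):
    """Items MBAM could not remove while Windows was running; they are only
    gone after the restart, which is why the helper asks for it immediately."""
    return [d["path"] for d in detections if d["action"] == "Delete-on-Reboot"]


def orphaned_clsids(frst_text):
    """CLSID -> FRST line for registry entries whose target is 'No File':
    the key survives although the component it pointed to is gone."""
    orphans = {}
    for line in frst_text.splitlines():
        if line.rstrip().endswith("No File"):
            m = CLSID_RE.search(line)
            if m:
                orphans[m.group(0).upper()] = line.strip()
    return orphans


def cross_reference(detections, orphans):
    """CLSIDs MBAM acted on under a registry path that FRST still lists as
    orphaned: leftovers worth including in a follow-up fix."""
    acted = {c.upper() for d in detections for c in CLSID_RE.findall(d["path"])}
    return sorted(acted & set(orphans))


if __name__ == "__main__":
    dets, declared = parse_mbam(MBAM_LOG)
    print(f"{len(dets)} detections, mismatches: {count_mismatches(dets, declared)}")
    for path in pending_reboot(dets):
        print("needs reboot:", path)
    for clsid in cross_reference(dets, orphaned_clsids(FRST_LOG)):
        print("still referenced in FRST:", clsid)
```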

#3 eelnosaj

eelnosaj
  • Topic Starter

  • Members
  • 3 posts

Posted 31 May 2015 - 12:15 PM

Thanks nasdaq. Your help is very much appreciated.
 
===
109.236.91.206 is not from my Internet Provider
===
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 31/05/2015
Scan Time: 11:52:35 PM
Logfile: malbyte log 31052015.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.29.04
Rootkit Database: v2015.05.24.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: jason
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 484786
Time Elapsed: 41 min, 3 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
Trojan.Sathurbot, HKLM\SOFTWARE\CLASSES\CLSID\{3B5B973C-92A4-4855-9D3F-0F3D23332208}, Quarantined, [5612b8e11575d462e17b2f6f62a1b050], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 5
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor, Delete-on-Reboot, [2b3d89103e4ce84e8a45f5eac73c7a86], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache, Quarantined, [2b3d89103e4ce84e8a45f5eac73c7a86], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache\cache, Quarantined, [2b3d89103e4ce84e8a45f5eac73c7a86], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache\data, Quarantined, [2b3d89103e4ce84e8a45f5eac73c7a86], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\temp, Quarantined, [2b3d89103e4ce84e8a45f5eac73c7a86], 
 
Files: 5
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll, Delete-on-Reboot, [5612b8e11575d462e17b2f6f62a1b050], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll, Delete-on-Reboot, [ce9a80199af0ce682edc5cfa38cae51b], 
Riskware.Keygen, C:\Windows\AutoKMS.exe, Quarantined, [a7c14f4a2a60de5812b38659c13feb15], 
RiskWare.Tool.CK, C:\Windows\KMSEmulator.exe, Quarantined, [95d3ff9a4b3fbe783e4d14c2b25014ec], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache\zepplauncher.mif, Quarantined, [2b3d89103e4ce84e8a45f5eac73c7a86], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
===
 

# AdwCleaner v4.205 - Logfile created 01/06/2015 at 00:54:52
# Updated 21/05/2015 by Xplode
# Database : 2015-05-21.2 [Local]
# Operating system : Windows 8.1 Pro  (x64)
# Username : jason - JASON-PC
# Running from : D:\Downloads\adwcleaner_4.205.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
[x] Not Deleted : C:\ProgramData\KingSoft
[x] Not Deleted : C:\Program Files (x86)\KingSoft
[x] Not Deleted : C:\Program Files (x86)\Common Files\tencent
Folder Deleted : C:\Users\jason\AppData\Roaming\KingSoft
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v33.1.1 (x86 en-US)
 
 
-\\ Google Chrome v43.0.2357.81
 
[C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [7400 bytes] - [29/05/2015 21:46:53]
AdwCleaner[R1].txt - [1228 bytes] - [01/06/2015 00:48:42]
AdwCleaner[S0].txt - [7323 bytes] - [29/05/2015 21:49:55]
AdwCleaner[S1].txt - [1166 bytes] - [01/06/2015 00:54:52]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1225  bytes] ##########
 
===
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-05-2015
Ran by jason (administrator) on JASON-PC on 01-06-2015 00:59:44
Running from C:\Users\jason\Desktop\FRST
Loaded Profiles: jason & UpdatusUser (Available Profiles: jason & UpdatusUser & DefaultAppPool)
Platform: Windows 8.1 Pro (X64) OS Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(Microsoft Corporation) C:\Windows\System32\InputMethod\CHS\ChsIME.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\Program Files (x86)\Connectify\ConnectifyService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Connectify) C:\Program Files (x86)\Connectify\Connectifyd.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Pharos Systems International) C:\Program Files (x86)\PharosSystems\Core\CTskMstr.exe
(Chris Pietschmann (http://pietschsoft.com)) C:\Program Files (x86)\Virtual Router\VirtualRouterService.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\BCMWLTRY.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Barracuda Networks, Inc.) C:\Users\jason\AppData\Roaming\Copy\CopyAgent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1156712 2011-11-15] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-01-18] (IvoSoft)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2890056 2014-04-02] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1829768 2012-02-08] (Acer Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-01-31] (Realtek Semiconductor)
HKLM\...\Run: [BtPreLoad] => C:\Program Files (x86)\Bluetooth Suite\BtPreLoad.exe [64640 2012-09-29] ()
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe [7138816 2013-07-21] (Broadcom Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5223016 2014-11-04] (AVAST Software)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Dolby PCEE4\pcee4.exe [506712 2011-06-02] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\WINDOWS\SYSTEM32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-03-10] (SUPERAntiSpyware)
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\Run: [Copy] => C:\Users\jason\AppData\Roaming\Copy\CopyAgent.exe [15410832 2015-04-10] (Barracuda Networks, Inc.)
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\Run: [MiPhoneManager] => C:\Users\jason\AppData\Local\MiPhoneManager\main\MiPhoneHelper.exe [146224 2015-02-13] ()
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {2c3ce38c-12f8-11e4-bed2-089e011d31da} - "F:\Install.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {679ec80e-c6d6-11e3-bec6-089e011d31da} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {679ec89c-c6d6-11e3-bec6-089e011d31da} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {6a5123a2-2801-11e3-be92-089e011d31da} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {7295d66d-e583-11e3-becd-089e011d31da} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {89cab626-bb46-11e3-bec0-446d57551b1e} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {91563969-b87a-11e3-beb5-446d57fcdefd} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {96fd2df5-9f82-11e4-bef2-089e011d31da} - "F:\HTC_Sync_Manager_PC.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {9e72ace6-3b43-11e4-bedd-089e011d31da} - "F:\HTC_Sync_Manager_PC.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {b873be34-bd67-11e3-bec1-446d57551b1e} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {c8d846c4-5fef-11e4-bee3-089e011d31da} - "G:\LaunchU3.exe" -a
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {e10a0478-9af8-11e4-bef2-089e011d31da} - "F:\LaunchU3.exe" -a
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {e86a4828-bce9-11e3-bec0-446d57551b1e} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {f896cdb5-0c8c-11e3-be8e-089e011d31da} - "F:\AutoRun.exe" 
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\MountPoints2: {f896ce2f-0c8c-11e3-be8e-089e011d31da} - "F:\AutoRun.exe" 
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [168616 2013-09-05] (NVIDIA Corporation)
AppInit_DLLs: , C:\WINDOWS\system32\nvinitx.dll => C:\WINDOWS\system32\nvinitx.dll [168616 2013-09-05] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\WINDOWS\SysWOW64\nvinit.dll => C:\WINDOWS\SysWOW64\nvinit.dll [141336 2013-09-05] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2014-04-02]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-11-16]
ShortcutTarget: Dropbox.lnk -> C:\Users\jason\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
SSODL: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\WINDOWS\system32\SSCbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\WINDOWS\SysWow64\SSCbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2014-10-23] (AVAST Software)
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  No File
ShellIconOverlayIdentifiers: [1aCopyShExtError] -> {83BEA36E-7680-4598-A4DF-994426F6E78D} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [2aCopyShExtSynced] -> {845B7388-6F85-4F32-9FD5-F02DC7882B89} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [3aCopyShExtSyncing] -> {F6378A7A-F753-449B-AE1B-997A96132E61} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [4aCopyShExtSyncingProg1] -> {3A511828-777D-46F8-82F4-5B530C1B3D9E} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [5aCopyShExtSyncingProg2] -> {C8C88204-5B14-40EC-BA72-8AEBC762047E} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [6aCopyShExtSyncingProg3] -> {ACFF45C3-3EEB-4351-86C2-6696BA264239} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [7aCopyShExtSyncingProg4] -> {29AF997F-488B-46F0-AE78-7146F1B89CC3} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [8aCopyShExtSyncingProg5] -> {03F9AD29-1C78-4B66-8890-B177B5430C53} => C:\Users\jason\AppData\Roaming\Copy\overlay\CopyShExt.dll [2015-01-13] (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {69925D1B-6A0F-4413-861A-81AB98039DB9} => C:\WINDOWS\system32\SSCbFsMntNtf3.dll [2013-01-30] (EldoS Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-01-18] (IvoSoft)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\x64\SugarSyncShellExt_x64.dll [2014-01-23] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\x64\SugarSyncShellExt_x64.dll [2014-01-23] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {39D54CC2-69CF-43b4-B167-577D25E7F496} => C:\Program Files (x86)\SugarSync\x64\SugarSyncShellExt_x64.dll [2014-01-23] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\x64\SugarSyncShellExt_x64.dll [2014-01-23] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncSharedPending] -> {F7395C2E-A5D8-4a32-9536-5C6A9F1DC450} => C:\Program Files (x86)\SugarSync\x64\SugarSyncShellExt_x64.dll [2014-01-23] (SugarSync, Inc.)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {69925D1B-6A0F-4413-861A-81AB98039DB9} => C:\WINDOWS\SysWow64\SSCbFsMntNtf3.dll [2013-01-30] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-01-18] (IvoSoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSERT1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSERT1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?pc=MSERT1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?pc=MSERT1
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://go.microsoft.com/fwlink/?linkid=42826
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = http://go.microsoft.com/fwlink/?linkid=42826
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
HKU\S-1-5-21-3141717527-54564842-4007439130-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
HKU\S-1-5-21-3141717527-54564842-4007439130-1009\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSERT1
URLSearchHook: [S-1-5-21-3141717527-54564842-4007439130-1009] ATTENTION ==> Default URLSearchHook is missing
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3141717527-54564842-4007439130-1009 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-01-18] (IvoSoft)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-09-29] (Qualcomm Atheros Commnucations)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2014-10-23] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-01-18] (IvoSoft)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-01-18] (IvoSoft)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2013-12-18] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-10-23] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files (x86)\Free Download Manager\iefdm2.dll [2014-11-13] (FreeDownloadManager.ORG)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-06-08] (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2013-12-18] (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-01-18] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-01-18] (IvoSoft)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-06-08] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-01-18] (IvoSoft)
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\Windows\System32\urlmon.dll [2015-01-12] (Microsoft Corporation)
Filter-x32: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\Windows\SysWOW64\urlmon.dll [2015-01-12] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.19.0.6 172.19.0.5
Tcpip\..\Interfaces\{893E455F-C094-4C90-BA6F-435786AC4910}: [NameServer] 10.14.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\pu1s1oxc.default
FF Homepage: https://mail.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll [2013-07-27] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll [2013-07-27] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-12-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2013-12-18] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @qq.com/npqscall -> C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll [2013-07-19] (Tencent)
FF Plugin-x32: @qq.com/QQlive -> C:\Program Files (x86)\Tencent\QQLive\9.2.283.0\npQQLive.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-18] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-18] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2013-04-15] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-12-21] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3141717527-54564842-4007439130-1001: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\jason\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-3141717527-54564842-4007439130-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Extension: SaveFrom.net helper - C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\pu1s1oxc.default\Extensions\helper@savefrom.net.xpi [2015-01-30]
FF Extension: DVDVideoSoft YouTube MP3 and Video Download - C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\pu1s1oxc.default\Extensions\{B64D9B05-48E1-4CEB-BF58-E0643994E900}.xpi [2015-01-13]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-10-23]
FF HKLM-x32\...\Firefox\Extensions: [fdm_ffext@freedownloadmanager.org] - C:\Program Files (x86)\Free Download Manager\Firefox\Extension
FF Extension: Free Download Manager plugin - C:\Program Files (x86)\Free Download Manager\Firefox\Extension [2014-12-05]
FF HKU\S-1-5-21-3141717527-54564842-4007439130-1001\...\Firefox\Extensions: [fdm_ffext@freedownloadmanager.org] - C:\ProgramData\Free Download Manager\Firefox\Extensions\1.7.3.1
FF Extension: Free Download Manager plugin - C:\ProgramData\Free Download Manager\Firefox\Extensions\1.7.3.1 [2015-04-13]
 
Chrome: 
=======
CHR Profile: C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-01-21]
CHR Extension: (Google Drive) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-01-21]
CHR Extension: (YouTube) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-01-21]
CHR Extension: (APK Downloader) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgihflhdpokeobcfimliamffejfnmfii [2014-08-28]
CHR Extension: (Google Search) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-01-21]
CHR Extension: (Bookmark Manager) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-05-19]
CHR Extension: (Avast Online Security) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-10-24]
CHR Extension: (Kindle Cloud Reader) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2013-09-10]
CHR Extension: (Pocket Website) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\jijgclgmgjipgefcnnnibgllfonlfdap [2013-08-06]
CHR Extension: (Secure Mail for Gmail (by Streak)) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\jngdnjdobadbdemillgljnnbpomnfokn [2013-12-29]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-07]
CHR Extension: (Google Wallet) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-08]
CHR Extension: (APK Downloader) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\obhlfmheblhjhkmacldlhdnbgbaiigba [2014-11-20]
CHR Extension: (No Name) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk [2015-02-16]
CHR Extension: (Gmail) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-01-21]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-10-23]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-09-11] (SUPERAntiSpyware.com)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [220288 2012-09-29] (Qualcomm Atheros Commnucations) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-10-23] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2014-10-23] (Avast Software)
R2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2252088 2014-04-02] (Broadcom Corporation.)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [402192 2014-04-13] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [385808 2014-04-13] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [770832 2014-04-13] (BlueStack Systems, Inc.)
R2 Connectify; C:\Program Files (x86)\Connectify\ConnectifyService.exe [65536 2012-08-10] () [File not signed]
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [101192 2014-04-02] (ELAN Microelectronics Corp.)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.0\App Certification Kit\fussvc.exe [139776 2012-07-25] (Microsoft Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-07] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S3 KSafeSvc; C:\Program files (x86)\Kingsoft\PCDoctor\KSafeSvc.exe [290720 2012-04-11] (Kingsoft Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 MSMQ; C:\Windows\system32\mqsvc.exe [25600 2014-03-30] (Microsoft Corporation)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [256536 2012-01-06] (NTI Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 Pharos Systems ComTaskMaster; C:\Program Files (x86)\PharosSystems\Core\CTskMstr.exe [290816 2009-08-12] (Pharos Systems International) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [126976 2012-07-25] (Microsoft Corporation) [File not signed]
R2 Virtual Router; C:\Program Files (x86)\Virtual Router\VirtualRouterService.exe [12288 2013-02-10] (Chris Pietschmann (http://pietschsoft.com)) [File not signed]
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-03-30] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [546304 2014-03-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe [5824512 2013-07-21] (Broadcom Corporation) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-10-23] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-11-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-10-23] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-10-23] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-11-22] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-10-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-10-23] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-10-23] ()
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [165688 2014-04-02] (Broadcom Corporation.)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [8536752 2013-07-02] (Broadcom Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [121616 2014-04-13] (BlueStack Systems)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-09-29] (Qualcomm Atheros)
S3 BthA2DP; C:\Windows\system32\drivers\BthA2DP.sys [131584 2013-08-22] (Microsoft Corporation)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-05] (Microsoft Corporation)
R1 cnnctfy2; C:\Windows\system32\DRIVERS\cnnctfy2.sys [31344 2013-01-22] (Connectify)
U5 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [246224 2009-12-07] (Huawei Technologies Co., Ltd.)
S3 HtcVCom32; C:\Windows\system32\DRIVERS\HtcVComV64.sys [121800 2010-03-09] (QUALCOMM Incorporated)
S3 hwusbdev; C:\Windows\system32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [173568 2014-03-30] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SSCBFS3; C:\Windows\System32\drivers\sscbfs3.sys [347904 2013-01-30] (EldoS Corporation)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [270728 2014-10-23] (Avast Software)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
U3 idsvc; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-01 00:59 - 2015-06-01 00:59 - 00000000 ____D () C:\FRST
2015-06-01 00:58 - 2015-06-01 00:58 - 00001305 _____ () C:\Users\jason\Desktop\AdwCleaner[S1].txt
2015-05-31 23:50 - 2015-06-01 00:59 - 00000000 ____D () C:\Users\jason\Desktop\FRST
2015-05-30 00:55 - 2015-06-01 00:45 - 00136408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-05-30 00:54 - 2015-05-30 00:54 - 00001078 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-30 00:54 - 2015-05-30 00:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-30 00:54 - 2015-05-30 00:54 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-05-30 00:54 - 2015-05-30 00:54 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-05-30 00:54 - 2015-04-14 09:38 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-05-30 00:54 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-05-30 00:54 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-05-29 22:18 - 2015-05-29 22:46 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-05-29 22:11 - 2015-05-29 22:11 - 00002873 _____ () C:\Users\jason\Desktop\JRT.txt
2015-05-29 22:02 - 2015-05-29 22:02 - 00000207 _____ () C:\WINDOWS\tweaking.com-regbackup-JASON-PC-Windows-8.1-Pro-(64-bit).dat
2015-05-29 22:02 - 2015-05-29 22:02 - 00000000 ____D () C:\RegBackup
2015-05-29 21:46 - 2015-06-01 00:54 - 00000000 ____D () C:\AdwCleaner
2015-05-27 08:31 - 2015-05-28 18:17 - 00000000 ____D () C:\Users\jason\Desktop\CWF KM Training
2015-05-27 08:29 - 2015-05-27 08:29 - 00000000 ____D () C:\Users\jason\Desktop\HDR-CX180
2015-05-22 18:37 - 2015-05-04 16:30 - 00524288 _____ (Simon Tatham) C:\Users\jason\Desktop\putty.exe
2015-05-22 14:28 - 2015-05-22 14:31 - 00014163 ____H () C:\Users\jason\Desktop\~WRL2449.tmp
2015-05-22 14:00 - 2015-05-22 14:00 - 00015622 ____H () C:\Users\jason\Desktop\~WRL2534.tmp
2015-05-18 15:56 - 2015-05-22 18:39 - 00000600 _____ () C:\Users\jason\AppData\Local\PUTTY.RND
2015-05-18 15:33 - 2015-05-18 15:33 - 00000000 ____H () C:\Users\jason\Documents\Default.rdp
2015-05-18 12:15 - 2015-05-18 12:15 - 00013047 ____H () C:\Users\jason\Desktop\~WRL0006.tmp
2015-05-03 20:01 - 2015-05-03 21:10 - 00000000 ____D () C:\CWF Mod 1 ZZ
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-01 01:00 - 2013-08-22 23:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-06-01 00:58 - 2014-10-23 17:26 - 00004182 _____ () C:\WINDOWS\System32\Tasks\avast! Emergency Update
2015-06-01 00:58 - 2014-03-29 23:30 - 01184805 _____ () C:\WINDOWS\WindowsUpdate.log
2015-06-01 00:58 - 2014-02-15 13:09 - 00000000 ____D () C:\Users\jason\AppData\Roaming\Copy
2015-06-01 00:56 - 2013-01-21 22:35 - 00000920 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-01 00:56 - 2013-01-03 08:52 - 00000828 _____ () C:\WINDOWS\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-06-01 00:55 - 2014-12-16 21:56 - 00052892 _____ () C:\WINDOWS\setupact.log
2015-06-01 00:55 - 2013-11-14 12:34 - 00073388 _____ () C:\WINDOWS\PFRO.log
2015-06-01 00:55 - 2013-08-22 22:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-06-01 00:48 - 2014-03-30 01:29 - 00000000 ____D () C:\Users\jason\AppData\Roaming\ClassicShell
2015-06-01 00:40 - 2013-01-23 11:36 - 00000000 ____D () C:\Users\jason\AppData\Roaming\uTorrent
2015-06-01 00:04 - 2013-01-21 22:35 - 00000924 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-31 23:44 - 2013-01-23 00:45 - 00000000 ____D () C:\Users\jason\AppData\Roaming\vlc
2015-05-31 23:22 - 2014-05-14 10:58 - 00003926 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{DC207418-9495-46AF-A8AA-BFBA47A2CED2}
2015-05-31 23:01 - 2013-10-05 22:52 - 00000946 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3141717527-54564842-4007439130-1001UA.job
2015-05-31 23:01 - 2013-10-05 22:52 - 00000924 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3141717527-54564842-4007439130-1001Core.job
2015-05-31 20:45 - 2014-12-05 22:03 - 00000000 ____D () C:\Users\jason\AppData\Roaming\Free Download Manager
2015-05-31 16:57 - 2013-12-05 16:47 - 00000000 ____D () C:\Users\jason\AppData\Roaming\ExpressVPN
2015-05-31 07:47 - 2013-11-14 20:43 - 00994064 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-05-30 23:34 - 2013-08-22 23:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
2015-05-30 16:46 - 2013-01-03 08:52 - 00000830 _____ () C:\WINDOWS\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-05-30 12:26 - 2013-02-28 15:16 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3141717527-54564842-4007439130-1001
2015-05-30 11:37 - 2013-08-22 23:36 - 00000000 ____D () C:\WINDOWS\Performance
2015-05-29 22:02 - 2013-08-22 23:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-05-29 21:11 - 2013-08-22 21:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-05-28 18:03 - 2013-02-16 23:34 - 00000020 ____H () C:\ProgramData\PKP_DLev.DAT
2015-05-28 16:42 - 2013-01-21 11:48 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-05-23 18:37 - 2014-09-20 23:10 - 00000000 ____D () C:\Users\jason\Desktop\LWS
2015-05-18 12:15 - 2014-03-29 23:40 - 00000000 ____D () C:\Users\jason
2015-05-18 10:59 - 2013-01-21 22:35 - 00003896 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-05-18 10:59 - 2013-01-21 22:35 - 00003660 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-03 21:51 - 2014-11-06 19:02 - 00000000 ____D () C:\Users\jason\Desktop\To Read
 
==================== Files in the root of some directories =======
 
2013-02-16 23:22 - 2015-03-05 17:06 - 0000000 _____ () C:\Users\jason\AppData\Roaming\Filters
2013-02-16 23:33 - 2015-03-05 17:16 - 0000268 ___RH () C:\Users\jason\AppData\Roaming\Font Book
2015-03-05 17:16 - 2015-03-05 17:16 - 0000268 ___RH () C:\Users\jason\AppData\Roaming\Fonts
2013-02-16 23:34 - 2015-03-05 17:16 - 0000268 ___RH () C:\Users\jason\AppData\Roaming\Framework
2015-03-05 17:15 - 2015-03-05 17:15 - 0000268 ___RH () C:\Users\jason\AppData\Roaming\Guides
2014-11-18 18:17 - 2014-12-06 08:30 - 0099384 _____ () C:\Users\jason\AppData\Roaming\inst.exe
2014-11-18 18:17 - 2014-12-06 08:30 - 0007859 _____ () C:\Users\jason\AppData\Roaming\pcouffin.cat
2014-11-18 18:17 - 2014-12-06 08:30 - 0001167 _____ () C:\Users\jason\AppData\Roaming\pcouffin.inf
2014-11-18 18:17 - 2014-12-06 08:30 - 0000055 _____ () C:\Users\jason\AppData\Roaming\pcouffin.log
2014-11-18 18:17 - 2014-12-06 08:30 - 0082816 _____ (VSO Software) C:\Users\jason\AppData\Roaming\pcouffin.sys
2014-08-01 11:03 - 2014-10-24 23:42 - 0003072 _____ () C:\Users\jason\AppData\Roaming\Photobook Designer Prefsv3
2014-10-09 22:06 - 2014-10-09 22:06 - 0003584 _____ () C:\Users\jason\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-21 11:40 - 2014-04-02 12:17 - 0022523 _____ () C:\Users\jason\AppData\Local\HWVendorDetection.log
2015-05-18 15:56 - 2015-05-22 18:39 - 0000600 _____ () C:\Users\jason\AppData\Local\PUTTY.RND
2014-10-03 23:53 - 2014-12-13 14:57 - 0007598 _____ () C:\Users\jason\AppData\Local\Resmon.ResmonCfg
2013-03-01 18:04 - 2013-03-01 18:40 - 0000033 _____ () C:\Users\jason\AppData\Local\rssbuilder.config
2013-01-03 09:19 - 2013-01-03 09:21 - 0002454 _____ () C:\ProgramData\clear.fiSDK20.log
2015-03-05 17:06 - 2015-03-05 17:07 - 0000000 _____ () C:\ProgramData\Error Handlers
2015-03-05 17:07 - 2015-03-05 17:07 - 0000000 _____ () C:\ProgramData\Folder Actions Handlers
2015-03-05 17:07 - 2015-03-05 17:07 - 0000000 _____ () C:\ProgramData\Fonts
2015-03-05 17:16 - 2015-03-05 17:16 - 0000268 ___RH () C:\ProgramData\Fruit
2015-03-05 17:16 - 2015-03-05 17:16 - 0000268 ___RH () C:\ProgramData\Funk Animals
2014-07-11 20:00 - 2014-07-11 20:00 - 0000452 _____ () C:\ProgramData\GADump.txt
2015-03-05 17:16 - 2015-03-05 17:16 - 0000268 ___RH () C:\ProgramData\Galactic Static
2015-03-05 17:15 - 2015-03-05 17:16 - 0000012 ___RH () C:\ProgramData\Halftone
2015-03-05 17:16 - 2015-03-05 17:16 - 0000012 ___RH () C:\ProgramData\Helper Scripts
2015-03-05 17:16 - 2015-03-05 17:16 - 0000012 ___RH () C:\ProgramData\Home
2015-03-05 17:15 - 2015-03-05 17:15 - 0000012 ___RH () C:\ProgramData\Jingles
2013-02-16 23:22 - 2015-03-05 17:06 - 0000000 ____H () C:\ProgramData\PKP_DLdu.DAT
2015-03-05 17:15 - 2015-03-05 17:15 - 0000020 ____H () C:\ProgramData\PKP_DLeo.DAT
2013-02-16 23:36 - 2015-03-05 17:16 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2013-02-16 23:33 - 2015-03-28 23:22 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2013-02-16 23:34 - 2015-05-28 18:03 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
2013-01-03 09:20 - 2013-01-03 09:20 - 0000032 _____ () C:\ProgramData\PS.log
 
Some files in TEMP:
====================
C:\Users\jason\AppData\Local\Temp\bassmod.dll
C:\Users\jason\AppData\Local\Temp\DataCard_Setup64.exe
C:\Users\jason\AppData\Local\Temp\Free3DVideoMaker.exe
C:\Users\jason\AppData\Local\Temp\FreeAudioCDToMP3Converter.exe
C:\Users\jason\AppData\Local\Temp\FreeAudioEditor.exe
C:\Users\jason\AppData\Local\Temp\FreeAVIVideoConverter.exe
C:\Users\jason\AppData\Local\Temp\FreeDVDVideoBurner.exe
C:\Users\jason\AppData\Local\Temp\FreeDVDVideoConverter.exe
C:\Users\jason\AppData\Local\Temp\FreeStudio.exe
C:\Users\jason\AppData\Local\Temp\FreeVideoCallRecorder.exe
C:\Users\jason\AppData\Local\Temp\FreeVideoEditor.exe
C:\Users\jason\AppData\Local\Temp\FreeVideoFlipAndRotate.exe
C:\Users\jason\AppData\Local\Temp\FreeVideoToMP3Converter.exe
C:\Users\jason\AppData\Local\Temp\Quarantine.exe
C:\Users\jason\AppData\Local\Temp\ResetDevice.exe
C:\Users\jason\AppData\Local\Temp\SkypeSetup.exe
C:\Users\jason\AppData\Local\Temp\sqlite3.dll
C:\Users\jason\AppData\Local\Temp\tmp137C.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-05-30 11:49
 
==================== End of log ============================

#4 nasdaq

  • Malware Response Team
  • 38,774 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2015 - 01:18 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  No File
URLSearchHook: [S-1-5-21-3141717527-54564842-4007439130-1009] ATTENTION ==> Default URLSearchHook is missing
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
FF Plugin-x32: @qq.com/npqscall -> C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll [2013-07-19] (Tencent)
FF Plugin-x32: @qq.com/QQlive -> C:\Program Files (x86)\Tencent\QQLive\9.2.283.0\npQQLive.dll No File
FF Plugin HKU\S-1-5-21-3141717527-54564842-4007439130-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Extension: DVDVideoSoft YouTube MP3 and Video Download - C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\pu1s1oxc.default\Extensions\{B64D9B05-48E1-4CEB-BF58-E0643994E900}.xpi [2015-01-13]
CHR Extension: (Avast Online Security) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-10-24]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-10-23]
U3 idsvc; No ImagePath
AlternateDataStreams: C:\Users\jason\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\jason\SkyDrive (2).old:ms-properties
AlternateDataStreams: C:\Users\jason\AppData\Local:7ufcY9cRcV56YlLxBVPDLrDXd
AlternateDataStreams: C:\Users\jason\AppData\Local\Temp:pd8VywFsi31uVfYqmjT

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right of Google Chrome.

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

If the problem persists with the IP address, it may be that your router is compromised.


Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

===
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

How is the computer running now?

#5 eelnosaj

  • Topic Starter
  • Members
  • 3 posts

Posted 01 June 2015 - 02:04 AM

Thanks a lot nasdaq. It is working fine now. There are no more pop-ups from Avast about the URL:Mal infection.

===

When I first ran TFC, I received a blue screen with a sad emoticon, and the words "Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you. (100% complete) If you'd like to know more, you can search online later for this error: CRITICAL_PROCESS_DIED"

I restarted and ran TFC again and it's fine. After the reboot, there seem to be no more pop-ups from Avast.

===

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-05-2015
Ran by jason at 2015-06-01 12:59:55 Run:1
Running from C:\Users\jason\Desktop\FRST
Loaded Profiles: jason & UpdatusUser (Available Profiles: jason & UpdatusUser & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  No File
URLSearchHook: [S-1-5-21-3141717527-54564842-4007439130-1009] ATTENTION ==> Default URLSearchHook is missing
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
FF Plugin-x32: @qq.com/npqscall -> C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll [2013-07-19] (Tencent)
FF Plugin-x32: @qq.com/QQlive -> C:\Program Files (x86)\Tencent\QQLive\9.2.283.0\npQQLive.dll No File
FF Plugin HKU\S-1-5-21-3141717527-54564842-4007439130-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Extension: DVDVideoSoft YouTube MP3 and Video Download - C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\pu1s1oxc.default\Extensions\{B64D9B05-48E1-4CEB-BF58-E0643994E900}.xpi [2015-01-13]
CHR Extension: (Avast Online Security) - C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-10-24]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-10-23]
U3 idsvc; No ImagePath
AlternateDataStreams: C:\Users\jason\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\jason\SkyDrive (2).old:ms-properties
AlternateDataStreams: C:\Users\jason\AppData\Local:7ufcY9cRcV56YlLxBVPDLrDXd
AlternateDataStreams: C:\Users\jason\AppData\Local\Temp:pd8VywFsi31uVfYqmjT
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0PerformanceMonitor" => key Removed successfully
HKCR\CLSID\{3B5B973C-92A4-4855-9D3F-0F3D23332208} => key not found. 
Could not restore Default URLSearchHook.
"HKCR\PROTOCOLS\Handler\gopher" => key Removed successfully
HKCR\CLSID\{79eac9e4-baf9-11ce-8c82-00aa004ba90b} => key not found. 
"HKCR\PROTOCOLS\Filter\deflate" => key Removed successfully
HKCR\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311} => key not found. 
"HKCR\PROTOCOLS\Filter\gzip" => key Removed successfully
HKCR\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311} => key not found. 
"HKCR\PROTOCOLS\Filter\lzdhtml" => key Removed successfully
HKCR\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311} => key not found. 
"HKLM\Software\Wow6432Node\MozillaPlugins\@qq.com/npqscall" => key Removed successfully
C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll => Moved successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@qq.com/QQlive" => key Removed successfully
"HKU\S-1-5-21-3141717527-54564842-4007439130-1001\Software\MozillaPlugins\ubisoft.com/uplaypc" => key Removed successfully
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll not found.
C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\pu1s1oxc.default\Extensions\{B64D9B05-48E1-4CEB-BF58-E0643994E900}.xpi => Moved successfully.
C:\Users\jason\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key Removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
idsvc => Service Removed successfully
"C:\Users\jason\SkyDrive" => ":ms-properties" ADS not found.
"C:\Users\jason\SkyDrive (2).old" => ":ms-properties" ADS not found.
C:\Users\jason\AppData\Local => ":7ufcY9cRcV56YlLxBVPDLrDXd" ADS Removed successfully.
C:\Users\jason\AppData\Local\Temp => ":pd8VywFsi31uVfYqmjT" ADS Removed successfully.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-06-01 13:03:54)<=
 
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move
 
==== End of Fixlog 13:03:54 ====

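Both the fixlist in post #4 (built from the FRST log's "No File" and "No ImagePath" entries) and the Fixlog in the reply above can be checked mechanically. The following Python script is an added example, not code from this thread or from FRST: it parses the log and Fixlog line formats shown here, flags orphaned or unsigned entries for a helper's review, and buckets Fixlog outcomes so a line like the aswWebRepChrome.crx "Could not move" stands out. The sample lines are copied from the thread; the classification keywords are this example's own assumptions.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example; not part of this thread and not FRST's own code. It parses the
line formats visible above (Services/Drivers entries, FF plugin lines, Fixlog
result lines); the Fixlog keyword rules are assumptions, not FRST documentation.
"""
import re

# Services/Drivers entry "R2 Name; C:\path\file.exe [size date] (Vendor) [File not signed]"
# or, for a service with no binary behind it, "U3 idsvc; No ImagePath"
_SVC_RE = re.compile(r"^(?P<status>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<rest>.*)$")
_DETAIL_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>.*)\)(?P<flags>.*)$"
)
# Fixlog outcome rules, first match wins: 'Could not move "..." => Scheduled to
# move on reboot.' is pending rather than failed, so "scheduled" is tested first.
_FIXLOG_RULES = (
    ("scheduled", ("Scheduled to move on reboot",)),
    ("failed", ("Could not move", "Could not restore")),
    ("not-found", ("not found",)),
    ("success", ("successfully",)),
)

def parse_service_line(line):
    """Parse one Services/Drivers entry into a dict, or None if it is not one."""
    m = _SVC_RE.match(line.strip())
    if not m:
        return None
    entry = {"status": m.group("status"), "name": m.group("name"), "path": None,
             "size": None, "date": None, "vendor": None, "missing": False, "signed": None}
    rest = m.group("rest")
    if rest == "No ImagePath":
        entry["missing"] = True           # registry entry with no binary behind it
        return entry
    d = _DETAIL_RE.match(rest)
    if d is None:
        return entry                      # unexpected layout: keep status and name only
    entry["path"], entry["date"] = d.group("path"), d.group("date")
    entry["size"] = int(d.group("size"))
    entry["vendor"] = d.group("vendor") or None
    # FRST appends "[File not signed]" when the binary carries no valid signature
    entry["signed"] = "[File not signed]" not in d.group("flags")
    return entry

def flag_for_review(lines):
    """Return (kind, line) pairs a helper would look at first: 'No File' plugin
    entries and 'No ImagePath' services are the orphans copied verbatim into the
    fixlist above; unsigned service binaries are listed for vetting, not removal."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.endswith("No File"):
            findings.append(("orphan-file", line))
            continue
        svc = parse_service_line(line)
        if svc is None:
            continue
        if svc["missing"]:
            findings.append(("orphan-service", line))
        elif svc["signed"] is False:
            findings.append(("unsigned", line))
    return findings

def classify_fixlog(lines):
    """Bucket Fixlog result lines by outcome, skipping the echoed fixlist."""
    buckets = {"success": [], "not-found": [], "scheduled": [], "failed": [], "other": []}
    in_fixlist = False
    for raw in lines:
        text = raw.strip()
        if text.startswith("*****"):      # the fixlist echo sits between two rulers
            in_fixlist = not in_fixlist
            continue
        if in_fixlist or not text:
            continue
        for bucket, needles in _FIXLOG_RULES:
            if any(n in text for n in needles):
                buckets[bucket].append(text)
                break
        else:
            buckets["other"].append(text)
    return buckets

# Constructed samples: a few lines copied from the FRST log and Fixlog above.
SAMPLE_LOG = r"""
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [220288 2012-09-29] (Qualcomm Atheros Commnucations) [File not signed]
U3 idsvc; No ImagePath
FF Plugin-x32: @qq.com/QQlive -> C:\Program Files (x86)\Tencent\QQLive\9.2.283.0\npQQLive.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2013-04-15] (VideoLAN)
""".strip().splitlines()
SAMPLE_FIXLOG = r"""
*****************
U3 idsvc; No ImagePath
*****************
Restore point was successfully created.
"HKCR\PROTOCOLS\Handler\gopher" => key Removed successfully
HKCR\CLSID\{79eac9e4-baf9-11ce-8c82-00aa004ba90b} => key not found.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
idsvc => Service Removed successfully
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move
""".strip().splitlines()
```

Running `flag_for_review(SAMPLE_LOG)` lists the unsigned AtherosSvc binary, the idsvc service with no ImagePath and the missing QQlive plugin; `classify_fixlog(SAMPLE_FIXLOG)` leaves exactly one entry in the "failed" bucket, the Avast WebRep .crx that also failed after reboot.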

#6 nasdaq

  • Malware Response Team
  • 38,774 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2015 - 06:52 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===