Getting nonstop adware


  • This topic is locked
6 replies to this topic

#1 icychill

  • Members
  • 5 posts
  • Local time:08:32 AM

Posted 15 July 2015 - 08:54 PM

Something is wrong with my parents' computer. They must have downloaded something. They said they used CCleaner and SUPERAntiSpyware but the problem persists. I attached a HijackThis log I ran in safe mode.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:36:23 PM, on 7/15/2015
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17840)


Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\DllHost.exe
C:\Users\Obrien\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [WorkForce 610(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFJA.EXE /FU "C:\Windows\TEMP\E_SC8BB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CCleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\RunOnce: [Application Restart #3] C:\Program Files\Google\Chrome\Application\chrome.exe --flag-switches-begin --manual-enhanced-bookmarks --flag-switches-end --restore-last-session -- http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=brd&Page=&PluID=0&Pos=8956186067215566&EyeblasterID=26689931&clk=0&sct=1&dg=6067425&rtu=http%3A%2F%2Fwww.subway.com%2Fstorelocator%2Fdefault.aspx&di=0&pc=&sessionid=6693617740538154308&usercookie=u2=9362060c-db17-41a9-9430-d0a4fed663e3&OptOut=0&ebReferrer=http%3A%2F%2Fcdn.bitmedianetwork.com%2Fnetwork%2Findex-edge.html%3Ftag%3Dant%26adt%3D5%26browser%3Dchrome%26clientdata%3Dutorrent%257c3%252e4%252e2%252e37754%257c218%26page%3Dtorrent%26site%3D33049
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\system32\IntelCpHeciSvc.exe
O23 - Service: Disc Soft Lite Bus Service - Disc Soft Ltd - C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Intel® HD Graphics Control Panel Service (igfxCUIService1.0.0.0) - Intel Corporation - C:\Windows\system32\igfxCUIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - Unknown owner - C:\Windows\system32\SAgent4.exe (file missing)

--
End of file - 6041 bytes
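The O4 RunOnce entry in the log above restarts Chrome onto an ad-server URL whose parameters are percent-encoded, and the ebReferrer parameter is encoded a second time inside the first. The PowerShell below is an added example for reading such URLs; it is not part of the post and not the output of any tool used in this thread. It splits the query string, decodes each value, recurses into values that are themselves URLs, and keeps decoding plain values until no %XX sequences remain. The function name Expand-UrlQuery is chosen here for illustration; the sample URL is copied verbatim from the RunOnce line in the log.

```powershell
# Added example (not from the post or any tool in the thread): peel the nested
# percent-encoding of a redirector/ad URL and print every parameter at every
# depth. Values that are themselves URLs are expanded recursively; other values
# are decoded until no %XX sequences remain, since each redirector hop adds a layer.
function Expand-UrlQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$Depth = 0
    )
    $indent = ' ' * (2 * $Depth)
    $parts  = $Url -split '\?', 2          # scheme://host/path  and  query
    "$indent$($parts[0])"
    if ($parts.Count -lt 2) { return }

    foreach ($pair in ($parts[1] -split '&')) {
        $kv    = $pair -split '=', 2        # keep '=' inside values (usercookie=u2=...)
        $name  = $kv[0]
        $value = if ($kv.Count -gt 1) { [uri]::UnescapeDataString($kv[1]) } else { '' }

        if ($value -match '^https?://') {
            # Nested URL (rtu, ebReferrer): print its own parameters indented.
            "$indent  $name ="
            Expand-UrlQuery -Url $value -Depth ($Depth + 2)
        } else {
            # Leaf values may carry their own extra layers (%257c -> %7c -> |).
            for ($i = 0; $i -lt 5 -and $value -match '%[0-9A-Fa-f]{2}'; $i++) {
                $value = [uri]::UnescapeDataString($value)
            }
            "$indent  $name = $value"
        }
    }
}

# The URL argument of the Chrome RunOnce command line from the HijackThis log above.
$adUrl = 'http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=brd&Page=&PluID=0&Pos=8956186067215566&EyeblasterID=26689931&clk=0&sct=1&dg=6067425&rtu=http%3A%2F%2Fwww.subway.com%2Fstorelocator%2Fdefault.aspx&di=0&pc=&sessionid=6693617740538154308&usercookie=u2=9362060c-db17-41a9-9430-d0a4fed663e3&OptOut=0&ebReferrer=http%3A%2F%2Fcdn.bitmedianetwork.com%2Fnetwork%2Findex-edge.html%3Ftag%3Dant%26adt%3D5%26browser%3Dchrome%26clientdata%3Dutorrent%257c3%252e4%252e2%252e37754%257c218%26page%3Dtorrent%26site%3D33049'

Expand-UrlQuery -Url $adUrl
```

Running it shows rtu resolving to www.subway.com/storelocator/default.aspx and ebReferrer resolving to cdn.bitmedianetwork.com with browser=chrome, page=torrent and clientdata=utorrent|3.4.2.37754|218, so the ad that opened Chrome was served inside the uTorrent 3.4.2 client. The same decoding loop is what to reach for whenever a redirect chain has been forwarded through more than one hop and the interesting parameter is still showing %25 sequences after the first decode.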

#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:32 PM

Posted 16 July 2015 - 02:26 AM

Hi there,

My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 icychill

  • Topic Starter
  • Members
  • 5 posts
  • Local time:08:32 AM

Posted 16 July 2015 - 09:14 AM

OK, I ran the scanners. Attached the first two and copied the last one.

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-07-16 10:00:21
-----------------------------
10:00:21.865    OS Version: Windows 6.1.7601 Service Pack 1
10:00:21.865    Number of processors: 2 586 0x3C03
10:00:21.865    ComputerName: OBRIEN-PC  UserName: Obrien
10:00:31.212    Initialize success
10:00:31.316    VM: initialized successfully
10:00:31.316    VM: Intel CPU supported 
10:00:37.385    VM: disk I/O atapi.sys
10:03:21.759    AVAST engine defs: 15071501
10:03:39.559    The log file has been saved successfully to "C:\Users\Obrien\Desktop\aswMBR.txt"
10:04:00.662    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:04:00.678    Disk 0 Vendor:   Size: 0MB BusType: 0
10:04:00.693    Disk 0 MBR read successfully
10:04:00.693    Disk 0 MBR scan
10:04:00.724    Disk 0 Windows 7 default MBR code
10:04:00.740    Disk 0 MBR hidden
10:04:00.756    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS       953767 MB offset 206848
10:04:00.756    Disk 0 default boot code
10:04:00.787    Disk 0 scanning C:\Windows\system32\drivers
10:04:10.262    Service scanning
10:04:13.866    Service ehdrv C:\Windows\system32\DRIVERS\ehdrv.sys **LOCKED** 5
10:04:14.318    Service epfw C:\Windows\system32\DRIVERS\epfw.sys **LOCKED** 5
10:04:14.350    Service EpfwLWF C:\Windows\system32\DRIVERS\EpfwLWF.sys **LOCKED** 5
10:04:14.381    Service epfwwfp C:\Windows\system32\DRIVERS\epfwwfp.sys **LOCKED** 5
10:04:25.784    Modules scanning
10:04:25.784    Disk 0 trace - called modules:
10:04:25.816    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x852471f8]<<
10:04:25.831    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8610f648]
10:04:25.831    3 CLASSPNP.SYS[8c43559e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85c29908]
10:04:25.831    \Driver\atapi[0x85c21f38] -> IRP_MJ_CREATE -> 0x852471f8
10:04:26.580    AVAST engine scan C:\Windows
10:04:28.234    AVAST engine scan C:\Windows\system32
10:06:43.239    AVAST engine scan C:\Windows\system32\drivers
10:06:53.747    AVAST engine scan C:\Users\Obrien
10:08:51.682    File: C:\Users\Obrien\Desktop\FRST.exe  **INFECTED** Win32:Dropper-gen [Drp]
10:09:18.269    AVAST engine scan C:\ProgramData
10:09:51.065    Disk 0 statistics 2725838/0/0 @ 6.16 MB/s
10:09:51.085    Scan finished successfully
10:10:00.149    Disk 0 MBR has been saved successfully to "C:\Users\Obrien\Desktop\MBR.dat"
10:10:00.155    The log file has been saved successfully to "C:\Users\Obrien\Desktop\aswMBR.txt"
 
 

FRST log and Addition log

Attached Files


Edited by icychill, 16 July 2015 - 09:15 AM.


#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:32 PM

Posted 17 July 2015 - 04:03 AM

Disable CD Emulation with DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
 

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware



  • If not already installed, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

Attached Files


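The fixlist attached to this post targets, among other things, scheduled-task registrations that FRST marks "No Task File": the Task Scheduler's registry cache (TaskCache) still lists the task, but its XML definition under %SystemRoot%\System32\Tasks is gone, typically a leftover of uninstalled software or of an earlier partial cleanup. The PowerShell below is an added example, not part of this thread and not FRST's own code. It enumerates the TaskCache, reports registrations whose task file or Tasks\{GUID} key is missing, and with -Remove deletes the same set of keys the Fixlog in the following reply shows FRST removing per task (the trigger key under Plain, Logon or Boot, Tasks\{GUID}, and Tree\<name>). It assumes the standard Task Scheduler 2.0 registry layout of Windows 7 and later, must be run from an elevated PowerShell prompt, and is report-only by default. The rule that a Tree key counts as a task only when it carries an Index value and has no subkeys is a safeguard chosen here so that task folders are never touched.

```powershell
# Added example (not from this thread, not FRST code): list Task Scheduler
# registrations whose task-definition file is missing, the state FRST reports
# as "No Task File", and optionally remove them the way the Fixlog shows.
# Report-only unless -Remove is given. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$cache    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

# Tree\<folder>\<name> holds one key per registered task with an Id value (a GUID).
# The same GUID names Tasks\{GUID} and the trigger-type key Plain\{GUID},
# Logon\{GUID} or Boot\{GUID}; the XML definition lives at System32\Tasks\<folder>\<name>.
$orphans = Get-ChildItem -Path "$cache\Tree" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        # Folders under Tree also carry an Id; only tasks have an Index value and
        # no subkeys. Skip anything else so a folder is never reported or removed.
        if (-not $props.Id -or $null -eq $props.Index -or $_.SubKeyCount -gt 0) { return }

        $id       = $props.Id
        $relPath  = $_.Name -replace '^.*\\TaskCache\\Tree\\', ''
        $taskFile = Join-Path $taskRoot $relPath
        $trigKeys = @('Plain', 'Logon', 'Boot') |
            ForEach-Object { "$cache\$_\$id" } |
            Where-Object { Test-Path -LiteralPath $_ }

        New-Object PSObject -Property @{
            Task        = "\$relPath"
            Id          = $id
            TaskFile    = $taskFile
            FileMissing = (-not (Test-Path -LiteralPath $taskFile -PathType Leaf))
            TasksKey    = (Test-Path -LiteralPath "$cache\Tasks\$id")
            TriggerKeys = @($trigKeys)
            TreeKey     = $_.PSPath
        }
    } |
    Where-Object { $_.FileMissing -or -not $_.TasksKey }

if (-not $orphans) {
    Write-Host 'No orphaned task registrations found.'
} else {
    $orphans | Format-Table Task, Id, FileMissing, TasksKey -AutoSize
}

if ($Remove) {
    foreach ($o in $orphans) {
        # Same key set the Fixlog shows FRST removing for each task:
        # trigger key(s), Tasks\{GUID}, then the Tree\<name> entry.
        $keys = @($o.TriggerKeys) + @("$cache\Tasks\$($o.Id)", $o.TreeKey)
        foreach ($k in $keys) {
            if ($k -and (Test-Path -LiteralPath $k)) {
                Remove-Item -LiteralPath $k -Recurse -Force
                Write-Host "removed $k"
            }
        }
    }
}
```

Run it once without -Remove and read the list before deleting anything: a task whose file is missing cannot run, so removing its registration is safe, but the list is also a useful record of what software left the entries behind (the RealDownloader upgrade tasks and the two GUID-named tasks in this case). Like FRST, the script deletes registry keys only; if a task file does exist under System32\Tasks it is left alone.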

#5 icychill

  • Topic Starter
  • Members
  • 5 posts
  • Local time:08:32 AM

Posted 17 July 2015 - 11:04 AM

Fixlog

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Obrien at 2015-07-17 09:50:05 Run:1
Running from C:\Users\Obrien\Desktop
Loaded Profiles: Obrien (Available Profiles: Obrien)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Task: {194B0DD7-08E3-4642-8AFB-2E20EB585D29} - \RealDownloaderRealUpgradeLogonTaskS-1-5-21-644934550-1969336876-3547299378-1001 No Task File <==== ATTENTION
Task: {2A598CF6-05B2-4EB3-BBE7-265A0357FCE0} - \RealDownloaderRealUpgradeScheduledTaskS-1-5-21-644934550-1969336876-3547299378-1001 No Task File <==== ATTENTION
Task: {66939F77-AD08-4B0C-97DD-09F0EA004D6A} - \c527a1a1-c8cb-4997-bef6-7b2f1be04ec0-1-6 No Task File <==== ATTENTION
Task: {7E39B3E9-E821-4E84-BEDF-9061F4D0E21D} - \{CE1E396D-1B8F-4FA3-90BA-9ECA8C5FFC99} No Task File <==== ATTENTION
2015-07-09 12:11 - 2015-07-14 12:29 - 0000024 _____ () C:\Users\Obrien\AppData\Roaming\appdataFr25.bin
2015-06-18 12:57 - 2015-06-23 20:33 - 00000000 ____D C:\Program Files\Stylish
2015-06-18 12:57 - 2015-06-23 20:18 - 00000000 ____D C:\Program Files\PragmaEdit
2015-06-18 12:56 - 2015-06-18 12:57 - 00000000 ____D C:\ProgramData\15672408905895638278
2015-06-18 12:55 - 2015-06-23 20:30 - 00000000 ____D C:\ProgramData\{12396b25-a21b-2bde-1239-96b25a21ac96}
2015-06-24 02:22 - 2015-06-24 02:22 - 00723165 _____ C:\Users\Obrien\Downloads\SpyHunter 4 Key Generator.rar
CHR HKLM SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
CloseProcesses:
EmptyTemp:
Reboot:
*****************
 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{194B0DD7-08E3-4642-8AFB-2E20EB585D29}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{194B0DD7-08E3-4642-8AFB-2E20EB585D29}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealDownloaderRealUpgradeLogonTaskS-1-5-21-644934550-1969336876-3547299378-1001" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A598CF6-05B2-4EB3-BBE7-265A0357FCE0}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A598CF6-05B2-4EB3-BBE7-265A0357FCE0}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-644934550-1969336876-3547299378-1001" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{66939F77-AD08-4B0C-97DD-09F0EA004D6A}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{66939F77-AD08-4B0C-97DD-09F0EA004D6A}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\c527a1a1-c8cb-4997-bef6-7b2f1be04ec0-1-6" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7E39B3E9-E821-4E84-BEDF-9061F4D0E21D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7E39B3E9-E821-4E84-BEDF-9061F4D0E21D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{CE1E396D-1B8F-4FA3-90BA-9ECA8C5FFC99}" => key removed successfully.
C:\Users\Obrien\AppData\Roaming\appdataFr25.bin => moved successfully.
C:\Program Files\Stylish => moved successfully.
C:\Program Files\PragmaEdit => moved successfully.
C:\ProgramData\15672408905895638278 => moved successfully.
C:\ProgramData\{12396b25-a21b-2bde-1239-96b25a21ac96} => moved successfully.
C:\Users\Obrien\Downloads\SpyHunter 4 Key Generator.rar => moved successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
Processes closed successfully.
EmptyTemp: => 287.5 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 09:50:08 ====
 
ESET
C:\Users\Obrien\AppData\Roaming\uTorrent\updates\3.3.2_30303.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Obrien\AppData\Roaming\uTorrent\updates\3.4.2_37754.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Users\Obrien\Downloads\ccsetup507 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Obrien\Downloads\ccsetup507 (2).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Obrien\Downloads\ccsetup507.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Obrien\Downloads\MicrosoftWord.exe a variant of Win32/DownloadAssistant.A potentially unwanted application
C:\Users\Obrien\Downloads\uTorrent Setup [1].exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Obrien\Downloads\Microsoft word 2010- 32 bit + Crack\ACTIVATION V3.2 {LCD}.exe Win32/HackKMS.A potentially unsafe application
C:\Windows.old\$Recycle.Bin\S-1-5-21-3375169219-1989868155-890746878-1000\$R0XOOQC.exe multiple threats
C:\Windows.old\$Recycle.Bin\S-1-5-21-3375169219-1989868155-890746878-1000\$RIRMFAL.exe multiple threats
C:\Windows.old\$Recycle.Bin\S-1-5-21-3375169219-1989868155-890746878-1000\$RSTO63R.exe multiple threats
C:\Windows.old\$Recycle.Bin\S-1-5-21-3375169219-1989868155-890746878-1000\$RV7SNCD.exe NSIS/TrojanDownloader.Adload.AP trojan
C:\Windows.old\$Recycle.Bin\S-1-5-21-3375169219-1989868155-890746878-1000\$RW5O05X.exe multiple threats
C:\Windows.old\$Recycle.Bin\S-1-5-21-3375169219-1989868155-890746878-1000\$RWKSHLL.exe multiple threats
C:\Windows.old\Documents and Settings\All Users\ldoefilhaefhmodiianmnpjaihamklki\X.js JS/Kryptik.ATB trojan
C:\Windows.old\Documents and Settings\All Users\{444677dd-4647-14fd-4446-677dd464df75}\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Documents and Settings\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\2bd3A61c3c8.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\google language translator software__10924_i1460734657_il1689804.exe a variant of Win32/Amonetize.DE potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\spr7DCB.tmp Win32/Adware.Similagro.A application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\4A709\temp\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\4A709\temp\putfu.xyz a variant of Win32/Adware.MultiPlug.LI application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\nslD46E.tmp\CommonsDll.dll a variant of Win32/Amonetize.DQ potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\nslD46E.tmp\google language translator software_10924_i23816709_il345.exe a variant of Win32/Amonetize.DI potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\background.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\bootstrap.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\newtab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\opentab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Local\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Documents and Settings\home\AppData\Roaming\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\4NlAaUOLy@0.com\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Documents and Settings\home\AppData\Roaming\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\E33q@w43.org\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Documents and Settings\home\AppData\Roaming\uTorrent\updates\3.4.2_37594.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\4NlAaUOLy@0.com\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\E33q@w43.org\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Documents and Settings\home\Application Data\uTorrent\updates\3.4.2_37594.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Documents and Settings\home\Downloads\avc-free.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Documents and Settings\home\Downloads\SoftwareUpdater.exe Win32/Packed.VMDetector.O potentially unwanted application
C:\Windows.old\Documents and Settings\home\Downloads\The_Woman_in_Black_2_Angels_of_Death_(2015) (3).exe multiple threats
C:\Windows.old\Documents and Settings\home\Downloads\uTorrent.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Documents and Settings\home\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\2bd3A61c3c8.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\google language translator software__10924_i1460734657_il1689804.exe a variant of Win32/Amonetize.DE potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\spr7DCB.tmp Win32/Adware.Similagro.A application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\4A709\temp\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\4A709\temp\putfu.xyz a variant of Win32/Adware.MultiPlug.LI application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\nslD46E.tmp\CommonsDll.dll a variant of Win32/Amonetize.DQ potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\nslD46E.tmp\google language translator software_10924_i23816709_il345.exe a variant of Win32/Amonetize.DI potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\background.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\bootstrap.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\newtab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\opentab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Documents and Settings\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\icncamkooinmbehmkeilcccmoljfkdhp\207\yLvWthxSf.js JS/Kryptik.ATB trojan
C:\Windows.old\Documents and Settings\John\Local Settings\Google\Chrome\User Data\Default\Extensions\icncamkooinmbehmkeilcccmoljfkdhp\207\yLvWthxSf.js JS/Kryptik.ATB trojan
C:\Windows.old\ProgramData\ldoefilhaefhmodiianmnpjaihamklki\X.js JS/Kryptik.ATB trojan
C:\Windows.old\ProgramData\{444677dd-4647-14fd-4446-677dd464df75}\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Users\All Users\ldoefilhaefhmodiianmnpjaihamklki\X.js JS/Kryptik.ATB trojan
C:\Windows.old\Users\All Users\{444677dd-4647-14fd-4446-677dd464df75}\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Users\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\2bd3A61c3c8.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Users\home\AppData\Local\Temp\google language translator software__10924_i1460734657_il1689804.exe a variant of Win32/Amonetize.DE potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\spr7DCB.tmp Win32/Adware.Similagro.A application
C:\Windows.old\Users\home\AppData\Local\Temp\4A709\temp\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Users\home\AppData\Local\Temp\4A709\temp\putfu.xyz a variant of Win32/Adware.MultiPlug.LI application
C:\Windows.old\Users\home\AppData\Local\Temp\nslD46E.tmp\CommonsDll.dll a variant of Win32/Amonetize.DQ potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\nslD46E.tmp\google language translator software_10924_i23816709_il345.exe a variant of Win32/Amonetize.DI potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\background.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\bootstrap.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\newtab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\opentab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Users\home\AppData\Local\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\4NlAaUOLy@0.com\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\E33q@w43.org\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Users\home\AppData\Roaming\uTorrent\updates\3.4.2_37594.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Users\home\Application Data\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\4NlAaUOLy@0.com\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Users\home\Application Data\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\E33q@w43.org\content\bg.js JS/Kryptik.ATB trojan
C:\Windows.old\Users\home\Application Data\uTorrent\updates\3.4.2_37594.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Users\home\Downloads\avc-free.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Users\home\Downloads\SoftwareUpdater.exe Win32/Packed.VMDetector.O potentially unwanted application
C:\Windows.old\Users\home\Downloads\The_Woman_in_Black_2_Angels_of_Death_(2015) (3).exe multiple threats
C:\Windows.old\Users\home\Downloads\uTorrent.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows.old\Users\home\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\2bd3A61c3c8.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Users\home\Local Settings\Temp\google language translator software__10924_i1460734657_il1689804.exe a variant of Win32/Amonetize.DE potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\spr7DCB.tmp Win32/Adware.Similagro.A application
C:\Windows.old\Users\home\Local Settings\Temp\4A709\temp\open subtitles player.exe a variant of Win32/Adware.MultiPlug.EP application
C:\Windows.old\Users\home\Local Settings\Temp\4A709\temp\putfu.xyz a variant of Win32/Adware.MultiPlug.LI application
C:\Windows.old\Users\home\Local Settings\Temp\nslD46E.tmp\CommonsDll.dll a variant of Win32/Amonetize.DQ potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\nslD46E.tmp\google language translator software_10924_i23816709_il345.exe a variant of Win32/Amonetize.DI potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\background.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\bootstrap.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\newtab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temp\scoped_dir_4748_20786\CRX_INSTALL\js\opentab.js JS/Astromenda.A potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temporary Internet Files\Content.IE5\Q0VYC1EA\2474s[1].exe a variant of Win32/Toolbar.CrossRider.BU potentially unwanted application
C:\Windows.old\Users\home\Local Settings\Temporary Internet Files\Content.IE5\Q0VYC1EA\Setup[1].exe Win32/Verti.O potentially unwanted application
C:\Windows.old\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\icncamkooinmbehmkeilcccmoljfkdhp\207\yLvWthxSf.js JS/Kryptik.ATB trojan
C:\Windows.old\Users\John\Local Settings\Google\Chrome\User Data\Default\Extensions\icncamkooinmbehmkeilcccmoljfkdhp\207\yLvWthxSf.js JS/Kryptik.ATB trojan
C:\Windows.old\Windows\System32\ColorMedia.dll a variant of Win32/Komodia.A potentially unsafe application

#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 19 July 2015 - 04:00 AM

C:\Users\Obrien\AppData\Roaming\uTorrent\updates\3.3.2_30303.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Obrien\AppData\Roaming\uTorrent\updates\3.4.2_37754.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Users\Obrien\Downloads\ccsetup507 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Obrien\Downloads\ccsetup507 (2).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Obrien\Downloads\ccsetup507.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Obrien\Downloads\MicrosoftWord.exe a variant of Win32/DownloadAssistant.A potentially unwanted application
C:\Users\Obrien\Downloads\uTorrent Setup [1].exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Obrien\Downloads\Microsoft word 2010- 32 bit + Crack\ACTIVATION V3.2 {LCD}.exe Win32/HackKMS.A potentially unsafe application

These files aren't malware but contain security risks. I'd delete them immediately - your choice.

Also, delete C:\windows.old

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also
Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

Tell me: Are any problems left now or may I post the final reply? :)


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
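As an added example (not part of this thread or of any tool it mentions), a small Python triage script for scan lines in the format quoted above: it parses each line into path, detection name and classification, then separates what the helper's advice hinges on, namely trojan hits versus PUA/PUsA hits, files under C:\Windows.old that disappear when that folder is deleted, and browser-extension payloads. The LINE_RE pattern and the SAMPLE_LOG list are my construction; the sample lines themselves are copied from the log quoted in the thread.

```python
import re
from collections import Counter

# Classification phrases ESET appends to a line, longest first so the
# alternation never matches a short phrase inside a longer one.
KINDS = ("potentially unwanted application", "potentially unsafe application",
         "multiple threats", "trojan", "application")

# One scan line: <Windows path> [a variant of ]<Engine/Family.Variant> <kind>.
# "multiple threats" lines carry no detection name, hence the optional group.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)"
    r"(?:\s+(?P<detection>(?:a variant of )?[A-Za-z0-9]+/[A-Za-z0-9.]+))?"
    r"\s+(?P<kind>" + "|".join(re.escape(k) for k in KINDS) + r")$"
)

# Constructed sample input: six lines taken from the scan log quoted above.
SAMPLE_LOG = [
    r"C:\Windows.old\Users\home\AppData\Local\Temp\2bd3A61c3c8.exe a variant of Win32/Adware.MultiPlug.EP application",
    r"C:\Windows.old\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\c49wz2zj.default\extensions\E33q@w43.org\content\bg.js JS/Kryptik.ATB trojan",
    r"C:\Windows.old\Users\home\Downloads\The_Woman_in_Black_2_Angels_of_Death_(2015) (3).exe multiple threats",
    r"C:\Users\Obrien\Downloads\ccsetup507.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application",
    r"C:\Users\Obrien\Downloads\MicrosoftWord.exe a variant of Win32/DownloadAssistant.A potentially unwanted application",
    r"C:\Windows.old\Windows\System32\ColorMedia.dll a variant of Win32/Komodia.A potentially unsafe application",
]

def triage(lines):
    """Parse each scan line and tag it with the facts the cleanup advice depends on."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:  # headers, blanks, or lines in another format are skipped
            continue
        path = m.group("path")
        low = path.lower()
        hits.append({
            "path": path,
            "detection": m.group("detection") or "(unnamed)",
            "kind": m.group("kind"),
            # Everything under Windows.old goes away when that folder is deleted.
            "in_windows_old": low.startswith("c:\\windows.old\\"),
            # Extension payloads: Firefox profile dir or Chrome CRX staging dir.
            "browser_extension": "\\extensions\\" in low or "\\crx_install\\" in low,
        })
    return hits

def summarize(hits):
    """Roll parsed hits up into the counts a helper reads off before replying."""
    return {
        "by_kind": Counter(h["kind"] for h in hits),
        "windows_old": sum(h["in_windows_old"] for h in hits),
        "browser_extension": sum(h["browser_extension"] for h in hits),
        "live_system": [h["path"] for h in hits if not h["in_windows_old"]],
    }
```

Feeding the whole posted log to triage() shows at a glance how many hits are trojans rather than bundled installers, and how many vanish with the Windows.old deletion the helper asks for.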

#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 04 August 2015 - 02:03 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.