Horrible pop-up ads by jabuticaba


  • This topic is locked
34 replies to this topic

#1 lioness8

lioness8

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 13 August 2015 - 02:08 AM

Hi,

 

I have infected my PC and I have run AdwCleaner, HitmanPro, Malwarebytes and Spybot. But I am still getting pop-up ads and tabs by jabuticaba. This is happening in Chrome, IE and Firefox. I have also reset the settings, but still no luck.

 

Can you help me get rid of them?


Edited by lioness8, 13 August 2015 - 02:23 AM.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:04 AM

Posted 13 August 2015 - 10:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Wait for further instructions.
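The FRST.txt report this post asks for is plain text, and the markers FRST writes into it are what a responder reads first. The following script is an added example for this thread (it is not part of the original post and not FRST's own tooling): it walks the report section by section and flags the entries FRST itself marks (`<======= ATTENTION`, `No File` / `File not found` / `[X]` for a registered component whose file is gone, `[File not signed]`, and an empty `()` publisher field) plus one heuristic of our own, an executable running from a user's Temp folder. The embedded sample log is constructed with placeholder names in FRST's output format; the rule names and severities are our choice, not FRST's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in FRST's output format (placeholder names, not a real machine's log).
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Example Vendor Ltd) C:\Program Files\Example\service.exe
(Example Vendor Ltd) C:\Users\USER~1\AppData\Local\Temp\ExSync.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [nwiz] => C:\Program Files\Example\nview\nwiz.exe [2716960 2013-04-19] ()
HKLM-x32\...\Run: [Helper] => C:\Program Files (x86)\Example\helper.exe [152392 2013-05-31] (Example Vendor Ltd)
Winlogon\Notify\ExampleLogon-x32: ExampleLogon.dll [X]
AppInit_DLLs: C:\PROGRA~2\Example\EXAMPL~1.DLL => C:\PROGRA~2\Example\EXAMPL~1.DLL File not found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

BHO: adblockerthing -> {00000000-0000-0000-0000-000000000000} -> C:\Program Files (x86)\adblockerthing\plugin.x64.dll No File
BHO-x32: Example SSV Helper -> {11111111-1111-1111-1111-111111111111} -> C:\Program Files (x86)\Example\ssv.dll [2015-07-09] (Example Vendor Ltd)

FireFox:
========
FF Plugin: @example.com/GENUINE -> disabled [No File]

==================== Services (Whitelisted) ========================

R2 ExampleDebug; C:\Program Files (x86)\Example\debug.exe [335872 2006-10-26] (Example Vendor Ltd) [File not signed]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [139048 2014-04-23] (Example Vendor Ltd)

===================== Drivers (Whitelisted) ==========================

R0 ExampleDefragDriver; C:\Windows\System32\Drivers\ExampleDefrag.sys [17720 2010-11-26] ()
R4 exampledrv; \??\C:\Windows\system32\drivers\exampledrv.sys [X]
"""


@dataclass
class Finding:
    section: str   # FRST section the line appeared under
    line_no: int   # 1-based line number within the log text
    rule: str      # which triage rule fired
    line: str      # the log line itself


# Markers FRST writes into its reports, plus one location heuristic of ours.
RULES = [
    # FRST's own "look here" marker (e.g. a browser policy restriction it considers unusual)
    ("frst-attention", re.compile(r"<=+ ATTENTION")),
    # Registered component whose file no longer exists: leftover of a removed or partly removed program
    ("missing-file", re.compile(r"(\[?No File\]?|File not found|\[X\])$")),
    # Service or driver binary without a valid signature
    ("unsigned-file", re.compile(r"\[File not signed\]$")),
    # Empty "()" after the [size date] block: the file carries no company name in its version info
    ("no-publisher", re.compile(r"\]\s*\(\s*\)$")),
    # Executable running from a user's Temp folder (our heuristic, not an FRST marker)
    ("runs-from-temp", re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe", re.IGNORECASE)),
]

SEVERITY = {"frst-attention": "high", "missing-file": "medium", "runs-from-temp": "medium",
            "unsigned-file": "low", "no-publisher": "low"}

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # "==== Processes (Whitelisted) ===="
SHORT_HEADER_RE = re.compile(r"^[A-Za-z]+:$")  # "FireFox:" / "Chrome:"


def triage(log_text):
    """Walk an FRST report and return the lines matching a triage rule, tagged with their section."""
    findings = []
    section = "(preamble)"
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line or re.fullmatch(r"=+", line):
            continue
        banner = BANNER_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if SHORT_HEADER_RE.match(line):
            section = line.rstrip(":")
            continue
        if line.startswith("(If "):  # FRST's explanatory note under each section heading
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(section, line_no, rule, line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'missing-file': 5, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(SEVERITY[f.rule])):
        print(f"[{SEVERITY[f.rule]:6}] {f.rule:15} {f.section}: {f.line}")
    print(summarize(results))
```

Run it against a saved FRST.txt by replacing `SAMPLE_LOG` with the file's contents. The output is a starting point, not a verdict: a `No File` entry is often just debris from a program the user already uninstalled, and an empty publisher field is common for legitimate older drivers, so each hit still needs the path and the vendor checked by hand.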

#3 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 14 August 2015 - 05:09 AM

Hi Nasdaq,
 
Thanks for your help in advance. Below is the FRST.txt
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-08-2015
Ran by jhutchinson (administrator) on C000839 (14-08-2015 10:43:04)
Running from C:\Users\jhutchinson.4DI\Downloads
Loaded Profiles: jhutchinson & Administrator &  (Available Profiles: Administrator & jhutchinson & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe
(Paessler AG) C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe
(Paessler AG) C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(UltraVNC) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
(Exclaimer Ltd) C:\Users\JHUTCH~1.4DI\AppData\Local\Temp\ExSync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(UltraVNC) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\Snagit32.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\TscHelp.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\SnagPriv.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\SnagitEditor.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.155\Installer\setup.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(VMware, Inc.) C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2716960 2013-04-19] ()
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [323312 2014-12-10] (Intel Corporation)
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [1617704 2014-10-28] (Sophos Limited)
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4370976 2014-12-12] (Fitbit, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-4258707457-3743355892-924965443-1198\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-4258707457-3743355892-924965443-500\...\Run: [DesktopSearch] => C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros -tray
HKU\S-1-5-21-995923914-3599557478-2251676825-3768\...\Run: [Line] => C:\Program Files (x86)\Naver\LINE\Line.exe [15623704 2015-07-15] (LINE Corporation)
HKU\S-1-5-21-995923914-3599557478-2251676825-3768\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4370976 2014-12-12] (Fitbit, Inc.)
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL File not found
AppInit_DLLs-x32: c:\progra~2\sophos\sophos~1\sophos~1.dll => c:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [222280 2014-04-23] (Sophos Limited)
Startup: C:\Users\JHutchinson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3CXPhone.lnk [2013-08-12]
ShortcutTarget: 3CXPhone.lnk -> C:\Program Files (x86)\3CXPhone\3CXPhone.exe (3CX Ltd)
BootExecute: autocheck autochk * bootdeletebootdelete
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-4258707457-3743355892-924965443-1198\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-gb/?ocid=iehp
HKU\S-1-5-21-4258707457-3743355892-924965443-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-gb/?ocid=iehp
HKU\S-1-5-21-995923914-3599557478-2251676825-3768\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.co.uk/
HKU\S-1-5-21-995923914-3599557478-2251676825-3768\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://uk.msn.com/
HKU\S-1-5-21-995923914-3599557478-2251676825-4731\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://uk.msn.com/
HKU\S-1-5-21-995923914-3599557478-2251676825-4732\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://uk.msn.com/
HKU\S-1-5-21-995923914-3599557478-2251676825-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://uk.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-995923914-3599557478-2251676825-6129 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitBHO64.dll [2009-10-15] (TechSmith Corporation)
BHO: youtubeadblocker -> {f6fe4214-39b6-4eeb-b9c1-0655214a425e} -> C:\Program Files (x86)\youtubeadblocker\qvIb2ZvMMNGWBr.x64.dll No File
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll [2009-10-15] (TechSmith Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-07-09] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-07-09] (Oracle Corporation)
Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll [2009-10-15] (TechSmith Corporation)
Toolbar: HKU\S-1-5-21-4258707457-3743355892-924965443-500 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [87616 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Winsock: Catalog9-x64 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [127040 2013-06-11] (Sophos Limited)
Tcpip\..\Interfaces\{2365A1B9-AB3D-4EBC-8BCA-4D9412B31A32}: [NameServer] 10.11.32.11,10.10.32.11
 
FireFox:
========
FF ProfilePath: C:\Users\jhutchinson.4DI\AppData\Roaming\Mozilla\Firefox\Profiles\3y5x17ud.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-12] ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 -> C:\Windows\system32\npDeployJava1.dll [2013-06-11] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-14] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-12] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1203133.dll [2013-06-26] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2013-06-12] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-07-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Reader 3\npnitromozilla.dll [2013-07-26] (Nitro PDF)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-31] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-31] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: @vmware.com/vmrc,version=2.5.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware VMRC Plug-in\Firefox\np-vmware-vmrc.dll [2012-01-28] (VMware, Inc.)
FF Plugin-x32: @vmware.com/vmrc,version=5.1.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.1\Firefox\np-vmware-vmrc.dll [2013-03-19] (VMware, Inc.)
FF Plugin-x32: @vmware.com/vmrc,version=5.5.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Firefox\np-vmware-vmrc.dll [2014-10-30] (VMware, Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-09-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-995923914-3599557478-2251676825-3768: @citrixonline.com/appdetectorplugin -> C:\Users\JHutchinson\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-10-18] (Citrix Online)
 
Chrome: 
=======
CHR Profile: C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-27]
CHR Extension: (Google Docs) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-27]
CHR Extension: (Google Drive) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-27]
CHR Extension: (YouTube) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-07-27]
CHR Extension: (Google Search) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-07-27]
CHR Extension: (Google Sheets) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-07-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-27]
CHR Extension: (Gmail) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-27]
CHR Profile: C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3
CHR Extension: (Google Slides) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-28]
CHR Extension: (Google Docs) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-28]
CHR Extension: (Google Drive) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-28]
CHR Extension: (YouTube) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-07-28]
CHR Extension: (Google Search) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-07-28]
CHR Extension: (Google Sheets) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-28]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-07-28]
CHR Extension: (Google Wallet) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-28]
CHR Extension: (Gmail) - C:\Users\jhutchinson.4DI\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-28]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [5738528 2014-12-12] (Fitbit, Inc.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-08-05] (SurfRight B.V.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [19184 2014-12-10] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-07-31] (Hewlett-Packard) [File not signed]
R2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2013-07-26] (Nitro PDF Software)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-07-31] (Hewlett-Packard) [File not signed]
R2 PRTGCoreService; C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe [7232736 2013-09-18] (Paessler AG)
R2 PRTGProbeService; C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe [8813280 2013-09-18] (Paessler AG)
R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [215848 2014-04-23] (Sophos Limited)
R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [139048 2014-04-23] (Sophos Limited)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-21] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-21] (Microsoft Corporation)
R2 Sophos Agent; C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [289856 2013-06-11] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [341800 2014-10-28] (Sophos Limited)
R2 Sophos Message Router; C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [818240 2013-06-11] (Sophos Limited)
R2 Sophos Web Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [357400 2013-06-11] (Sophos Limited)
R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2869824 2013-06-11] (Sophos Limited)
S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [1998400 2013-06-11] (Sophos Limited)
R2 uvnc_service; C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe [2190584 2012-11-23] (UltraVNC)
R2 vmware-converter-agent; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [423536 2011-08-19] (VMware, Inc.)
R2 vmware-converter-server; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [423536 2011-08-19] (VMware, Inc.)
R2 vmware-converter-worker; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [423536 2011-08-19] (VMware, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 bmdrvr; C:\Windows\SysWow64\drivers\bmdrvr.sys [74352 2011-03-15] (VMware, Inc.)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [30960 2014-12-10] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-08-05] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
R3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12904 2012-09-10] (UVNC BVBA)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [144672 2013-06-11] (Sophos Limited)
S3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [36640 2013-06-11] (Sophos Limited)
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [25608 2013-06-11] (Sophos Plc)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [35344 2015-08-06] ()
R4 hitmanpro37; \??\C:\Windows\system32\drivers\hitmanpro37.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-14 10:43 - 2015-08-14 10:43 - 00025004 _____ C:\Users\jhutchinson.4DI\Downloads\FRST.txt
2015-08-14 10:42 - 2015-08-14 10:43 - 00000000 ____D C:\FRST
2015-08-14 10:41 - 2015-08-14 10:42 - 02173952 _____ (Farbar) C:\Users\jhutchinson.4DI\Downloads\FRST64.exe
2015-08-13 14:41 - 2015-08-13 14:41 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\vlc
2015-08-13 14:40 - 2015-08-13 14:40 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\License
2015-08-12 11:26 - 2015-08-12 11:26 - 00244478 _____ C:\Users\jhutchinson.4DI\Documents\Letter head template.dotx
2015-08-12 09:33 - 2015-08-12 09:33 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-08-12 09:33 - 2015-08-12 09:33 - 00000278 _____ C:\Windows\system32\bootdelete.lst
2015-08-10 17:26 - 2015-08-10 17:26 - 00224256 _____ C:\Users\jhutchinson.4DI\Downloads\4D Password.xlsx
2015-08-10 16:00 - 2015-08-10 16:00 - 00000000 ____D C:\Program Files\Common Files\AV
2015-08-10 16:00 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2015-08-10 15:50 - 2015-08-10 15:50 - 00001391 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-08-10 15:50 - 2015-08-10 15:50 - 00001379 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-08-10 15:50 - 2015-08-10 15:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-08-10 15:50 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-08-10 15:48 - 2015-08-10 15:48 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\jhutchinson.4DI\Downloads\spybot-2.4.exe
2015-08-10 11:44 - 2015-08-10 11:44 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\Macromedia
2015-08-10 11:08 - 2015-08-10 11:08 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\Global VPN Client
2015-08-10 11:05 - 2015-07-23 17:17 - 36595961 _____ C:\Users\jhutchinson.4DI\Documents\Global VPN Client.zip
2015-08-06 21:08 - 2015-08-06 21:08 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\Macromedia
2015-08-06 19:40 - 2015-08-06 19:40 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\UltraVNC
2015-08-06 19:36 - 2015-08-06 21:56 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\VMware
2015-08-06 19:36 - 2015-08-06 19:36 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\Intel Corporation
2015-08-06 19:35 - 2015-08-06 19:35 - 00001413 _____ C:\Users\administrator.4DI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-06 19:35 - 2015-08-06 19:35 - 00000000 ___RD C:\Users\administrator.4DI\Virtual Machines
2015-08-06 19:35 - 2015-08-06 19:35 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\Apple Computer
2015-08-06 19:35 - 2015-08-06 19:35 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\Adobe
2015-08-06 19:35 - 2015-08-06 19:35 - 00000000 ____D C:\Users\administrator.4DI\AppData\Local\VMware
2015-08-06 19:35 - 2015-08-06 19:35 - 00000000 ____D C:\Users\administrator.4DI\AppData\Local\Google
2015-08-06 17:58 - 2015-08-06 17:58 - 00096784 _____ (CACE Technologies) C:\Windows\SysWOW64\WPRO_41_2001woem.tmp
2015-08-06 14:05 - 2015-08-06 17:58 - 00035344 _____ C:\Windows\system32\Drivers\WPRO_41_2001.sys
2015-08-05 17:20 - 2015-08-05 17:20 - 02248704 _____ C:\Users\jhutchinson.4DI\Downloads\adwcleaner_4.208.exe
2015-08-05 14:44 - 2015-08-05 14:44 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\TechSmith
2015-08-05 11:43 - 2015-08-05 11:43 - 00023114 _____ C:\Windows\system32\.crusader
2015-08-05 11:23 - 2015-08-05 12:12 - 00003678 __RSH C:\ProgramData\ntuser.pol
2015-08-05 10:30 - 2015-08-05 10:30 - 00001893 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-08-05 10:30 - 2015-08-05 10:30 - 00000000 ____D C:\Program Files\HitmanPro
2015-08-05 10:28 - 2015-08-05 11:42 - 00000000 ____D C:\ProgramData\HitmanPro
2015-08-05 10:28 - 2015-08-05 10:28 - 11032736 _____ (SurfRight B.V.) C:\Users\jhutchinson.4DI\Downloads\HitmanPro_x64.exe
2015-08-05 09:26 - 2015-08-05 09:26 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\Remove_Empty_Directories
2015-08-04 16:33 - 2015-07-30 17:22 - 02248704 _____ C:\Users\jhutchinson.4DI\Desktop\adwcleaner_4.208.exe
2015-08-04 16:12 - 2015-08-04 16:12 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\UltraVNC
2015-08-04 12:27 - 2015-08-05 11:16 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-04 12:26 - 2015-08-04 12:26 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-08-04 12:26 - 2015-08-04 12:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-04 12:26 - 2015-08-04 12:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-08-04 12:26 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-04 12:26 - 2015-06-18 08:41 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-08-04 12:26 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-08-03 11:07 - 2015-08-04 09:54 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\_Bill
2015-08-03 09:56 - 2015-08-14 10:39 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\VMware
2015-08-03 09:43 - 2015-08-03 09:43 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\VMware
2015-07-31 10:36 - 2015-07-31 10:36 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Nitro
2015-07-31 10:36 - 2015-07-31 10:36 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\FileOpen
2015-07-31 10:12 - 2015-08-12 19:18 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-07-31 10:12 - 2015-07-31 10:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-07-31 10:09 - 2015-08-14 10:14 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-31 10:09 - 2015-08-14 10:14 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-31 10:09 - 2015-07-31 10:09 - 00003904 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-07-31 10:09 - 2015-07-31 10:09 - 00003652 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-07-31 10:08 - 2015-07-31 10:08 - 00931408 _____ (Google Inc.) C:\Users\jhutchinson.4DI\Downloads\ChromeSetup.exe
2015-07-30 18:28 - 2015-07-30 18:28 - 00001708 _____ C:\Users\Administrator.C000839\Desktop\JRT.txt
2015-07-30 17:26 - 2015-07-30 17:41 - 00000000 ____D C:\AdwCleaner
2015-07-30 16:00 - 2015-07-30 16:00 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2015-07-30 15:54 - 2015-08-11 12:45 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-07-30 15:53 - 2015-08-10 16:28 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-07-30 15:53 - 2015-07-30 14:35 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Administrator.C000839\Desktop\spybot-2-4.exe
2015-07-30 15:51 - 2015-07-30 15:51 - 00000000 ____D C:\Users\Administrator.C000839\AppData\Roaming\Mozilla
2015-07-30 15:51 - 2015-07-30 15:51 - 00000000 ____D C:\Users\Administrator.C000839\AppData\Local\Mozilla
2015-07-30 14:43 - 2015-07-30 14:43 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-30 12:11 - 2015-07-30 12:11 - 00000000 ____D C:\Users\Administrator.C000839\AppData\Roaming\Macromedia
2015-07-30 11:38 - 2015-07-30 11:38 - 00000000 ____D C:\Users\Administrator.C000839\AppData\Roaming\Notepad++
2015-07-30 10:51 - 2015-07-30 10:51 - 00003264 _____ C:\Windows\System32\Tasks\{FBEE8065-C1D5-4246-A073-974040D4CD21}
2015-07-30 09:42 - 2015-07-30 09:42 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\Sophos
2015-07-30 09:28 - 2015-07-30 09:28 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Mozilla
2015-07-30 09:28 - 2015-07-30 09:28 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\Mozilla
2015-07-29 15:57 - 2015-07-31 10:13 - 00000295 _____ C:\Windows\wininit.ini
2015-07-29 15:57 - 2015-07-29 15:57 - 00000000 ____D C:\Windows\system32\iule
2015-07-29 15:42 - 2015-07-29 15:42 - 00012168 _____ C:\ChromePasswordList.html
2015-07-29 15:37 - 2009-06-10 22:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-07-28 11:15 - 2015-07-28 11:15 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\LINE
2015-07-28 11:10 - 2015-07-28 11:10 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Macromedia
2015-07-28 11:04 - 2015-07-28 11:04 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Notepad++
2015-07-27 16:07 - 2015-08-07 02:10 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\Nitro PDF
2015-07-27 16:07 - 2015-07-27 16:07 - 00000000 ____D C:\Users\administrator.4DI\AppData\Roaming\Softland
2015-07-27 15:31 - 2015-07-27 15:31 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\2BrightSparks
2015-07-27 15:31 - 2015-07-27 15:31 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\2BrightSparks
2015-07-27 15:21 - 2015-08-12 16:15 - 00002192 ____H C:\Users\jhutchinson.4DI\Documents\Default.rdp
2015-07-27 15:18 - 2015-08-06 19:35 - 00067048 _____ C:\Users\administrator.4DI\AppData\Local\GDIPFONTCACHEV1.DAT
2015-07-27 15:18 - 2015-08-06 19:35 - 00000000 ____D C:\Users\administrator.4DI
2015-07-27 15:18 - 2015-07-27 15:18 - 00000020 ___SH C:\Users\administrator.4DI\ntuser.ini
2015-07-27 15:18 - 2013-07-09 03:11 - 00000000 ____D C:\Users\administrator.4DI\Documents\Visual Studio 2008
2015-07-27 15:18 - 2013-07-09 03:03 - 00000000 ____D C:\Users\administrator.4DI\Documents\Visual Studio 2005
2015-07-27 15:18 - 2013-07-09 03:03 - 00000000 ____D C:\Users\administrator.4DI\AppData\Local\Microsoft Help
2015-07-27 15:18 - 2009-07-14 05:54 - 00000000 ___RD C:\Users\administrator.4DI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-07-27 15:18 - 2009-07-14 05:49 - 00000000 ___RD C:\Users\administrator.4DI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-07-27 15:14 - 2015-07-27 15:14 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Intel Corporation
2015-07-27 15:13 - 2015-07-27 15:13 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Apple Computer
2015-07-27 15:12 - 2015-07-31 10:09 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\Google
2015-07-27 15:12 - 2015-07-27 15:12 - 00001413 _____ C:\Users\jhutchinson.4DI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-27 15:12 - 2015-07-27 15:12 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Roaming\Adobe
2015-07-27 15:11 - 2015-08-11 13:40 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\Microsoft Help
2015-07-27 15:11 - 2015-07-27 15:59 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\Visual Studio 2008
2015-07-27 15:11 - 2015-07-27 15:59 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\Visual Studio 2005
2015-07-27 15:11 - 2015-07-27 15:14 - 00067048 _____ C:\Users\jhutchinson.4DI\AppData\Local\GDIPFONTCACHEV1.DAT
2015-07-27 15:11 - 2015-07-27 15:12 - 00000000 ___RD C:\Users\jhutchinson.4DI\Virtual Machines
2015-07-27 15:11 - 2015-07-27 15:11 - 00000020 ___SH C:\Users\jhutchinson.4DI\ntuser.ini
2015-07-27 15:11 - 2015-07-27 15:11 - 00000000 ____D C:\Users\jhutchinson.4DI\AppData\Local\VirtualStore
2015-07-27 15:11 - 2015-07-27 15:11 - 00000000 ____D C:\Users\jhutchinson.4DI
2015-07-27 15:11 - 2009-07-14 05:54 - 00000000 ___RD C:\Users\jhutchinson.4DI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-07-27 15:11 - 2009-07-14 05:49 - 00000000 ___RD C:\Users\jhutchinson.4DI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-07-27 14:44 - 2015-07-27 14:44 - 00000000 ____D C:\Users\Administrator.C000839\AppData\Roaming\Intel Corporation
2015-07-27 14:43 - 2015-08-06 19:35 - 00257265 _____ C:\Windows\SysWOW64\debug.log
2015-07-27 14:43 - 2015-07-27 14:43 - 00000000 ____D C:\Users\Administrator.C000839\AppData\Local\Google
2015-07-16 14:45 - 2015-07-16 14:47 - 93650296 _____ C:\Users\JHutchinson\Desktop\Nautilus_efi_A13_ZPE.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-14 10:22 - 2013-06-11 12:28 - 00000112 _____ C:\Windows\system32\config\netlogon.ftl
2015-08-14 10:15 - 2009-07-14 05:45 - 00020704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-14 10:15 - 2009-07-14 05:45 - 00020704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-14 10:12 - 2013-09-30 11:46 - 00000000 ____D C:\ProgramData\TEMP
2015-08-14 10:07 - 2013-06-11 16:14 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-14 09:05 - 2013-06-11 12:05 - 01718528 _____ C:\Windows\WindowsUpdate.log
2015-08-13 11:45 - 2013-11-04 12:51 - 00000542 _____ C:\Windows\Tasks\Daily scheduled scan.job
2015-08-12 04:07 - 2013-06-11 16:14 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-08-12 04:07 - 2013-06-11 16:14 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-08-12 04:07 - 2013-06-11 16:14 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-08-11 16:10 - 2013-07-03 12:18 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\SQL Server Management Studio
2015-08-10 11:59 - 2014-08-05 12:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-08-10 11:05 - 2014-07-25 10:31 - 00000000 ____D C:\Users\jhutchinson.4DI\Documents\New folder
2015-08-06 19:35 - 2009-07-14 05:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-08-06 18:07 - 2009-07-14 06:13 - 00788478 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-06 17:58 - 2013-09-30 11:45 - 00000000 ____D C:\Program Files (x86)\PRTG Network Monitor
2015-08-06 17:58 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-06 17:57 - 2010-11-21 04:47 - 00274344 _____ C:\Windows\PFRO.log
2015-08-06 17:57 - 2009-07-14 05:51 - 00051617 _____ C:\Windows\setupact.log
2015-08-06 14:03 - 2009-07-14 05:45 - 00329952 _____ C:\Windows\system32\FNTCACHE.DAT
2015-08-04 17:15 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\Registration
2015-07-31 10:12 - 2013-07-01 12:41 - 00000000 ____D C:\Program Files (x86)\Google
2015-07-30 17:29 - 2009-07-14 04:20 - 00000000 ____D C:\Program Files\Common Files\System
2015-07-30 10:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2015-07-29 16:13 - 2013-10-15 04:04 - 00000000 _____ C:\Windows\system32\vireng.log
2015-07-29 15:58 - 2013-06-11 17:08 - 00270336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2015-07-29 15:57 - 2013-06-11 17:08 - 00357888 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2015-07-29 15:45 - 2015-03-30 15:46 - 00002329 _____ C:\Users\JHutchinson\Desktop\Chrome App Launcher.lnk
2015-07-29 15:17 - 2014-07-23 10:11 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-27 14:44 - 2013-07-01 12:27 - 00067048 _____ C:\Users\Administrator.C000839\AppData\Local\GDIPFONTCACHEV1.DAT
2015-07-27 14:43 - 2013-07-01 12:25 - 00000000 ___RD C:\Users\Administrator.C000839\Virtual Machines
2015-07-27 12:17 - 2015-04-16 02:47 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Nitro PDF
2015-07-25 04:26 - 2013-07-04 10:45 - 00000000 ____D C:\Users\JHutchinson\AppData\Roaming\VMware
2015-07-21 17:13 - 2013-08-07 12:57 - 00000000 ____D C:\ProgramData\SolarWinds
2015-07-17 10:05 - 2013-07-02 16:44 - 00002192 ____H C:\Users\JHutchinson\Documents\Default.rdp
2015-07-16 10:50 - 2013-07-09 16:04 - 00001063 _____ C:\ProgramData\Microsoft\Windows\Start Menu\LINE.lnk
2015-07-16 10:50 - 2013-07-09 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LINE
 
Some files in TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\administrator\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\administrator\AppData\Local\Temp\ose00000.exe
C:\Users\administrator\AppData\Local\Temp\ose00001.exe
C:\Users\administrator.4DI\AppData\Local\Temp\Uninstall.exe
C:\Users\Administrator.C000839\AppData\Local\Temp\Quarantine.exe
C:\Users\Administrator.C000839\AppData\Local\Temp\sqlite3.dll
C:\Users\JHTest\AppData\Local\Temp\ExSync.exe
C:\Users\JHTest\AppData\Local\Temp\XCeedZip.dll
C:\Users\JHTest100\AppData\Local\Temp\ExSync.exe
C:\Users\JHTest100\AppData\Local\Temp\XCeedZip.dll
C:\Users\JHutchinson\AppData\Local\Temp\ChangeIcon.exe
C:\Users\JHutchinson\AppData\Local\Temp\d7mhddgu.dll
C:\Users\JHutchinson\AppData\Local\Temp\ExSync.exe
C:\Users\JHutchinson\AppData\Local\Temp\ExSync0.exe
C:\Users\JHutchinson\AppData\Local\Temp\Foxit PhantomPDF Updater.exe
C:\Users\JHutchinson\AppData\Local\Temp\Foxit Updater.exe
C:\Users\JHutchinson\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\JHutchinson\AppData\Local\Temp\mRemote_Update.exe
C:\Users\JHutchinson\AppData\Local\Temp\nitro_reader3.exe
C:\Users\JHutchinson\AppData\Local\Temp\nitro_reader3_64.exe
C:\Users\JHutchinson\AppData\Local\Temp\npp.6.4.5.Installer.exe
C:\Users\JHutchinson\AppData\Local\Temp\spiceworks_redist.exe
C:\Users\JHutchinson\AppData\Local\Temp\spiceworks_redist_10.exe
C:\Users\JHutchinson\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\JHutchinson\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\JHutchinson\AppData\Local\Temp\vlc-2.1.1-win32.exe
C:\Users\JHutchinson\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\JHutchinson\AppData\Local\Temp\vlc-2.1.3-win32.exe
C:\Users\JHutchinson\AppData\Local\Temp\XCeedZip.dll
C:\Users\JHutchinson\AppData\Local\Temp\xfoxtuys.exe
C:\Users\JHutchinson\AppData\Local\Temp\xmlUpdater.exe
C:\Users\jhutchinson.4DI\AppData\Local\Temp\ExSync.exe
C:\Users\jhutchinson.4DI\AppData\Local\Temp\XCeedZip.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll
[2013-06-11 17:08] - [2015-07-29 15:57] - 0357888 ____A (Microsoft Corporation) 542B8CD90FFF378BB7EA39450D166777
 
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-12 00:21
 
==================== End of log ============================

Attached Files


Edited by lioness8, 14 August 2015 - 05:11 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:04 AM

Posted 14 August 2015 - 08:16 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-4258707457-3743355892-924965443-500\...\Run: [DesktopSearch] => C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros -tray
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL File not found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: youtubeadblocker -> {f6fe4214-39b6-4eeb-b9c1-0655214a425e} -> C:\Program Files (x86)\youtubeadblocker\qvIb2ZvMMNGWBr.x64.dll No File
Toolbar: HKU\S-1-5-21-4258707457-3743355892-924965443-500 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
R4 hitmanpro37; \??\C:\Windows\system32\drivers\hitmanpro37.sys [X]
Task: {3D253FB7-54F7-4D88-9D49-EB29BFF62691} - \SPBIW_UpdateTask_Time_343034303830313132302d3437415a556c2a3223346c41 -> No File <==== ATTENTION
Task: {F3EE29A3-56F7-4D94-99FA-DEAB3F94B64E} - \Elazt -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:96B35E19
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10 and 11, follow these instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

Is the problem persisting?

#5 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 14 August 2015 - 10:21 AM

Hi,

 

The problem still persists  :(

 

Fix result of Farbar Recovery Scan Tool (x64) Version:13-08-2015
Ran by jhutchinson (2015-08-14 14:43:20) Run:1
Running from C:\Users\jhutchinson.4DI\Downloads
Loaded Profiles: Administrator & jhutchinson & Administrator &  (Available Profiles: Administrator & jhutchinson & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-4258707457-3743355892-924965443-500\...\Run: [DesktopSearch] => C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros -tray
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL File not found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: youtubeadblocker -> {f6fe4214-39b6-4eeb-b9c1-0655214a425e} -> C:\Program Files (x86)\youtubeadblocker\qvIb2ZvMMNGWBr.x64.dll No File
Toolbar: HKU\S-1-5-21-4258707457-3743355892-924965443-500 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
R4 hitmanpro37; \??\C:\Windows\system32\drivers\hitmanpro37.sys [X]
Task: {3D253FB7-54F7-4D88-9D49-EB29BFF62691} - \SPBIW_UpdateTask_Time_343034303830313132302d3437415a556c2a3223346c41 -> No File <==== ATTENTION
Task: {F3EE29A3-56F7-4D94-99FA-DEAB3F94B64E} - \Elazt -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:96B35E19
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKU\S-1-5-21-4258707457-3743355892-924965443-500\Software\Microsoft\Windows\CurrentVersion\Run\\DesktopSearch => value removed successfully
"C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL" => Value data removed successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f6fe4214-39b6-4eeb-b9c1-0655214a425e}" => key removed successfully
"HKCR\CLSID\{f6fe4214-39b6-4eeb-b9c1-0655214a425e}" => key removed successfully
HKU\S-1-5-21-4258707457-3743355892-924965443-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => value removed successfully
HKCR\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
hitmanpro37 => Unable to stop service.
hitmanpro37 => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3D253FB7-54F7-4D88-9D49-EB29BFF62691}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D253FB7-54F7-4D88-9D49-EB29BFF62691}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SPBIW_UpdateTask_Time_343034303830313132302d3437415a556c2a3223346c41 => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F3EE29A3-56F7-4D94-99FA-DEAB3F94B64E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F3EE29A3-56F7-4D94-99FA-DEAB3F94B64E}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Elazt => key not found. 
C:\ProgramData\TEMP => ":96B35E19" ADS removed successfully.
C:\ProgramData\TEMP => ":9A870F8B" ADS removed successfully.
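The Fixlog above is the record of what FRST actually did with the fixlist from post #4, and it is worth reading by outcome rather than line by line: here the restore point could not be created and the hitmanpro37 service could not be stopped before it was removed, while three referenced keys were reported as not found. The script below is an added example, not part of this thread and not Farbar's own code. It parses the result section of a Fixlog into records, buckets each line as removed, not found, error, or ok purely from the wording FRST printed (those classification rules are an assumption based on the messages visible in this log), and lists the lines a helper should look at. The sample input is the result section of the Fixlog posted above, embedded verbatim.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Result section of the FRST Fixlog posted in this thread (Run:1), used here as sample input.
SAMPLE_FIXLOG = r"""Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKU\S-1-5-21-4258707457-3743355892-924965443-500\Software\Microsoft\Windows\CurrentVersion\Run\\DesktopSearch => value removed successfully
"C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL" => Value data removed successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f6fe4214-39b6-4eeb-b9c1-0655214a425e}" => key removed successfully
"HKCR\CLSID\{f6fe4214-39b6-4eeb-b9c1-0655214a425e}" => key removed successfully
HKU\S-1-5-21-4258707457-3743355892-924965443-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => value removed successfully
HKCR\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
hitmanpro37 => Unable to stop service.
hitmanpro37 => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3D253FB7-54F7-4D88-9D49-EB29BFF62691}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D253FB7-54F7-4D88-9D49-EB29BFF62691}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SPBIW_UpdateTask_Time_343034303830313132302d3437415a556c2a3223346c41 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F3EE29A3-56F7-4D94-99FA-DEAB3F94B64E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F3EE29A3-56F7-4D94-99FA-DEAB3F94B64E}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Elazt => key not found.
C:\ProgramData\TEMP => ":96B35E19" ADS removed successfully.
C:\ProgramData\TEMP => ":9A870F8B" ADS removed successfully.
"""


@dataclass
class FixResult:
    target: str   # key, value, service, file or stream the line refers to; "" for global messages
    outcome: str  # one of: removed, not_found, error, ok, other
    detail: str   # the message FRST printed for the entry


# "<target> => <message>"; FRST sometimes wraps the target in double quotes.
_ENTRY = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<detail>.+?)\s*$')


def classify(detail: str) -> str:
    """Map a result message to an outcome bucket (rules assumed from the wording seen in this log)."""
    d = detail.lower()
    if "removed successfully" in d:
        return "removed"
    if "not found" in d:
        return "not_found"
    if d.startswith("unable") or d.startswith("error") or "failed" in d:
        return "error"
    if d.endswith("successfully."):
        return "ok"
    return "other"


def parse_fixlog(text: str) -> List[FixResult]:
    """Turn the result lines of a Fixlog into FixResult records, skipping blank lines."""
    results: List[FixResult] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        target, detail = (m.group("target"), m.group("detail")) if m else ("", line)
        results.append(FixResult(target, classify(detail), detail))
    return results


def summarize(results: List[FixResult]) -> Dict[str, int]:
    """Count of entries per outcome bucket."""
    return dict(Counter(r.outcome for r in results))


def needs_attention(results: List[FixResult]) -> List[FixResult]:
    """Entries a helper should re-check: errors, and targets FRST could not find
    (the item may already be gone, or the fixlist line may not match the scan log)."""
    return [r for r in results if r.outcome in ("error", "not_found")]


if __name__ == "__main__":
    res = parse_fixlog(SAMPLE_FIXLOG)
    print(summarize(res))
    for r in needs_attention(res):
        print(f"[{r.outcome}] {r.target or '(global)'}: {r.detail}")
```

Run against the Fixlog above it reports 18 removed, 3 not found, 2 errors and 1 ok, and the attention list is exactly the five lines a helper would want to re-read before deciding whether a second fix run is needed.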


#6 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 14 August 2015 - 10:40 AM

Farbar seemed to have frozen, by the logs. I think that was the case?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:04 AM

Posted 15 August 2015 - 07:04 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

#8 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 17 August 2015 - 05:49 AM

Hi,

 

I followed your instructions, but I got a script error, please see screenshot below. When the scan finished Notepad opened, but it was blank and there isn't a zoek-results.log file on the C drive.

 

I have opened chrome to test and the issue is still there, ads and new tabs with ads.

 

I disabled Sophos.

 

 

Attached Files



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:04 AM

Posted 17 August 2015 - 07:29 AM

Copy the Zoek.exe file to your desktop as requested.
It should run now.

#10 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 18 August 2015 - 03:47 AM

Hi,

 

I did run it from my desktop and I still got the same script error. And nothing on the notepad......

Attached Files



#11 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 18 August 2015 - 05:05 AM

I am running Windows 7 Pro, are there compatibility issues? I have run it in XP mode, but still the same error.... :(


Edited by lioness8, 18 August 2015 - 05:27 AM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:04 AM

Posted 18 August 2015 - 07:36 AM


Run this instead.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

CloseProcesses:
cmd: ipconfig /flushdns

Place the fix here...

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#13 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 18 August 2015 - 09:52 AM

Hi,

 

The computer is still the same.......

 

I have a process called PEVZ.exe running in the processes....

 

Fix result of Farbar Recovery Scan Tool (x64) Version:17-08-2015
Ran by jhutchinson (2015-08-18 15:04:25) Run:2
Running from C:\Users\jhutchinson.4DI\Downloads
Loaded Profiles: jhutchinson (Available Profiles: Administrator & jhutchinson & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CloseProcesses:
cmd: ipconfig /flushdns
 
Place the fix here...
 
End
*****************
 
Processes closed successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
Place the fix here... => Error: No automatic fix found for this entry.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 15:04:27 ====


#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:04 AM

Posted 18 August 2015 - 12:31 PM

This process is not listed on any of your logs. Good catch.

Stop the process.


I want to find out where this file is located.

Please run the Farbar Recovery Scan Tool. Enter PEVZ.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#15 lioness8

lioness8
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 19 August 2015 - 03:48 AM

Before you replied, I deleted the contents from the user/appdata/temp folder where it was, but I am still getting ad tabs though, so I guess it's deeper or the issue is something else.

 

When I used the Farbar search after I deleted it, the result was blank.

 

Farbar Recovery Scan Tool (x64) Version:17-08-2015
Ran by jhutchinson (2015-08-19 10:03:39)
Running from C:\Users\jhutchinson.4DI\Downloads
Boot Mode: Normal
 
================== Search Files: "pevz.exe" =============
 
====== End of Search ======

Edited by lioness8, 19 August 2015 - 04:04 AM.




