Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet URL's sending threats posed as system32 apps - LINKS MAY BE DANGEROUS


  • This topic is locked This topic is locked
2 replies to this topic

#1 vijin

vijin

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 23 September 2015 - 04:24 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-09-2015
Ran by Jessica (administrator) on RECEPTIONIST (23-09-2015 13:49:44)
Running from C:\Users\Jessica\AppData\Local\Microsoft\Windows\INetCache\IE\UH43JC6U
Loaded Profiles: Jessica (Available Profiles: Jessica)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Microsoft Online Services\MSOIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Microsoft Online Services\MSOIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\mcafee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro X476dw MFP\Bin\ScanToPCActivationApp.exe
(ImageMAKER Development Inc.) C:\Program Files (x86)\Common Files\ImageMAKER\VSTDAEMON.EXE
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro X476dw MFP\Bin\HPNetworkCommunicatorCom.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.6.1008.0\McCSPServiceHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McAMTaskAgent.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7198424 2013-08-23] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2755640 2013-09-26] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [155704 2013-09-26] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [155704 2013-09-26] (Hewlett-Packard)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [YouCam Service] => c:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-01] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-06-26] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-06-26] (Adobe Systems Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6134544 2015-09-23] (AVAST Software)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-980887547-974256115-1884359005-1001\...\Run: [HP Officejet Pro X476dw MFP (NET)] => C:\Program Files\HP\HP Officejet Pro X476dw MFP\Bin\ScanToPCActivationApp.exe [3485728 2013-09-11] (Hewlett-Packard Co.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-09-23] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vista Fax Daemon.lnk [2014-06-02]
ShortcutTarget: Vista Fax Daemon.lnk -> C:\Program Files (x86)\Common Files\ImageMAKER\Vstdaemon.exe (ImageMAKER Development Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{115312C9-6D9F-4961-9904-4C34FEC3920D}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5783B02E-6B01-4C41-BE95-9C583DB23EFF}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK14/1
HKU\S-1-5-21-980887547-974256115-1884359005-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aol.com/
HKU\S-1-5-21-980887547-974256115-1884359005-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK14/1
SearchScopes: HKLM -> {2FFA7DBD-1D39-456C-A661-7178FC87CF70} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {2FFA7DBD-1D39-456C-A661-7178FC87CF70} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-980887547-974256115-1884359005-1001 -> DefaultScope {BD13264D-6D29-480C-8186-42471C0D32AF} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US1225D20150126&p={searchTerms}
SearchScopes: HKU\S-1-5-21-980887547-974256115-1884359005-1001 -> {2FFA7DBD-1D39-456C-A661-7178FC87CF70} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-980887547-974256115-1884359005-1001 -> {BD13264D-6D29-480C-8186-42471C0D32AF} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US1225D20150126&p={searchTerms}
SearchScopes: HKU\S-1-5-21-980887547-974256115-1884359005-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-09-23] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-22] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-09-23] (AVAST Software)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-22] (Google Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - AOL Toolbar - {A2A31FE0-CB70-409D-B4CC-40DCDF880732} - C:\Program Files (x86)\AOL\Shared\AolIEToolbar.dll No File
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-980887547-974256115-1884359005-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-09-15] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-09-15] (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-09-15] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-09-15] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\MSC\McSnIePl64.dll [2015-08-21] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2015-08-21] (McAfee, Inc.)

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2015-08-21] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2015-08-21] ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: McAfee WebAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2015-09-21]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-06-18]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-09-23]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2015-01-26]

Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?fr=mcafee&type=B211US1225D20150126&p={searchTerms}
CHR DefaultSearchKeyword: Default -> mcafee
CHR Profile: C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-08-28]
CHR Extension: (Google Docs) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-28]
CHR Extension: (Google Drive) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-28]
CHR Extension: (YouTube) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-28]
CHR Extension: (Google Search) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-28]
CHR Extension: (Google Sheets) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-08-28]
CHR Extension: (SiteAdvisor) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2015-01-26]
CHR Extension: (Bookmark Manager) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Google Wallet) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-28]
CHR Extension: (Gmail) - C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-28]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-09-21]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-09-21]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-09-23]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-23] (AVAST Software)
R2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-09-26] () [File not signed]
R2 CyberLink PowerDVD 12 Media Server Monitor Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [77576 2013-08-12] (CyberLink)
R2 CyberLink PowerDVD 12 Media Server Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [298760 2013-08-12] (CyberLink)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [157928 2015-09-15] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [782608 2015-08-21] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.6.1008.0\McCSPServiceHost.exe [1694152 2015-07-23] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [639456 2015-07-17] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-06-29] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [373704 2015-07-06] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [254792 2015-06-29] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 msoidsvc; C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2079520 2012-05-17] (Microsoft Corp.)
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [50688 2013-05-16] (Hewlett-Packard) [File not signed]
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-09-26] (Softex Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [66048 2013-05-16] (Hewlett-Packard) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-08-23] (Realtek Semiconductor)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-24] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36096 2013-05-22] (Advanced Micro Devices, Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-09-23] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-09-23] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-09-23] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-09-23] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1049880 2015-09-23] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [448968 2015-09-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [153744 2015-09-23] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-09-23] (AVAST Software)
S3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [77536 2015-07-02] (McAfee, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207208 2015-05-19] (McAfee, Inc.)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [412440 2015-07-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [347800 2015-07-02] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80920 2015-07-02] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [496888 2015-07-02] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [875928 2015-07-02] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [529080 2015-06-28] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109728 2015-06-28] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [37960 2015-09-15] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344704 2015-07-02] (McAfee, Inc.)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2013-07-05] (Realtek Semiconductor Corp.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2014-08-15] (Apple, Inc.) [File not signed]
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44024 2015-02-03] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [264000 2015-02-03] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-23 13:04 - 2015-09-23 13:04 - 00001874 _____ C:\Users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\avast! antivirus.lnk
2015-09-23 11:56 - 2015-09-23 11:56 - 00000000 ____D C:\Users\Jessica\AppData\Roaming\AVAST Software
2015-09-23 11:54 - 2015-09-23 11:54 - 00003924 _____ C:\windows\System32\Tasks\avast! Emergency Update
2015-09-23 11:54 - 2015-09-23 11:54 - 00001944 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-09-23 11:54 - 2015-09-23 11:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-09-23 11:53 - 2015-09-23 11:53 - 01049880 _____ (AVAST Software) C:\windows\system32\Drivers\aswSnx.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00448968 _____ (AVAST Software) C:\windows\system32\Drivers\aswSP.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00378880 _____ (AVAST Software) C:\windows\system32\aswBoot.exe
2015-09-23 11:53 - 2015-09-23 11:53 - 00274808 _____ (AVAST Software) C:\windows\system32\Drivers\aswVmm.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00153744 _____ (AVAST Software) C:\windows\system32\Drivers\aswStm.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00093528 _____ (AVAST Software) C:\windows\system32\Drivers\aswRdr2.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00090968 _____ (AVAST Software) C:\windows\system32\Drivers\aswMonFlt.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00065224 _____ (AVAST Software) C:\windows\system32\Drivers\aswRvrt.sys
2015-09-23 11:53 - 2015-09-23 11:53 - 00043112 _____ (AVAST Software) C:\windows\avastSS.scr
2015-09-23 11:53 - 2015-09-23 11:53 - 00028656 _____ (AVAST Software) C:\windows\system32\Drivers\aswHwid.sys
2015-09-23 11:52 - 2015-09-23 11:52 - 00000000 ____D C:\Program Files\AVAST Software
2015-09-03 11:43 - 2015-09-03 11:43 - 00000000 ____D C:\Users\Jessica\AppData\Roaming\WinBatch

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-23 13:51 - 2014-05-29 15:39 - 01293084 _____ C:\windows\WindowsUpdate.log
2015-09-23 13:49 - 2015-05-28 15:06 - 00000000 ____D C:\FRST
2015-09-23 13:37 - 2013-08-22 08:20 - 00000000 ____D C:\windows\CbsTemp
2015-09-23 13:00 - 2013-08-22 08:36 - 00000000 ____D C:\windows\system32\sru
2015-09-23 12:53 - 2015-07-22 13:33 - 00000932 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-23 10:17 - 2014-05-29 15:53 - 00003594 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-980887547-974256115-1884359005-1001
2015-09-23 10:08 - 2013-08-24 14:38 - 00891920 _____ C:\windows\system32\PerfStringBackup.INI
2015-09-23 10:04 - 2014-05-29 15:50 - 00000000 ___DO C:\Users\Jessica\SkyDrive
2015-09-23 10:03 - 2014-05-29 15:49 - 00000000 ____D C:\Users\Jessica\Documents\Youcam
2015-09-23 10:02 - 2015-07-22 13:33 - 00000928 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-23 10:02 - 2015-05-20 14:01 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2015-09-23 10:01 - 2014-05-29 15:47 - 00000000 ____D C:\Users\Jessica
2015-09-23 10:01 - 2013-08-22 07:46 - 00041834 _____ C:\windows\setupact.log
2015-09-23 10:01 - 2013-08-22 07:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-09-23 09:00 - 2014-08-28 12:45 - 00000000 ____D C:\Users\Jessica\AppData\Local\Google
2015-09-23 08:38 - 2013-08-22 06:25 - 00262144 ___SH C:\windows\system32\config\BBI
2015-09-23 02:53 - 2013-08-22 08:36 - 00000000 ____D C:\windows\AppReadiness
2015-09-22 12:04 - 2015-08-17 08:44 - 00003064 _____ C:\windows\System32\Tasks\McAfeeLogon
2015-09-22 12:04 - 2015-08-17 08:44 - 00000000 ____D C:\windows\System32\Tasks\McAfee
2015-09-21 13:21 - 2013-08-24 14:32 - 00498968 _____ C:\windows\PFRO.log
2015-09-21 09:34 - 2015-01-26 14:57 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-09-21 09:21 - 2013-08-22 06:25 - 00262144 ___SH C:\windows\system32\config\ELAM
2015-09-21 09:20 - 2014-06-08 10:04 - 00000366 _____ C:\windows\Tasks\HPCeeScheduleForJessica.job
2015-09-16 13:37 - 2014-06-27 14:34 - 00000000 ____D C:\Users\Jessica\Desktop\JESSICA
2015-09-16 02:48 - 2015-07-22 13:33 - 00003904 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-16 02:48 - 2015-07-22 13:33 - 00003668 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-14 15:31 - 2015-05-08 20:03 - 00000000 ____D C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-09-14 08:51 - 2014-06-08 10:04 - 00003184 _____ C:\windows\System32\Tasks\HPCeeScheduleForJessica
2015-09-14 08:50 - 2014-05-31 19:36 - 00000052 _____ C:\windows\SysWOW64\DOErrors.log
2015-09-03 11:48 - 2014-03-27 12:29 - 00000000 ____D C:\windows\Hewlett-Packard
2015-09-03 11:48 - 2013-09-02 21:57 - 00000000 ____D C:\SWSETUP
2015-09-03 11:45 - 2014-03-27 12:01 - 00000000 ____D C:\Program Files (x86)\CyberLink
2015-08-28 15:23 - 2014-05-29 15:48 - 00003950 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{C56DC612-7729-440E-AC3B-DB6759CC9B06}

==================== Files in the root of some directories =======

2015-05-21 09:09 - 2015-05-27 14:57 - 0007598 _____ () C:\Users\Jessica\AppData\Local\resmon.resmoncfg
2015-05-29 10:00 - 2015-05-29 10:00 - 0207466 _____ () C:\ProgramData\1432918191.bdinstall.bin
2015-05-29 11:08 - 2015-05-29 11:08 - 0037462 _____ () C:\ProgramData\1432922920.bdinstall.bin
2015-05-29 11:08 - 2015-05-29 11:10 - 0039455 _____ () C:\ProgramData\1432922936.6424.bin
2015-05-29 11:09 - 2015-05-29 11:11 - 0002410 _____ () C:\ProgramData\1432922936.6788.bin
2015-05-29 11:09 - 2015-05-29 11:11 - 0001548 _____ () C:\ProgramData\1432922936.6792.bin
2015-05-29 11:10 - 2015-05-29 11:13 - 0007659 _____ () C:\ProgramData\1432922936.6864.bin
2015-05-29 13:39 - 2015-05-29 13:41 - 0037145 _____ () C:\ProgramData\1432931995.5456.bin
2015-05-29 13:40 - 2015-05-29 13:41 - 0002110 _____ () C:\ProgramData\1432931995.5732.bin
2015-05-29 13:40 - 2015-05-29 13:41 - 0000262 _____ () C:\ProgramData\1432931995.5736.bin
2015-05-29 14:20 - 2015-05-29 14:20 - 0037670 _____ () C:\ProgramData\1432934397.bdinstall.bin
2015-05-29 14:21 - 2015-05-29 14:21 - 0099381 _____ () C:\ProgramData\1432934405.bdinstall.bin
2014-05-30 10:04 - 2014-05-30 10:04 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
C:\Users\Jessica\AppData\Local\Temp\COMAP.EXE
C:\Users\Jessica\AppData\Local\Temp\Extract.exe
C:\Users\Jessica\AppData\Local\Temp\onenote_2010_64.exe
C:\Users\Jessica\AppData\Local\Temp\outlooksoclconnector_2010_64.exe
C:\Users\Jessica\AppData\Local\Temp\outlook_2010_64.exe
C:\Users\Jessica\AppData\Local\Temp\SP64077.exe
C:\Users\Jessica\AppData\Local\Temp\sp64126.exe
C:\Users\Jessica\AppData\Local\Temp\SP71862.exe
C:\Users\Jessica\AppData\Local\Temp\UninstallHPSA.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-09-23 02:49

==================== End of FRST.txt ============================

 

I turned on avast to block the incoming threats such as:

 

Infection Details:

URL: http://46.4.98.202/20d09ebff388b1d6e2f57c5719bc58fe9ddc8d08d527a48aa232b8f7030221bf2ea2df5fe7788283f489c4e6e5d99e6cf37db6b2db9cb530a3f757f1c9b91b881a5dae6442924abbe992865f08ea40a63979aa556372c96d19ecd2d25a321ce0117edfafb1392ea07536857a97b62418ff113e7fb25844ec6ed3cbc0621dea555c801e7f4e193978edac47c9e635ba1cdafdf1c1f1df2652b6e0d1f912ee5fda98830569fe0dd6f8504787b8a7f8d65a/click?sid=da2956ccf23fb740e7eaa4c0946829a5ed5a2f76&cid=0

Infection: URL:Mal

Process:C:\Windows\System32\conhost.exe

There are several different URL locations such as: http://scoring24.com/4.html|{gzip}

 

These threats are detected a few times every minute by Avast. I turned off my internet and manually stopped the virus processes when I did the FRST.exe scan. Let me know if you'd like me to scan again with no Avast, letting the virus run its course. They are to use system32 applications like taskhost.exe, iexplorer.exe, msiexec.exe, conhost.exe. They use up huge amounts of CPU and Memory usage, as well as 0.1-0.3 MBPS of network usage. When I ended the Windows Explore task, these false programs stopped running such as the conhost.exe's - some of which were able to get through Avast's protection.

 

Attached Files



BC AdBot (Login to Remove)

 


#2 Black_Bird

Black_Bird

  • Malware Response Team
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:26 PM

Posted 27 September 2015 - 04:36 PM

Hi,

Welcome here! I am Black_Bird and I'll be helping you cleaning up your PC. :)
If you've got any questions during the removal process, please don't hesitate to ask!

An important WARNING to all individuals reading this topic:
All advice in this topic was given specifically for this user and this computer!! Performing instructions given by me in this topic on other computers may harm your computer's infrastructure and can cause serious damage to them!!
Please don't perform the steps given by me or other Helpers in this topic when you are not the original Topic Starter, but start your own topic with a question for help. You will get help from a trained and qualified Helper to clean up your computer from any present malware when you do so.


==============================================================================================

First, two very important steps to do:
  • Please don't stop processes yourself from now on anymore. I only can identify the whole infection if I see everything that's active.
  • You've installed 2 anti-virus programs: McAfee and Avast! Although I recommend Avast above McAfee, I think you've paid for McAfee, right? It's your choice, but please remove one of them now. If you remove McAfee, you can keep Avast! & Windows Defender. Though, if you decide to keep McAfee and delete Avast!, please disable Windows Defender as well. If you don't, those programs will interfere with each other.
==============================================================================================

1. We need to temporarily disable any cd-emulators active on your computer, as they can impede the interpretation of logfiles provided by our tools.
  • Download Defogger and save it to your Desktop.
  • Right-click Defogger.exe and select Run as Administrator.
  • When the program has opened, click the Disable button.
  • When Defogger asks for a confirmation, click Yes.
  • Wait untill you get the "Finished" message. Click OK.
  • When Defogger asks you to restart the system, please allow the program to do so immediately.
  • When an error occured while using Defogger, look for a file called "defogger_disable.txt", which should be located at your Desktop. Post the contents of this file into your next reply.
  • You can enable the cd-emulator software again by running Defogger again and clicking the "Re-enable" button. Only do this when I told you your computer is clean again.
2. Download AdwCleaner and save it to your Desktop.
  • Close all open windows.
  • Right-click AdwCleaner.exe and select Run as Administrator.
  • When the program has started, click the Scan button and wait untill the scan has finished.
  • Make sure everything (on all tabs) is selected, and click the Clean button.
  • It's possible that AdwCleaner asks you to restart the system. It's important that you agree with this.
  • After restart a logfile will appear. Please post the contents of that logfile in your next reply.
3. Download Malwarebytes' Anti-Malware and save it to your Desktop.
If you already got Malwarebytes' Anti-Malware installed on your computer, please go to step 3-A.3-A. Start Malwarebytes' Anti-Malware.
  • On the Dashboard tab, click the Update Now button, to update the definitions to the latest version.
  • Then click the Scan tab. Select Custom Scan and click the Start Scan button.
  • In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan.
  • Follow the instructions given by Malwarebytes' Anti-Malware.
  • If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items.
  • It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately.
  • Save the logfile in txt-format and copy/paste it in your next reply.
  • Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).
4. Please reboot your PC.

5. Please tell me if anything changed regarding your PC problems and also please include all logfiles from the steps above:
  • Defogger - if an error occured during run
  • AdwCleaner
  • Malwarebytes' Anti-Malware Custom Scan
  • And also please do a new scan with FRST now and include it's logfile in your next reply.
Good luck! :)

Edited by Black_Bird, 27 September 2015 - 04:37 PM.

Kind regards,
Black_Bird
 

What to do when your computer is infected? Read here!

The Bleeping Computer Board Rules - The Moderating Team


If I am directly helping you on a topic and I've not replied within 24 hours please send me a Private Message with a link to your topic.


#3 Black_Bird

Black_Bird

  • Malware Response Team
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:26 PM

Posted 01 October 2015 - 05:19 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Kind regards,
Black_Bird
 

What to do when your computer is infected? Read here!

The Bleeping Computer Board Rules - The Moderating Team


If I am directly helping you on a topic and I've not replied within 24 hours please send me a Private Message with a link to your topic.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users