Malware infection (EasyCalendar on Chrome and various other unwanted ads)


  • This topic is locked
4 replies to this topic

#1 lotusflow3r

  • Members
  • 12 posts

Posted 02 October 2015 - 10:11 AM

Dear all,

This is my girlfriend's PC, not mine. She got some kind of malware while downloading Gimp and I've spent the whole day trying to solve this, in vain.

It had changed the startup page on all 3 browsers (Explorer, Firefox and Chrome), but that was relatively easy to solve. It keeps opening all kinds of unwanted ads and pages on every browser, and on Chrome there's an add-on called EasyCalendar that's installed "by enterprise policy" and can't be removed. There's also a redirect called "tradadexchange" that happens regularly.

She was on Avira and I've installed and run Avast instead. Avast blocks processes regularly while browsing and has identified several viruses, but obviously not the main one.

I've also run CCleaner and 3 different anti-adware programs, but unsuccessfully. I've tried different methods to get rid of this EasyCalendar thing and deleted several suspect files, but all in vain.

As requested I've installed and run FRST. My GF is German and even though I've changed the PC's language to English, for some reason FRST is in German and so are the results of its scans. I hope this won't represent a problem :/

Many thanks in advance for your help!

Here is the FRST.txt log:

 

Untersuchungsergebnis von Farbar Recovery Scan Tool (FRST) (x64) Version:30-09-2015
durchgeführt von Betti (Administrator) auf BETTISPC (02-10-2015 20:09:17)
Gestartet von C:\Users\Betti\Downloads
Geladene Profile: UpdatusUser & Betti (Verfügbare Profile: UpdatusUser & Betti)
Platform: Windows 8.1 (X64) Sprache: German (Germany)
Internet Explorer Version 11 (Standard-Browser: Chrome)
Start-Modus: Normal
 
==================== Prozesse (Nicht auf der Ausnahmeliste) =================
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Prozess geschlossen. Die Datei wird nicht verschoben.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
() C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
() C:\Users\Betti\AppData\Roaming\NetService\netservice.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnWMI.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\csisyncclient.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\msosync.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winamp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Nicht auf der Ausnahmeliste) ===========================
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt. Die Datei wird nicht verschoben.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13192848 2012-08-20] (Realtek Semiconductor)
HKLM\...\Run: [ACMON] => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [107192 2012-08-24] (ASUS)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [519408 2013-07-18] (Acronis)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3187360 2012-11-27] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.10.123\AsusWSPanel.exe [3423104 2012-08-31] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [91432 2012-03-29] (CyberLink Corp.)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7818392 2013-08-22] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1105848 2013-01-10] (Acronis)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311616 2014-07-25] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6134544 2015-10-02] (AVAST Software)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2121702083-4056039073-698002372-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-10-29] (Microsoft Corporation)
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\Run: [Amazon Music] => C:\Users\Betti\AppData\Local\Amazon Music\Amazon Music Helper.exe [5886784 2015-05-08] ()
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1562264 2014-07-25] (Samsung)
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8461224 2015-09-17] (Piriform Ltd)
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\MountPoints2: F - "F:\.\Autorun.exe" AUTORUN=1
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\MountPoints2: {34fc9ce7-59c6-11e4-beaf-08606e1ec3b0} - "F:\.\Autorun.exe" AUTORUN=1
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\MountPoints2: {34fc9d17-59c6-11e4-beaf-08606e1ec3b0} - "F:\.\Autorun.exe" AUTORUN=1
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  Keine Datei
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  Keine Datei
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  Keine Datei
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-10-02] (AVAST Software)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2013-08-07] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2013-08-07] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2013-08-07] (Acronis)
ShellIconOverlayIdentifiers: [AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.10.123\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.10.123\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.10.123\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  Keine Datei
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  Keine Datei
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  Keine Datei
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.lnk [2014-10-29]
ShortcutTarget: Launcher.lnk -> C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Launcher.exe ()
Startup: C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2013-09-08]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)
Startup: C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk [2015-09-24]
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
GroupPolicy: Beschränkung - Chrome <======= ACHTUNG
 
==================== Internet (Nicht auf der Ausnahmeliste) ====================
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Eintrag entfernt oder auf den Standardwert zurückgesetzt, wenn es sich um einen Registryeintrag handelt.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{3FE87CAB-DD9D-48DB-89A8-AA8A93FABAAD}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{6C3DD23C-88AF-4A13-BD96-12687DEED89F}: [DhcpNameServer] 192.168.178.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Beschränkung <======= ACHTUNG
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.aqovd.com?oem=sunadinv3&uid=TM8512ZJ13S9AR_HitachiHTS545050A7E380&tm=1443719777
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.aqovd.com?oem=sunadinv3&uid=TM8512ZJ13S9AR_HitachiHTS545050A7E380&tm=1443719777
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-2121702083-4056039073-698002372-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus13.msn.com
HKU\S-1-5-21-2121702083-4056039073-698002372-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxps://www.google.com/?trackid=sp-006
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2121702083-4056039073-698002372-1002 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2121702083-4056039073-698002372-1002 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-08-04] (Microsoft Corporation)
BHO: Citavi Picker -> {609D670F-B735-4da7-AC6D-F3BD358E325E} -> C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-10-02] (AVAST Software)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-09-11] (Microsoft Corporation)
BHO-x32: Citavi Picker -> {609D670F-B735-4da7-AC6D-F3BD358E325E} -> C:\WINDOWS\SysWOW64\mscoree.dll [2013-08-22] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-12-17] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-10-02] (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-12-17] (Oracle Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Betti\AppData\Roaming\Mozilla\Firefox\Profiles\ctnqavgj.default-1407754541820
FF Homepage: hxxp://www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-21] ()
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-21] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-12-17] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-12-17] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-12-27] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 -> C:\Program Files (x86)\Winamp Detect\npwachk.dll [2013-12-13] (Nullsoft, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-02] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin-x32: PDF Architect 2 -> C:\Program Files (x86)\PDF Architect 2\np-previewer.dll [2014-10-10] (pdfforge GmbH)
FF SearchPlugin: C:\Users\Betti\AppData\Roaming\Mozilla\Firefox\Profiles\ctnqavgj.default-1407754541820\searchplugins\google-images.xml [2014-09-26]
FF SearchPlugin: C:\Users\Betti\AppData\Roaming\Mozilla\Firefox\Profiles\ctnqavgj.default-1407754541820\searchplugins\google-maps.xml [2014-09-26]
FF HKLM-x32\...\Firefox\Extensions: [{8AA36F4F-6DC7-4c06-77AF-5035170634FE}] - C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox => nicht gefunden
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-10-02]
FF HKU\S-1-5-21-2121702083-4056039073-698002372-1002\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\Betti\AppData\Roaming\Mozilla\Firefox\Profiles\ctnqavgj.default-1407754541820\extensions\cliqz@cliqz.com => nicht gefunden
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-09-03] <==== ACHTUNG
 
Chrome: 
=======
CHR Profile: C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-02]
CHR Extension: (Google Docs) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-02]
CHR Extension: (Google Drive) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-02]
CHR Extension: (YouTube) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-02]
CHR Extension: (Google Search) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-02]
CHR Extension: (Google Sheets) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-02]
CHR Extension: (Google Docs Offline) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-10-02]
CHR Extension: (Avast Online Security) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-10-02]
CHR Extension: (EasyCalendar) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk [2015-10-02]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-10-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-02]
CHR Extension: (Gmail) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-10-02]
 
==================== Dienste (Nicht auf der Ausnahmeliste) ========================
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)
 
R2 ALDITALKVerbindungsassistent_Service; C:\Program Files (x86)\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe [358968 2014-10-29] ()
R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-13] (ASUS)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-10-02] (AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2774104 2015-09-11] (Microsoft Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 NetTcpHandler; C:\Users\Betti\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
S3 PDF Architect 2; C:\Program Files (x86)\PDF Architect 2\ws.exe [1771560 2014-10-10] (pdfforge GmbH)
S3 pdfforge CrashHandler; C:\Program Files (x86)\PDF Architect 2\crash-handler-ws.exe [861736 2014-10-10] (pdfforge GmbH)
S3 SXDS10; C:\Program Files (x86)\Common Files\soft Xpansion\sxds10.exe [234096 2013-09-27] (soft Xpansion)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 Crashhd; C:\Users\Betti\AppData\Local\Crsoft\crsvc.exe -st [X]
 
===================== Treiber (Nicht auf der Ausnahmeliste) ==========================
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-10-02] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-10-02] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-10-02] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-10-02] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1049880 2015-10-02] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [448968 2015-10-02] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [153744 2015-10-02] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-10-02] (AVAST Software)
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [61824 2012-10-31] (ASUS Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-02] ( )
R0 ngvss; C:\Windows\System32\Drivers\ngvss.sys [132656 2015-10-02] (AVAST Software)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2013-09-08] (Acronis International GmbH)
S0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [183224 2013-09-08] (Acronis)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2013-08-22] (Microsoft Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
U5 ewusbnet; C:\Windows\SysWOW64\Drivers\ewusbnet.sys [256000 2014-10-29] (Huawei Technologies Co., Ltd.)
U5 ew_hwusbdev; C:\Windows\SysWOW64\Drivers\ew_hwusbdev.sys [117248 2014-10-29] (Huawei Technologies Co., Ltd.)
 
==================== NetSvcs (Nicht auf der Ausnahmeliste) ===================
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)
 
 
==================== Ein Monat: Erstellte Dateien und Ordner ========
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)
 
2015-10-02 20:09 - 2015-10-02 20:10 - 00025067 _____ C:\Users\Betti\Downloads\FRST.txt
2015-10-02 20:08 - 2015-10-02 20:09 - 00000000 ____D C:\FRST
2015-10-02 20:08 - 2015-10-02 20:08 - 02192384 _____ (Farbar) C:\Users\Betti\Downloads\FRST64.exe
2015-10-02 20:00 - 2015-10-02 20:00 - 00002277 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-02 20:00 - 2015-10-02 20:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-10-02 19:52 - 2015-10-02 19:57 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-02 19:52 - 2015-10-02 19:57 - 00000910 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-02 19:52 - 2015-10-02 19:52 - 00003886 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-10-02 19:52 - 2015-10-02 19:52 - 00003650 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-10-02 19:51 - 2015-10-02 19:51 - 00929872 _____ (Google Inc.) C:\Users\Betti\Desktop\ChromeSetup.exe
2015-10-02 19:39 - 2015-10-02 19:49 - 00000154 _____ C:\WINDOWS\setupact.log
2015-10-02 19:39 - 2015-10-02 19:39 - 00000000 _____ C:\WINDOWS\setuperr.log
2015-10-02 19:38 - 2015-10-02 19:38 - 00001988 _____ C:\WINDOWS\PFRO.log
2015-10-02 18:20 - 2015-10-02 18:20 - 00000000 ____D C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2015-10-02 18:20 - 2015-10-02 18:20 - 00000000 ____D C:\Program Files\Unlocker
2015-10-02 17:24 - 2015-10-02 17:24 - 00000653 _____ C:\Users\Betti\Desktop\MUSIC - Shortcut.lnk
2015-10-02 16:07 - 2015-10-02 18:45 - 00095572 _____ C:\WINDOWS\WindowsUpdate.log
2015-10-02 16:00 - 2015-10-02 16:00 - 00001173 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-10-02 16:00 - 2015-10-02 16:00 - 00001161 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-10-02 15:52 - 2015-10-02 15:52 - 00243872 _____ C:\Users\Betti\Desktop\Firefox Setup Stub 41.0.1.exe
2015-10-02 15:32 - 2015-10-02 15:32 - 00002790 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2015-10-02 15:32 - 2015-10-02 15:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-10-02 15:31 - 2015-10-02 15:32 - 00000000 ____D C:\Program Files\CCleaner
2015-10-02 15:25 - 2015-10-02 15:25 - 00000000 ____D C:\Users\Betti\AppData\Roaming\AVAST Software
2015-10-02 15:15 - 2015-10-02 15:15 - 00003924 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2015-10-02 15:15 - 2015-10-02 15:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-10-02 15:15 - 2015-10-02 15:14 - 01049880 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00448968 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00274808 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00153744 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00132656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\ngvss.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00093528 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00090968 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00065224 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2015-10-02 15:15 - 2015-10-02 15:14 - 00028656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2015-10-02 15:14 - 2015-10-02 15:14 - 00378880 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-10-02 15:14 - 2015-10-02 15:14 - 00043112 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2015-10-02 14:57 - 2015-10-02 14:57 - 00000000 ____D C:\Program Files\AVAST Software
2015-10-02 14:53 - 2015-10-02 14:53 - 00000000 ____D C:\ProgramData\AVAST Software
2015-10-02 14:41 - 2015-10-02 14:41 - 00000000 ___RD C:\Users\Betti\Desktop\New folder
2015-10-02 01:38 - 2015-10-02 01:38 - 00006793 _____ C:\Users\Betti\AppData\Local\recently-used.xbel
2015-10-02 01:09 - 2015-10-02 01:09 - 00000063 _____ C:\Users\Betti\.gtk-bookmarks
2015-10-02 00:29 - 2015-10-02 00:37 - 00000000 ____D C:\Users\Betti\AppData\Roaming\ZHP
2015-10-01 23:18 - 2015-10-01 23:26 - 00000000 ____D C:\AdwCleaner
2015-10-01 22:46 - 2015-10-01 22:46 - 00000306 __RSH C:\ProgramData\ntuser.pol
2015-10-01 22:46 - 2015-10-01 22:46 - 00000000 ____D C:\Users\Betti\AppData\Roaming\shortCutStore
2015-10-01 22:19 - 2015-10-02 20:00 - 00000000 ____D C:\Users\Betti\AppData\Roaming\RunDir
2015-10-01 22:19 - 2015-10-01 22:19 - 00000102 _____ C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2015-10-01 22:19 - 2015-10-01 22:19 - 00000000 ____D C:\Users\Betti\AppData\Roaming\NetService
2015-10-01 22:11 - 2015-10-02 01:38 - 00000000 ____D C:\Users\Betti\AppData\Local\gtk-2.0
2015-10-01 22:01 - 2015-10-01 22:01 - 00000000 ____D C:\Users\Betti\.thumbnails
2015-10-01 21:58 - 2015-10-02 02:09 - 00000000 ____D C:\Users\Betti\.gimp-2.8
2015-10-01 21:58 - 2015-10-01 21:58 - 00000000 ____D C:\Users\Betti\AppData\Local\gegl-0.2
2015-09-24 13:46 - 2015-09-24 13:46 - 00000000 ____D C:\Users\Betti\AppData\Roaming\OpenOffice.org
2015-09-24 13:26 - 2015-09-24 13:26 - 00000000 ___SD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.4.1
2015-09-24 13:26 - 2015-09-24 13:26 - 00000000 ____D C:\Program Files (x86)\OpenOffice.org 3
2015-09-21 15:32 - 2015-09-21 15:32 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-09-21 15:32 - 2015-09-21 15:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-09-20 21:05 - 2015-09-20 21:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
2015-09-20 21:05 - 2009-09-04 17:29 - 01892184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\D3DX9_42.dll
2015-09-20 21:05 - 2006-09-28 16:05 - 02414360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d3dx9_31.dll
2015-09-20 21:04 - 2015-09-20 21:04 - 00000000 ____D C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Détection de l'application Winamp
2015-09-20 21:04 - 2015-09-20 21:04 - 00000000 ____D C:\Program Files (x86)\Winamp Detect
2015-09-20 18:41 - 2015-10-02 20:00 - 00000000 ____D C:\Program Files (x86)\Google
2015-09-20 18:41 - 2015-10-02 19:39 - 00000000 ____D C:\Users\Betti\AppData\Local\Google
2015-09-20 18:29 - 2015-09-21 08:52 - 00000000 ____D C:\Users\Betti\AppData\Roaming\Winamp
2015-09-20 18:29 - 2015-09-20 21:06 - 00000000 ____D C:\Program Files (x86)\Winamp
2015-09-19 10:25 - 2015-09-19 10:25 - 00000000 ____D C:\WINDOWS\SysWOW64\Drivers\en-GB
2015-09-19 10:25 - 2015-09-19 10:25 - 00000000 ____D C:\WINDOWS\system32\Drivers\en-GB
2015-09-09 19:39 - 2015-08-27 08:18 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-09-09 19:39 - 2015-08-26 23:30 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-09-09 19:39 - 2015-08-26 23:30 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-09-09 19:39 - 2015-08-26 23:30 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-09-09 19:39 - 2015-08-26 23:30 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-09-09 19:39 - 2015-08-26 20:16 - 03705344 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-09-09 19:39 - 2015-08-26 19:59 - 02240512 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-09-09 19:39 - 2015-08-26 19:57 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-09-09 19:39 - 2015-08-26 19:57 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-09-09 19:39 - 2015-08-26 19:56 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-09-09 19:39 - 2015-08-26 19:56 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-09-09 19:39 - 2015-08-26 19:56 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-09-09 19:39 - 2015-07-30 22:48 - 00268288 _____ (Microsoft Corporation) C:\WINDOWS\system32\InkEd.dll
2015-09-09 19:39 - 2015-07-30 21:52 - 00230912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InkEd.dll
2015-09-09 19:38 - 2015-08-22 23:49 - 25188352 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-09-09 19:38 - 2015-08-22 23:05 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-09-09 19:38 - 2015-08-22 23:04 - 00585216 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-09-09 19:38 - 2015-08-22 22:52 - 19856384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-09-09 19:38 - 2015-08-22 22:51 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-09-09 19:38 - 2015-08-22 22:50 - 05923840 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-09-09 19:38 - 2015-08-22 22:25 - 00504832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-09-09 19:38 - 2015-08-22 22:20 - 02279424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-09-09 19:38 - 2015-08-22 22:20 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-09-09 19:38 - 2015-08-22 22:15 - 00665600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-09-09 19:38 - 2015-08-22 22:14 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-09-09 19:38 - 2015-08-22 22:11 - 14451712 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-09-09 19:38 - 2015-08-22 22:11 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-09-09 19:38 - 2015-08-22 22:11 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-09-09 19:38 - 2015-08-22 22:11 - 00374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-09-09 19:38 - 2015-08-22 22:09 - 02126336 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-09-09 19:38 - 2015-08-22 21:58 - 04520448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-09-09 19:38 - 2015-08-22 21:56 - 02427392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-09-09 19:38 - 2015-08-22 21:53 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-09-09 19:38 - 2015-08-22 21:52 - 12857344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-09-09 19:38 - 2015-08-22 21:50 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-09-09 19:38 - 2015-08-22 21:48 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-09-09 19:38 - 2015-08-22 21:48 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-09-09 19:38 - 2015-08-22 21:48 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-09-09 19:38 - 2015-08-22 21:44 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-09-09 19:38 - 2015-08-22 21:31 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-09-09 19:38 - 2015-08-22 21:30 - 01951232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-09-09 19:38 - 2015-08-22 21:26 - 01310720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-09-09 19:38 - 2015-08-22 21:25 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-09-09 19:38 - 2015-08-01 09:17 - 00229376 _____ (Microsoft Corporation) C:\WINDOWS\system32\schtasks.exe
2015-09-09 19:38 - 2015-08-01 09:15 - 00182784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schtasks.exe
2015-09-09 19:38 - 2015-08-01 09:08 - 01265152 _____ (Microsoft Corporation) C:\WINDOWS\system32\schedsvc.dll
2015-09-09 19:38 - 2015-08-01 09:07 - 00468992 _____ (Microsoft Corporation) C:\WINDOWS\system32\taskeng.exe
2015-09-09 19:38 - 2015-08-01 09:07 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\taskeng.exe
2015-09-09 19:38 - 2015-07-14 08:57 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\tzsync.exe
2015-09-09 19:37 - 2015-09-02 08:26 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-09-09 19:37 - 2015-09-02 08:25 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2015-09-09 19:37 - 2015-09-02 08:20 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2015-09-09 19:37 - 2015-09-02 07:47 - 00301568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2015-09-09 19:37 - 2015-09-02 07:43 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2015-09-09 19:37 - 2015-08-04 02:45 - 00074928 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2015-09-09 19:37 - 2015-08-04 02:45 - 00065600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\appidapi.dll
2015-09-09 19:37 - 2015-08-01 19:52 - 00039936 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2015-09-09 19:36 - 2015-07-22 20:04 - 02775552 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-09-09 19:36 - 2015-07-22 20:03 - 01728000 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Immersive.dll
2015-09-09 19:36 - 2015-07-22 19:55 - 02461184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-09-09 19:36 - 2015-07-22 19:55 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Immersive.dll
2015-09-09 19:36 - 2015-07-19 00:01 - 00194048 _____ (Microsoft Corporation) C:\WINDOWS\system32\shacct.dll
2015-09-09 19:36 - 2015-07-18 23:59 - 00655872 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSync.dll
2015-09-09 19:36 - 2015-07-18 23:59 - 00148480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shacct.dll
2015-09-09 19:36 - 2015-07-18 23:57 - 00520192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSync.dll
2015-09-03 21:22 - 2015-10-02 16:00 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== Ein Monat: Geänderte Dateien und Ordner ========
 
(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)
 
2015-10-02 20:06 - 2013-09-08 14:58 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2121702083-4056039073-698002372-1002
2015-10-02 19:51 - 2014-09-08 21:50 - 00000000 ___DO C:\Users\Betti\OneDrive
2015-10-02 19:49 - 2013-08-22 20:15 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-10-02 19:48 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\system32\sru
2015-10-02 19:43 - 2015-07-26 16:33 - 00000000 ____D C:\Users\Betti\AppData\Roaming\vlc
2015-10-02 19:31 - 2014-03-18 15:33 - 01776918 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-10-02 19:31 - 2014-03-18 14:55 - 00765582 _____ C:\WINDOWS\system32\perfh007.dat
2015-10-02 19:31 - 2014-03-18 14:55 - 00159366 _____ C:\WINDOWS\system32\perfc007.dat
2015-10-02 16:00 - 2013-12-14 18:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-02 15:44 - 2014-12-19 12:29 - 00000000 ____D C:\Users\Betti\AppData\Local\PDFCreator
2015-10-02 15:44 - 2014-12-19 11:47 - 00000000 ____D C:\Program Files\PDFCreator
2015-10-02 15:38 - 2014-09-08 21:40 - 00000000 ___DC C:\WINDOWS\Panther
2015-10-02 15:21 - 2013-09-08 15:58 - 00000000 ____D C:\Program Files (x86)\Avira
2015-10-02 15:18 - 2014-09-08 22:33 - 00000000 ____D C:\ProgramData\Avira
2015-10-02 14:49 - 2012-07-26 13:42 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2015-10-02 14:05 - 2013-08-22 18:55 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-10-02 01:09 - 2014-09-08 20:52 - 00000000 ____D C:\Users\Betti
2015-10-02 00:19 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\security
2015-10-02 00:14 - 2015-02-07 20:48 - 00000295 _____ C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Papierkorb.lnk
2015-10-02 00:14 - 2014-10-29 14:24 - 00002253 _____ C:\ProgramData\Microsoft\Windows\Start Menu\ALDI TALK Verbindungsassistent.lnk
2015-10-02 00:14 - 2014-09-08 21:46 - 00001114 _____ C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-10-02 00:14 - 2014-09-08 20:58 - 00001511 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-10-02 00:14 - 2014-09-08 20:52 - 00000469 _____ C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2015-10-02 00:14 - 2014-09-08 20:52 - 00000467 _____ C:\Users\Betti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2015-10-02 00:14 - 2013-10-16 13:53 - 00001009 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2015-10-02 00:14 - 2013-09-08 19:10 - 00001107 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDBurnerXP.lnk
2015-10-02 00:14 - 2013-09-08 16:25 - 00002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-10-02 00:14 - 2012-11-27 09:40 - 00001364 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2015-10-02 00:14 - 2012-11-27 09:40 - 00001295 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2015-10-01 22:46 - 2013-08-22 21:06 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2015-10-01 22:46 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2015-09-30 21:53 - 2014-06-23 23:42 - 00000000 ____D C:\ProgramData\tmp
2015-09-26 12:59 - 2013-08-22 20:14 - 00398976 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-09-24 22:32 - 2015-04-17 09:23 - 00000000 ____D C:\Users\Betti\AppData\Roaming\dvdcss
2015-09-24 19:07 - 2014-12-27 17:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-09-22 10:32 - 2014-08-27 15:52 - 00000000 ____D C:\Users\Betti\AppData\Roaming\Skype
2015-09-22 10:00 - 2012-07-26 13:29 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-09-21 15:32 - 2014-08-27 15:51 - 00000000 ____D C:\ProgramData\Skype
2015-09-20 00:18 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\rescache
2015-09-19 17:35 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\system32\en-GB
2015-09-19 17:34 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\SysWOW64\en-GB
2015-09-19 10:26 - 2014-03-18 15:10 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-19 10:26 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\SysWOW64\winrm
2015-09-19 10:26 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\SysWOW64\slmgr
2015-09-19 10:26 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\WinStore
2015-09-19 10:26 - 2013-08-22 21:06 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2015-09-19 10:26 - 2013-08-22 21:06 - 00000000 ____D C:\Program Files\Windows Defender
2015-09-19 10:26 - 2013-08-22 21:06 - 00000000 ____D C:\Program Files\Common Files\System
2015-09-19 10:26 - 2013-08-22 21:06 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2015-09-19 10:26 - 2013-08-22 21:06 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2015-09-19 10:26 - 2013-08-22 19:06 - 00000000 ____D C:\WINDOWS\SysWOW64\oobe
2015-09-19 10:26 - 2013-08-22 19:06 - 00000000 ____D C:\WINDOWS\servicing
2015-09-19 10:26 - 2012-07-26 15:13 - 00000000 ____D C:\WINDOWS\en-GB
2015-09-19 10:25 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\SysWOW64\WCN
2015-09-19 10:25 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\SysWOW64\Printing_Admin_Scripts
2015-09-19 10:25 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\system32\winrm
2015-09-19 10:25 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\system32\slmgr
2015-09-19 10:25 - 2013-08-22 21:06 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2015-09-19 10:25 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\system32\migwiz
2015-09-19 10:25 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2015-09-19 10:25 - 2013-08-22 19:06 - 00000000 ____D C:\WINDOWS\system32\oobe
2015-09-19 10:24 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\system32\WCN
2015-09-19 10:24 - 2014-03-18 14:55 - 00000000 ____D C:\WINDOWS\system32\Printing_Admin_Scripts
2015-09-19 10:24 - 2013-08-22 21:06 - 00000000 ___SD C:\WINDOWS\system32\dsc
2015-09-19 10:24 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2015-09-19 10:24 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\Help
2015-09-19 10:24 - 2013-08-22 21:06 - 00000000 ____D C:\WINDOWS\FileManager
2015-09-15 17:02 - 2014-12-28 13:10 - 00003096 _____ C:\WINDOWS\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2121702083-4056039073-698002372-1002
2015-09-15 06:48 - 2013-08-22 21:08 - 00812008 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-09-15 06:48 - 2013-08-22 21:08 - 00178152 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-09-13 18:32 - 2015-05-21 20:24 - 00000000 ____D C:\Users\Betti\Documents\Shao Texte
2015-09-11 20:05 - 2013-09-10 23:30 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-09-09 20:16 - 2014-11-02 18:29 - 00000000 ____D C:\Users\Betti\Documents\CHENNAI
2015-09-07 21:30 - 2013-09-08 17:51 - 00000000 ____D C:\Users\Betti\Documents\Musik
2015-09-07 20:33 - 2013-09-08 17:52 - 00000000 ____D C:\Users\Betti\Documents\Steuererklärung
2015-09-07 20:29 - 2013-09-08 17:52 - 00000000 ____D C:\Users\Betti\Documents\Briefe
2015-09-05 13:09 - 2013-09-08 22:47 - 00000000 ____D C:\Users\Betti\AppData\Local\Packages
2015-09-05 12:54 - 2013-09-08 17:50 - 00000000 ____D C:\Users\Betti\Documents\Wohnung
 
==================== Dateien im Wurzelverzeichnis einiger Verzeichnisse =======
 
2013-10-28 20:13 - 2013-10-28 20:13 - 0000021 _____ () C:\Users\Betti\AppData\Roaming\my_intel.sys
2013-09-08 22:49 - 2014-12-27 09:41 - 0000401 _____ () C:\Users\Betti\AppData\Roaming\sp_data.sys
2013-09-27 15:32 - 2014-03-22 15:47 - 0000150 _____ () C:\Users\Betti\AppData\Local\Citavi Picker Internet Explorer Protocol.txt
2015-10-02 01:38 - 2015-10-02 01:38 - 0006793 _____ () C:\Users\Betti\AppData\Local\recently-used.xbel
2013-10-15 02:04 - 2013-10-15 02:04 - 0007605 _____ () C:\Users\Betti\AppData\Local\Resmon.ResmonCfg
2014-08-28 12:13 - 2014-08-28 12:13 - 0000040 ___SH () C:\ProgramData\.zreglib
2012-11-27 09:38 - 2012-09-07 17:10 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2012-11-27 09:38 - 2009-07-22 15:34 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2012-11-27 09:38 - 2012-09-07 17:07 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
2015-10-01 22:19 - 2015-10-01 22:19 - 0000102 _____ () C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
 
Dateien, die verschoben oder gelöscht werden sollten:
====================
C:\ProgramData\SetStretch.VBS
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
 
 
==================== Bamital & volsnap =================
 
(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)
 
C:\WINDOWS\system32\winlogon.exe => Datei ist digital signiert
C:\WINDOWS\system32\wininit.exe => Datei ist digital signiert
C:\WINDOWS\explorer.exe => Datei ist digital signiert
C:\WINDOWS\SysWOW64\explorer.exe => Datei ist digital signiert
C:\WINDOWS\system32\svchost.exe => Datei ist digital signiert
C:\WINDOWS\SysWOW64\svchost.exe => Datei ist digital signiert
C:\WINDOWS\system32\services.exe => Datei ist digital signiert
C:\WINDOWS\system32\User32.dll => Datei ist digital signiert
C:\WINDOWS\SysWOW64\User32.dll => Datei ist digital signiert
C:\WINDOWS\system32\userinit.exe => Datei ist digital signiert
C:\WINDOWS\SysWOW64\userinit.exe => Datei ist digital signiert
C:\WINDOWS\system32\rpcss.dll => Datei ist digital signiert
C:\WINDOWS\system32\dnsapi.dll => Datei ist digital signiert
C:\WINDOWS\SysWOW64\dnsapi.dll => Datei ist digital signiert
C:\WINDOWS\system32\Drivers\volsnap.sys => Datei ist digital signiert
 
 
LastRegBack: 2015-10-02 02:23
 
==================== Ende von FRST.txt ============================



Edited by lotusflow3r, 02 October 2015 - 12:55 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 October 2015 - 08:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold using the Add/Remove Programs applet.
Audacity Bundle by Fileparade.com (HKLM-x32\...\Audacity Bundle by Fileparade.com) (Version: 1.0.0.0 - SweetPacks LTD) <==== ACHTUNG

---

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Users\Betti\AppData\Roaming\NetService\netservice.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  Keine Datei
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  Keine Datei
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  Keine Datei
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  Keine Datei
GroupPolicy: Beschränkung - Chrome <======= ACHTUNG
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Beschränkung <======= ACHTUNG
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.aqovd.com?oem=sunadinv3&uid=TM8512ZJ13S9AR_HitachiHTS545050A7E380&tm=1443719777
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.aqovd.com?oem=sunadinv3&uid=TM8512ZJ13S9AR_HitachiHTS545050A7E380&tm=1443719777
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxps://www.google.com/?trackid=sp-006
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2121702083-4056039073-698002372-1002 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2121702083-4056039073-698002372-1002 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-09-03] <==== ACHTUNG
CHR Extension: (Avast Online Security) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-10-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-10-02]
CHR Extension: (EasyCalendar) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk
R2 NetTcpHandler; C:\Users\Betti\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
S2 Crashhd; C:\Users\Betti\AppData\Local\Crsoft\crsvc.exe -st [X]
C:\Users\Betti\AppData\Roaming\NetService\
C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Restart the computer normally.

How is the computer running now?
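The fixlist above shows what a responder pulls out of an FRST log: a service (`R2 NetTcpHandler`) whose image lives under `AppData\Roaming` and carries no publisher, a second service (`S2 Crashhd`) whose image FRST marks `[X]` because it is no longer on disk, and an unsigned executable in `ProgramData`. As an added example, not part of nasdaq's reply and not code from FRST itself, the Python script below parses the two FRST line formats quoted in this thread (the dated file entries of the "Ein Monat" sections and the `R2`/`S2` service entries) and applies that triage rule mechanically: flag executables and service images under user-writable paths that have no publisher, and service registrations whose image is missing. The sample lines are constructed from the log above; the heuristic, the `Entry` record and the function names are my own, not FRST's.

```python
r"""Triage helper for FRST log lines (added example; not FRST's own code).

Handles two of the line shapes FRST prints:
  * dated file entry:  created - modified - size attrs [(publisher)] path
  * service entry:     R2 Name; C:\path\image.exe [args] [size date | X] [(publisher)]
FRST prints "()" when a PE has no publisher string and nothing at all for
non-PE files, so the publisher field is tracked as "" versus None.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)
SERVICE_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<rest>[A-Za-z]:\\.*)$")
# First executable-looking token of the image field, so trailing arguments ("-st") are dropped.
IMAGE_RE = re.compile(r"^(?P<image>.*?\.(?:exe|dll|sys|cmd|bat|vbs))", re.IGNORECASE)

# Paths a standard user can write to; legitimate services rarely run from here.
USER_WRITABLE = ("\\users\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".vbs", ".cmd", ".bat")


@dataclass
class Entry:
    kind: str                  # "file" or "service"
    path: str                  # file path, or the service image path without arguments
    publisher: Optional[str]   # None: no "(...)" printed; "": FRST printed "()"
    name: str = ""             # service name (services only)
    is_dir: bool = False       # attrs contained "D"
    missing: bool = False      # FRST marked the service image [X]


def parse_file_line(line: str) -> Optional[Entry]:
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return Entry("file", m["path"], m["publisher"], is_dir="D" in m["attrs"])


def parse_service_line(line: str) -> Optional[Entry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    publisher = None
    pm = re.search(r"\(([^)]*)\)$", rest)          # trailing "(publisher)" or "()"
    if pm:
        publisher = pm.group(1)
        rest = rest[: pm.start()].rstrip()
    missing = rest.endswith("[X]")
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)     # drop "[size date]" or "[X]"
    im = IMAGE_RE.match(rest)
    image = im["image"] if im else rest
    return Entry("service", image, publisher, name=m["name"].strip(), missing=missing)


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_file_line(line) or parse_service_line(line)
        if e:
            entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every entry a responder should look at."""
    findings = []
    for e in entries:
        low = e.path.lower()
        in_user_dir = any(marker in low for marker in USER_WRITABLE)
        reasons = []
        if e.kind == "file":
            if e.is_dir or not low.endswith(EXEC_EXT):
                continue
            if in_user_dir and not e.publisher:
                reasons.append("executable with no publisher in a user-writable location")
        else:
            if in_user_dir:
                reasons.append("service image lives under Users or ProgramData")
            if not e.publisher:
                reasons.append("no publisher recorded for the service image")
            if e.missing:
                reasons.append("image missing on disk ([X]): orphaned service registration")
        if reasons:
            findings.append((e, reasons))
    return findings


def flagged_paths(text: str) -> List[str]:
    return sorted(e.path for e, _ in triage(parse_log(text)))


# Constructed sample: lines copied from the FRST log and fixlist quoted in this thread.
SAMPLE_LOG = r"""
2015-10-02 15:14 - 2015-10-02 15:14 - 00378880 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-10-01 22:19 - 2015-10-01 22:19 - 00000000 ____D C:\Users\Betti\AppData\Roaming\NetService
2015-10-01 22:19 - 2015-10-01 22:19 - 00000102 _____ C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2012-11-27 09:38 - 2009-07-22 15:34 - 0024576 _____ () C:\ProgramData\SetStretch.exe
R2 NetTcpHandler; C:\Users\Betti\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
S2 Crashhd; C:\Users\Betti\AppData\Local\Crsoft\crsvc.exe -st [X]
"""

if __name__ == "__main__":
    for entry, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind:7} {entry.path}")
        for reason in reasons:
            print(f"        - {reason}")
```

The output is a candidate list, not a verdict: the script reports reasons and deletes nothing, because each hit still has to be confirmed (signature, hash lookup, creation date against the infection timeline) before it belongs in a fixlist. Note that FRST itself listed `SetStretch.VBS` as a file to move; the heuristic here would also surface `SetStretch.exe` beside it, which is the kind of neighbour a responder checks manually.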

#3 lotusflow3r

lotusflow3r
  • Topic Starter

  • Members
  • 12 posts

Posted 04 October 2015 - 09:33 AM

Dear Nasdaq, thanks so much on behalf of me and Bettina :)

 

I followed every step and it seems to have worked, this naughty Easy Calendar add-on at least has disappeared from Chrome and I haven't had any ads pop up so far!

 

Here is the Fixlog as requested, followed by the ADW Cleaner log (there were several, IDK why, so I've copied the most recent one). I've had it clean all the programs u see in it so they shouldn't be here anymore.

 

Plz lemme know if the log reveals anything still wrong, and many many thx again, it's really great to have people like you to help like this :)

 

Entferungsergebnis von Farbar Recovery Scan Tool (x64) Version:03-10-2015
durchgeführt von Betti (2015-10-04 19:14:33) Run:1
Gestartet von C:\Users\Betti\Desktop
Geladene Profile: UpdatusUser & Betti (Verfügbare Profile: UpdatusUser & Betti)
Start-Modus: Normal
==============================================
 
fixlist Inhalt:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
() C:\Users\Betti\AppData\Roaming\NetService\netservice.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  Keine Datei
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  Keine Datei
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  Keine Datei
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  Keine Datei
GroupPolicy: Beschränkung - Chrome <======= ACHTUNG
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Beschränkung <======= ACHTUNG
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.aqovd.com?oem=sunadinv3&uid=TM8512ZJ13S9AR_HitachiHTS545050A7E380&tm=1443719777
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.aqovd.com?oem=sunadinv3&uid=TM8512ZJ13S9AR_HitachiHTS545050A7E380&tm=1443719777
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxps://www.google.com/?trackid=sp-006
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2121702083-4056039073-698002372-1002 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2121702083-4056039073-698002372-1002 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-09-03] <==== ACHTUNG
CHR Extension: (Avast Online Security) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-10-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-10-02]
CHR Extension: (EasyCalendar) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk
R2 NetTcpHandler; C:\Users\Betti\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
S2 Crashhd; C:\Users\Betti\AppData\Local\Crsoft\crsvc.exe -st [X]
C:\Users\Betti\AppData\Roaming\NetService\
C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk
 
End
*****************
 
Wiederherstellungspunkt wurde erfolgreich erstellt.
Prozess erfolgreich geschlossen.
C:\Users\Betti\AppData\Roaming\NetService\netservice.exe => Prozess konnte nicht geschlossen werden
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Schlüssel erfolgreich entfernt
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Schlüssel nicht gefunden. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Schlüssel erfolgreich entfernt
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Schlüssel nicht gefunden. 
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Schlüssel erfolgreich entfernt
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Schlüssel nicht gefunden. 
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Schlüssel erfolgreich entfernt
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Schlüssel nicht gefunden. 
C:\WINDOWS\system32\GroupPolicy\Machine => erfolgreich verschoben
C:\WINDOWS\system32\GroupPolicy\GPT.ini => erfolgreich verschoben
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => erfolgreich verschoben
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Schlüssel erfolgreich entfernt
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Wert erfolgreich wiederhergestellt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Wert erfolgreich wiederhergestellt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Wert erfolgreich wiederhergestellt
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Wert erfolgreich wiederhergestellt
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => Wert erfolgreich wiederhergestellt
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main\\Search Page => Wert erfolgreich wiederhergestellt
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\Software\Microsoft\Internet Explorer\Main\\Search Bar => Wert erfolgreich entfernt
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Wert erfolgreich wiederhergestellt
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Wert erfolgreich wiederhergestellt
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F}" => Schlüssel erfolgreich entfernt
HKCR\Wow6432Node\CLSID\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} => Schlüssel nicht gefunden. 
HKU\S-1-5-21-2121702083-4056039073-698002372-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Wert erfolgreich entfernt
"HKU\S-1-5-21-2121702083-4056039073-698002372-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F}" => Schlüssel erfolgreich entfernt
HKCR\CLSID\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} => Schlüssel nicht gefunden. 
C:\Program Files (x86)\mozilla firefox\firefox.cfg => erfolgreich verschoben
C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => erfolgreich verschoben
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => Schlüssel erfolgreich entfernt
Konnte nicht verschoben werden "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => ist geplant bei Neustart verschoben zu werden.
CHR Extension: (EasyCalendar) - C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk => nicht gefunden
NetTcpHandler => Dienst erfolgreich gestoppt.
NetTcpHandler => Dienst erfolgreich entfernt
Crashhd => Dienst erfolgreich entfernt
C:\Users\Betti\AppData\Roaming\NetService => erfolgreich verschoben
C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk => erfolgreich verschoben
EmptyTemp: => 860.2 MB temporäre Dateien entfernt.
 
Ergebnis der geplanten Datei-Verschiebungen (Start-Modus: Normal) (Datum&Uhrzeit: 2015-10-04 19:22:07)
 
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Konnte nicht verschoben werden
 
==== Ende von Fixlog 19:22:07 ====
 
# AdwCleaner v5.010 - Logfile created 04/10/2015 at 19:36:56
# Updated 04/10/2015 by Xplode
# Database : 2015-10-04.3 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Betti - BETTISPC
# Running from : C:\Users\Betti\Desktop\adwcleaner_5.010.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.snap.do
[-] [C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : securesearch
[-] [C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : mystartsearch
[-] [C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://feed.snap.do/?publisher=QuickOB&dpid=QuickOB&co=FR&userid=bc0a6e9b-ce0a-44ee-9955-8f329ee5e50f&searchtype=hp&installDate=01/01/1970
[-] [C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxps://in.search.yahoo.com/?type=201117&fr=spigot-yhp-ch
[-] [C:\Users\Betti\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://search.conduit.com/?SearchSource=10&ctid=CT2613520
 
*************************
 
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C9].txt - [1546 bytes] ##########
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:06 PM

Posted 05 October 2015 - 12:47 PM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:06 PM

Posted 11 October 2015 - 09:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



