AVAST Popup URL:Mal Infection ninthclub


  • This topic is locked
19 replies to this topic

#1 frumpyboy

  • Members
  • 9 posts

Posted 01 November 2015 - 12:41 AM

Hello,

 

I have been experiencing some redirect blocks by the AVAST antivirus tool. In any browser (Chrome, Firefox, Internet Explorer), when I first visit a website, I get 2 URL:Mal infection blocked notices from AVAST. After that there are no more notices until I close the browser and reopen it. The URL:Mal that AVAST blocks is http://ninthclub.com/Work/new/index.php

 

I have run Malaware, AdwCleaner, and JRT, but the problem persists. Some things were removed, but it looks like there's still some stuff left.

 

I have attached the FRST logs per instructions.

 

Thank you in advance for your assistance.


#2 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 01 November 2015 - 10:53 PM

Hi frumpyboy,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple-step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop -

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.

    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Let's get started....

Thank you for the logs.

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Freemake Video Converter version 3.2.1

To do so, left-click the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter.  Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [KuxeCxax] => regsvr32.exe "C:\Users\Steven\AppData\Roaming\MereFcajc\QeduWpuy.dll"
C:\Users\Steven\AppData\Roaming\MereFcajc
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {2509c8c7-6a2d-11df-a415-806e6f6e6963} - E:\onecncxr.EXE
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {3ca3dadb-9495-11df-ba9b-0019d1217fbd} - H:\LaunchU3.exe -a
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {490a4bbc-edb9-11e1-8d38-0019d1217fbd} - F:\SETUP.EXE
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {9e0d79ee-8359-11e0-8201-f70008510cd5} - F:\TL-Bootstrap.exe
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {ab2bec41-7e6f-11df-9e9e-0019d1217fbd} - H:\LaunchU3.exe -a
SearchScopes: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
C:\Program Files\Java\jre6\bin\jp2ssv.dll
BHO-x32: No Name -> {89867A4A-BDEE-4259-964A-B8E87C4892F3} -> No File
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll => No File
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll => No File
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll No File
Toolbar: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF NetworkProxy: "type", 4
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
C:\Program Files (x86)\Pando Networks
FF Plugin HKU\S-1-5-21-1222829886-859822242-3001035822-1000: @spoon.net/Spoon Plugin 3.33 -> C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\npMozillaSpoonPlugin.dll [No File]
C:\Users\Steven\AppData\Local\Spoon
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Steven\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (Java™ Platform SE 6 U22) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll => No File
C:\Program Files (x86)\Pando Networks
CHR Plugin: (Google Update) - C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll => No File
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
2015-10-30 22:36 - 2015-10-30 22:36 - 00000000 ____D C:\Users\Steven\AppData\Roaming\okshur
2015-10-30 22:33 - 2015-10-31 19:28 - 00000000 ____D C:\Users\Steven\AppData\Roaming\MereFcajc
2015-10-30 20:07 - 2015-10-30 20:07 - 00449298 _____ (Microsoft Corporation) C:\Users\Steven\AppData\Roaming\mhgpwfc.exe
2015-10-27 22:03 - 2015-10-27 22:03 - 00000000 _____ C:\Users\Steven\Downloads\page.uniqueads=yes&page.multiads=yes&Params.styles=funnel_pixel&Params.lifetime=30&site=tm&pagepos=990&adsize=1x1&brand=0&event_name=''&venue_name=''&eventid=&page=art.com%2Fevent%2F0B004F33B66334B6%3Fbrand%3Dhollywoodbowl
2015-10-26 23:40 - 2015-10-31 20:13 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2015-10-26 23:40 - 2015-10-28 08:03 - 00000000 ____D C:\Windows\AutoKMS
C:\Users\Steven\AppData\Local\Temp\amd-catalyst-15.7.1-without-dotnet45-win7-64bit.exe
C:\Users\Steven\AppData\Local\Temp\BetOnline Updater.exe
C:\Users\Steven\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqneucw.dll
C:\Users\Steven\AppData\Local\Temp\GURCF6D.exe
C:\Users\Steven\AppData\Local\Temp\Gw2.exe
C:\Users\Steven\AppData\Local\Temp\hdinst_x64.exe
C:\Users\Steven\AppData\Local\Temp\Installer XR.exe
C:\Users\Steven\AppData\Local\Temp\ose00000.exe
C:\Users\Steven\AppData\Local\Temp\ose00001.exe
C:\Users\Steven\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Steven\AppData\Local\Temp\sfextra.dll
C:\Users\Steven\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Steven\AppData\Local\Temp\sonarinst.exe
C:\Users\Steven\AppData\Local\Temp\sqlite3.dll
C:\Users\Steven\AppData\Local\Temp\vcredist_2010_x64.exe
C:\Users\Steven\AppData\Local\Temp\vcredist_2012_x64.exe
C:\Users\Steven\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Steven\AppData\Local\Temp\virtual_ntdll.dll
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Task: {405CC077-6633-4C14-940A-B5FFA332ABD9} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-26] ()
C:\Windows\AutoKMS
Task: {6A0B5400-B75C-4CDA-993F-D3C848E97D67} - System32\Tasks\{C81B9F28-E836-4BB9-A656-C7D7034B9886} => pcalua.exe -a C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\Spoon-Sandbox.exe -c /uninstall
Task: {87663486-3162-43C1-85ED-DFD0BE455846} - System32\Tasks\{6F329CF9-D9C0-47BD-BAD8-4C544151D2E0} => pcalua.exe -a G:\ffxivsetup.exe -d G:\
Task: {B7C62730-D046-4170-8975-C8F24E80B7B0} - System32\Tasks\{3CDA4F2A-E887-4B73-9D05-202EB7C3C995} => Iexplore.exe hxxp://ui.skype.com/ui/0/6.6.0.106/en/abandoninstall?page=tsPlugin
Task: {F6E6BF69-0069-41AB-B7E8-CDF4A756E8EC} - System32\Tasks\{AF7FEAAF-AD96-44C5-ADD6-286A70F8B35A} => pcalua.exe -a C:\Users\Steven\Desktop\308247_intl_i386_zip.exe -d C:\Users\Steven\Desktop
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
Task: {1C9BA3B8-0835-4DBD-94CD-8BA06D733A83} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-16] ()
C:\ProgramData\AVG January 2013 Campaign
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


LAST >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot, allow this
  • On reboot a log will be produced; please copy/paste it in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
  • Optional:

    NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free, but if you would like to help encourage me or show your thanks, you can donate.
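The fixlist above removes several distinct classes of persistence and debris: a Run value that loads a randomly named DLL from AppData\Roaming through the signed regsvr32.exe, orphaned Run values and "No File" plugin and BHO references, MountPoints2 autorun entries for removable drives, scheduled tasks that proxy execution through pcalua.exe or point at an unsigned binary, and an alternate data stream on a directory. The script below is an added example by the editor, not part of the original post and not FRST code; it parses FRST-style lines and flags those same classes so a responder can see at a glance why each line made it into a fix. The sample input is constructed from lines quoted on this page plus one benign HKLM Run entry (SecurityHealth) that is assumed, not taken from the log, so the filter has something to pass. The heuristics (the loader and proxy-launcher lists, the user-writable path set, the empty "()" publisher field as a weak signal) are the editor's, not FRST's.

```python
"""Added triage helper for FRST-style persistence lines. It is not part of FRST
or of the fixlist above; the heuristics below are the editor's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the fixlist in post #2, plus one
# benign HKLM Run entry (assumed, not from the page) that the filter should pass.
SAMPLE_LINES = r"""
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [KuxeCxax] => regsvr32.exe "C:\Users\Steven\AppData\Roaming\MereFcajc\QeduWpuy.dll"
HKLM\...\Run: [SecurityHealth] => C:\Windows\System32\SecurityHealthSystray.exe
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {2509c8c7-6a2d-11df-a415-806e6f6e6963} - E:\onecncxr.EXE
BHO-x32: No Name -> {89867A4A-BDEE-4259-964A-B8E87C4892F3} -> No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
Task: {405CC077-6633-4C14-940A-B5FFA332ABD9} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-26] ()
Task: {6A0B5400-B75C-4CDA-993F-D3C848E97D67} - System32\Tasks\{C81B9F28-E836-4BB9-A656-C7D7034B9886} => pcalua.exe -a C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\Spoon-Sandbox.exe -c /uninstall
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
"""


@dataclass
class Finding:
    line: str
    reason: str


# Signed Microsoft binaries routinely abused to load a DLL/script or to proxy a launch.
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PROXY_LAUNCHERS = {"pcalua.exe", "forfiles.exe"}

RUN_ENTRY = re.compile(r"\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
MOUNTPOINT = re.compile(r"\\MountPoints2: \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
TASK = re.compile(r"^Task: .*? => (?P<cmd>.*)$")
ADS = re.compile(r"^AlternateDataStreams: (?P<path>.+?):(?P<stream>[^\\:]+)$")
NO_FILE = re.compile(r"No File\]?\s*$")
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|ProgramData|Temp|Users\\Public)\\", re.I)
REMOVABLE = re.compile(r"^[D-Z]:\\", re.I)


def _first_exe(cmd: str) -> str:
    """Basename of the first executable token, lower-cased; handles a quoted path."""
    cmd = cmd.strip()
    token = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return token.rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one FRST line, or None when nothing looks wrong."""
    line = line.strip()
    if not line:
        return None
    m = RUN_ENTRY.search(line)
    if m:
        cmd = m.group("cmd")
        if cmd == "[X]":  # FRST prints [X] when the value has no command
            return Finding(line, "Run value with no command (orphan); delete it")
        exe = _first_exe(cmd)
        if exe in LOLBIN_LOADERS and USER_WRITABLE.search(cmd):
            return Finding(line, f"{exe} loads a payload from a user-writable path at logon")
        if USER_WRITABLE.search(cmd):
            return Finding(line, "logon entry runs from a user-writable path")
        return None
    m = MOUNTPOINT.search(line)
    if m:
        if REMOVABLE.match(m.group("cmd")):
            return Finding(line, "MountPoints2 autorun for removable media; stale and abusable")
        return None
    m = TASK.match(line)
    if m:
        cmd = m.group("cmd")
        exe = _first_exe(cmd)
        if exe in PROXY_LAUNCHERS:
            return Finding(line, f"scheduled task proxies execution through {exe}")
        if cmd.rstrip().endswith("()"):  # empty company field in FRST output
            return Finding(line, "scheduled task binary carries no publisher metadata")
        if USER_WRITABLE.search(cmd):
            return Finding(line, "scheduled task runs from a user-writable path")
        return None
    m = ADS.match(line)
    if m:
        return Finding(line, f"alternate data stream '{m.group('stream')}' hides data on {m.group('path')}")
    if NO_FILE.search(line):
        return Finding(line, "references a file that no longer exists; remove the dangling entry")
    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of an FRST log or fixlist."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


def report(text: str) -> str:
    """Human-readable summary: one reason line followed by the offending entry."""
    return "\n".join(f"{f.reason}\n    {f.line}" for f in triage(text))


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run it against a full FRST.txt (python triage.py < FRST.txt after swapping SAMPLE_LINES for sys.stdin.read()) and the output is a first-pass candidate list, not a fixlist: a Run entry under AppData is suspicious, not proven malicious, and the helper still has to check each hit against the rest of the log before writing the removal script.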


#3 frumpyboy (Topic Starter)

  • Members
  • 9 posts

Posted 02 November 2015 - 12:34 AM

Hi dbrisendine,

 

 

When I try to run FRST, the program stops responding and crashes. I have tried letting it sit there, but it doesn't respond, forcing a hard restart to bring the computer back to normal. I have pasted the fixlog below showing how far it got.

 

Let me know if you still want me to run Adwcleaner or something else. Thank you!

 

Fix result of Farbar Recovery Scan Tool (x64) Version:30-10-2015

Ran by Steven (2015-11-01 21:21:40) Run:7
Running from C:\Users\Steven\Desktop
Loaded Profiles: Steven (Available Profiles: Steven & Guest)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [KuxeCxax] => regsvr32.exe "C:\Users\Steven\AppData\Roaming\MereFcajc\QeduWpuy.dll"
C:\Users\Steven\AppData\Roaming\MereFcajc
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {2509c8c7-6a2d-11df-a415-806e6f6e6963} - E:\onecncxr.EXE
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {3ca3dadb-9495-11df-ba9b-0019d1217fbd} - H:\LaunchU3.exe -a
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {490a4bbc-edb9-11e1-8d38-0019d1217fbd} - F:\SETUP.EXE
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {9e0d79ee-8359-11e0-8201-f70008510cd5} - F:\TL-Bootstrap.exe
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {ab2bec41-7e6f-11df-9e9e-0019d1217fbd} - H:\LaunchU3.exe -a
SearchScopes: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
C:\Program Files\Java\jre6\bin\jp2ssv.dll
BHO-x32: No Name -> {89867A4A-BDEE-4259-964A-B8E87C4892F3} -> No File
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll => No File
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll => No File
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll No File
Toolbar: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF NetworkProxy: "type", 4
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
C:\Program Files (x86)\Pando Networks
FF Plugin HKU\S-1-5-21-1222829886-859822242-3001035822-1000: @spoon.net/Spoon Plugin 3.33 -> C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\npMozillaSpoonPlugin.dll [No File]
C:\Users\Steven\AppData\Local\Spoon
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Steven\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (Java™ Platform SE 6 U22) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll => No File
C:\Program Files (x86)\Pando Networks
CHR Plugin: (Google Update) - C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll => No File
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
2015-10-30 22:36 - 2015-10-30 22:36 - 00000000 ____D C:\Users\Steven\AppData\Roaming\okshur
2015-10-30 22:33 - 2015-10-31 19:28 - 00000000 ____D C:\Users\Steven\AppData\Roaming\MereFcajc
2015-10-30 20:07 - 2015-10-30 20:07 - 00449298 _____ (Microsoft Corporation) C:\Users\Steven\AppData\Roaming\mhgpwfc.exe
2015-10-27 22:03 - 2015-10-27 22:03 - 00000000 _____ C:\Users\Steven\Downloads\page.uniqueads=yes&page.multiads=yes&Params.styles=funnel_pixel&Params.lifetime=30&site=tm&pagepos=990&adsize=1x1&brand=0&event_name=''&venue_name=''&eventid=&page=art.com%2Fevent%2F0B004F33B66334B6%3Fbrand%3Dhollywoodbowl
2015-10-26 23:40 - 2015-10-31 20:13 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2015-10-26 23:40 - 2015-10-28 08:03 - 00000000 ____D C:\Windows\AutoKMS
C:\Users\Steven\AppData\Local\Temp\amd-catalyst-15.7.1-without-dotnet45-win7-64bit.exe
C:\Users\Steven\AppData\Local\Temp\BetOnline Updater.exe
C:\Users\Steven\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqneucw.dll
C:\Users\Steven\AppData\Local\Temp\GURCF6D.exe
C:\Users\Steven\AppData\Local\Temp\Gw2.exe
C:\Users\Steven\AppData\Local\Temp\hdinst_x64.exe
C:\Users\Steven\AppData\Local\Temp\Installer XR.exe
C:\Users\Steven\AppData\Local\Temp\ose00000.exe
C:\Users\Steven\AppData\Local\Temp\ose00001.exe
C:\Users\Steven\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Steven\AppData\Local\Temp\sfextra.dll
C:\Users\Steven\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Steven\AppData\Local\Temp\sonarinst.exe
C:\Users\Steven\AppData\Local\Temp\sqlite3.dll
C:\Users\Steven\AppData\Local\Temp\vcredist_2010_x64.exe
C:\Users\Steven\AppData\Local\Temp\vcredist_2012_x64.exe
C:\Users\Steven\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Steven\AppData\Local\Temp\virtual_ntdll.dll
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Task: {405CC077-6633-4C14-940A-B5FFA332ABD9} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-26] ()
C:\Windows\AutoKMS
Task: {6A0B5400-B75C-4CDA-993F-D3C848E97D67} - System32\Tasks\{C81B9F28-E836-4BB9-A656-C7D7034B9886} => pcalua.exe -a C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\Spoon-Sandbox.exe -c /uninstall
Task: {87663486-3162-43C1-85ED-DFD0BE455846} - System32\Tasks\{6F329CF9-D9C0-47BD-BAD8-4C544151D2E0} => pcalua.exe -a G:\ffxivsetup.exe -d G:\
Task: {B7C62730-D046-4170-8975-C8F24E80B7B0} - System32\Tasks\{3CDA4F2A-E887-4B73-9D05-202EB7C3C995} => Iexplore.exe hxxp://ui.skype.com/ui/0/6.6.0.106/en/abandoninstall?page=tsPlugin
Task: {F6E6BF69-0069-41AB-B7E8-CDF4A756E8EC} - System32\Tasks\{AF7FEAAF-AD96-44C5-ADD6-286A70F8B35A} => pcalua.exe -a C:\Users\Steven\Desktop\308247_intl_i386_zip.exe -d C:\Users\Steven\Desktop
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
Task: {1C9BA3B8-0835-4DBD-94CD-8BA06D733A83} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-16] ()
C:\ProgramData\AVG January 2013 Campaign
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
*****************
 
Restore point was successfully created.


#4 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 02 November 2015 - 01:00 AM

See if this helps:
 

FIRST >>>>

Please download Rkill by Grinler and save it to your desktop. (Use Link 1 first.)

  • Link 1
  • Link 2

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, stop and do not run Step 2. Come back here and please let me know.
  • Do not reboot the computer; you will need to run the application again.

SECOND >>>>

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right-clicking on the FRST64.exe file and selecting "Run as Administrator...". The User Account Control prompt may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 



#5 frumpyboy (Topic Starter)

  • Members
  • 9 posts

Posted 02 November 2015 - 01:24 AM

Looks like we made some progress. It ran for 15 minutes with no updates but didn't freeze; I ended up rebooting again because it looked like it was just hanging. Log pasted below:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:30-10-2015
Ran by Steven (2015-11-01 22:05:39) Run:8
Running from C:\Users\Steven\Desktop
Loaded Profiles: Steven (Available Profiles: Steven & Guest)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\Run: [KuxeCxax] => regsvr32.exe "C:\Users\Steven\AppData\Roaming\MereFcajc\QeduWpuy.dll"
C:\Users\Steven\AppData\Roaming\MereFcajc
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {2509c8c7-6a2d-11df-a415-806e6f6e6963} - E:\onecncxr.EXE
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {3ca3dadb-9495-11df-ba9b-0019d1217fbd} - H:\LaunchU3.exe -a
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {490a4bbc-edb9-11e1-8d38-0019d1217fbd} - F:\SETUP.EXE
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {9e0d79ee-8359-11e0-8201-f70008510cd5} - F:\TL-Bootstrap.exe
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\...\MountPoints2: {ab2bec41-7e6f-11df-9e9e-0019d1217fbd} - H:\LaunchU3.exe -a
SearchScopes: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
C:\Program Files\Java\jre6\bin\jp2ssv.dll
BHO-x32: No Name -> {89867A4A-BDEE-4259-964A-B8E87C4892F3} -> No File
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll => No File
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll => No File
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll No File
Toolbar: HKU\S-1-5-21-1222829886-859822242-3001035822-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF NetworkProxy: "type", 4
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
C:\Program Files (x86)\Pando Networks
FF Plugin HKU\S-1-5-21-1222829886-859822242-3001035822-1000: @spoon.net/Spoon Plugin 3.33 -> C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\npMozillaSpoonPlugin.dll [No File]
C:\Users\Steven\AppData\Local\Spoon
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Steven\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (Java™ Platform SE 6 U22) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll => No File
C:\Program Files (x86)\Pando Networks
CHR Plugin: (Google Update) - C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll => No File
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
2015-10-30 22:36 - 2015-10-30 22:36 - 00000000 ____D C:\Users\Steven\AppData\Roaming\okshur
2015-10-30 22:33 - 2015-10-31 19:28 - 00000000 ____D C:\Users\Steven\AppData\Roaming\MereFcajc
2015-10-30 20:07 - 2015-10-30 20:07 - 00449298 _____ (Microsoft Corporation) C:\Users\Steven\AppData\Roaming\mhgpwfc.exe
2015-10-27 22:03 - 2015-10-27 22:03 - 00000000 _____ C:\Users\Steven\Downloads\page.uniqueads=yes&page.multiads=yes&Params.styles=funnel_pixel&Params.lifetime=30&site=tm&pagepos=990&adsize=1x1&brand=0&event_name=''&venue_name=''&eventid=&page=art.com%2Fevent%2F0B004F33B66334B6%3Fbrand%3Dhollywoodbowl
2015-10-26 23:40 - 2015-10-31 20:13 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2015-10-26 23:40 - 2015-10-28 08:03 - 00000000 ____D C:\Windows\AutoKMS
C:\Users\Steven\AppData\Local\Temp\amd-catalyst-15.7.1-without-dotnet45-win7-64bit.exe
C:\Users\Steven\AppData\Local\Temp\BetOnline Updater.exe
C:\Users\Steven\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqneucw.dll
C:\Users\Steven\AppData\Local\Temp\GURCF6D.exe
C:\Users\Steven\AppData\Local\Temp\Gw2.exe
C:\Users\Steven\AppData\Local\Temp\hdinst_x64.exe
C:\Users\Steven\AppData\Local\Temp\Installer XR.exe
C:\Users\Steven\AppData\Local\Temp\ose00000.exe
C:\Users\Steven\AppData\Local\Temp\ose00001.exe
C:\Users\Steven\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Steven\AppData\Local\Temp\sfextra.dll
C:\Users\Steven\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Steven\AppData\Local\Temp\sonarinst.exe
C:\Users\Steven\AppData\Local\Temp\sqlite3.dll
C:\Users\Steven\AppData\Local\Temp\vcredist_2010_x64.exe
C:\Users\Steven\AppData\Local\Temp\vcredist_2012_x64.exe
C:\Users\Steven\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Steven\AppData\Local\Temp\virtual_ntdll.dll
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Task: {405CC077-6633-4C14-940A-B5FFA332ABD9} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-26] ()
C:\Windows\AutoKMS
Task: {6A0B5400-B75C-4CDA-993F-D3C848E97D67} - System32\Tasks\{C81B9F28-E836-4BB9-A656-C7D7034B9886} => pcalua.exe -a C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\Spoon-Sandbox.exe -c /uninstall
Task: {87663486-3162-43C1-85ED-DFD0BE455846} - System32\Tasks\{6F329CF9-D9C0-47BD-BAD8-4C544151D2E0} => pcalua.exe -a G:\ffxivsetup.exe -d G:\
Task: {B7C62730-D046-4170-8975-C8F24E80B7B0} - System32\Tasks\{3CDA4F2A-E887-4B73-9D05-202EB7C3C995} => Iexplore.exe hxxp://ui.skype.com/ui/0/6.6.0.106/en/abandoninstall?page=tsPlugin
Task: {F6E6BF69-0069-41AB-B7E8-CDF4A756E8EC} - System32\Tasks\{AF7FEAAF-AD96-44C5-ADD6-286A70F8B35A} => pcalua.exe -a C:\Users\Steven\Desktop\308247_intl_i386_zip.exe -d C:\Users\Steven\Desktop
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
Task: {1C9BA3B8-0835-4DBD-94CD-8BA06D733A83} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-16] ()
C:\ProgramData\AVG January 2013 Campaign
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\Software\Microsoft\Windows\CurrentVersion\Run\\KuxeCxax => value removed successfully
C:\Users\Steven\AppData\Roaming\MereFcajc => moved successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2509c8c7-6a2d-11df-a415-806e6f6e6963}" => key removed successfully
HKCR\CLSID\{2509c8c7-6a2d-11df-a415-806e6f6e6963} => key not found. 
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ca3dadb-9495-11df-ba9b-0019d1217fbd}" => key removed successfully
HKCR\CLSID\{3ca3dadb-9495-11df-ba9b-0019d1217fbd} => key not found. 
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{490a4bbc-edb9-11e1-8d38-0019d1217fbd}" => key removed successfully
HKCR\CLSID\{490a4bbc-edb9-11e1-8d38-0019d1217fbd} => key not found. 
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e0d79ee-8359-11e0-8201-f70008510cd5}" => key removed successfully
HKCR\CLSID\{9e0d79ee-8359-11e0-8201-f70008510cd5} => key not found. 
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab2bec41-7e6f-11df-9e9e-0019d1217fbd}" => key removed successfully
HKCR\CLSID\{ab2bec41-7e6f-11df-9e9e-0019d1217fbd} => key not found. 
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"C:\Program Files\Java\jre6\bin\jp2ssv.dll" => not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89867A4A-BDEE-4259-964A-B8E87C4892F3}" => key removed successfully
HKCR\Wow6432Node\CLSID\{89867A4A-BDEE-4259-964A-B8E87C4892F3} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{AE7CD045-E861-484f-8273-0445EE161910}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{F4971EE7-DAA0-4053-9964-665D8EE6A077}" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
"HKCR\Wow6432Node\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" => key removed successfully
HKU\S-1-5-21-1222829886-859822242-3001035822-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found. 
"HKCR\PROTOCOLS\Handler\linkscanner" => key removed successfully
"HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}" => key removed successfully
Firefox Proxy settings were reset.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully
C:\Program Files (x86)\Pando Networks => moved successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000\Software\MozillaPlugins\@spoon.net/Spoon Plugin 3.33" => key removed successfully
C:\Users\Steven\AppData\Local\Spoon\3.33.6.45\npMozillaSpoonPlugin.dll => not found.
C:\Users\Steven\AppData\Local\Spoon => moved successfully
C:\Users\Steven\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll => not found.
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll => not found.
C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => not found.
C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll => not found.
"C:\Program Files (x86)\Pando Networks" => not found.
C:\Users\Steven\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll => not found.
AdobeARMservice => service removed successfully
C:\Users\Steven\AppData\Roaming\okshur => moved successfully
"C:\Users\Steven\AppData\Roaming\MereFcajc" => not found.
C:\Users\Steven\AppData\Roaming\mhgpwfc.exe => moved successfully
Could not move "C:\Users\Steven\Downloads\page.uniqueads=yes&page.multiads=yes&Params.styles=funnel_pixel&Params.lifetime=30&site=tm&pagepos=990&adsize=1x1&brand=0&event_name=''&venue_name=''&eventid=&page=art.com%2Fevent%2F0B004F33B66334B6%3Fbrand%3Dhollywoodbowl" => Scheduled to move on reboot.
C:\Windows\System32\Tasks\AutoKMS => moved successfully
C:\Windows\AutoKMS => moved successfully
C:\Users\Steven\AppData\Local\Temp\amd-catalyst-15.7.1-without-dotnet45-win7-64bit.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\BetOnline Updater.exe => moved successfully
"C:\Users\Steven\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqneucw.dll" => not found.
C:\Users\Steven\AppData\Local\Temp\GURCF6D.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\Gw2.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\hdinst_x64.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\Installer XR.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\ose00000.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\ose00001.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\sfamcc00001.dll => moved successfully
C:\Users\Steven\AppData\Local\Temp\sfextra.dll => moved successfully
C:\Users\Steven\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\sonarinst.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\Users\Steven\AppData\Local\Temp\vcredist_2010_x64.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\vcredist_2012_x64.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\vcredist_x86.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\virtual_ntdll.dll => moved successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-1222829886-859822242-3001035822-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{405CC077-6633-4C14-940A-B5FFA332ABD9} => key not found. 
C:\Windows\System32\Tasks\AutoKMS => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
"C:\Windows\AutoKMS" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6A0B5400-B75C-4CDA-993F-D3C848E97D67}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6A0B5400-B75C-4CDA-993F-D3C848E97D67}" => key removed successfully
C:\Windows\System32\Tasks\{C81B9F28-E836-4BB9-A656-C7D7034B9886} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C81B9F28-E836-4BB9-A656-C7D7034B9886}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87663486-3162-43C1-85ED-DFD0BE455846}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87663486-3162-43C1-85ED-DFD0BE455846}" => key removed successfully
C:\Windows\System32\Tasks\{6F329CF9-D9C0-47BD-BAD8-4C544151D2E0} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6F329CF9-D9C0-47BD-BAD8-4C544151D2E0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B7C62730-D046-4170-8975-C8F24E80B7B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7C62730-D046-4170-8975-C8F24E80B7B0}" => key removed successfully
C:\Windows\System32\Tasks\{3CDA4F2A-E887-4B73-9D05-202EB7C3C995} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{3CDA4F2A-E887-4B73-9D05-202EB7C3C995}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F6E6BF69-0069-41AB-B7E8-CDF4A756E8EC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6E6BF69-0069-41AB-B7E8-CDF4A756E8EC}" => key removed successfully
C:\Windows\System32\Tasks\{AF7FEAAF-AD96-44C5-ADD6-286A70F8B35A} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{AF7FEAAF-AD96-44C5-ADD6-286A70F8B35A}" => key removed successfully
C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C9BA3B8-0835-4DBD-94CD-8BA06D733A83}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C9BA3B8-0835-4DBD-94CD-8BA06D733A83}" => key removed successfully
C:\Windows\System32\Tasks\ROC_REG_JAN_DELETE => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ROC_REG_JAN_DELETE" => key removed successfully
C:\ProgramData\AVG January 2013 Campaign => moved successfully
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`26hfm" ADS removed successfully.
 
=========  ipconfig /flushdns =========


#6 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:04:36 PM

Posted 02 November 2015 - 01:35 AM

Can you check to see if there is a log file for RKill?


unite_blue_zpsba2e96f7.png
 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> btn_donate_LG.gif


#7 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:04:36 PM

Posted 02 November 2015 - 02:04 AM

Let's see what AdwCleaner does since the Fixlist did not complete entirely ......
 

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

    (screenshot of the AdwCleaner console in the original post)
  • Click on Options and select the following (make them checked)
    • Delete "Tracing" keys
    • Reset Proxy settings
    • Reset Winsock settings
    • Reset Firewall settings
    • Reset IPSec settings
    • Reset BITS queue
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot, allow this

    (screenshot of the AdwCleaner restart prompt in the original post)
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.




#8 frumpyboy

frumpyboy
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:36 PM

Posted 02 November 2015 - 10:48 PM

I've posted AdwCleaner log and RKill log. AdwCleaner is coming back with nothing, however when I try to click clean, it freezes the program and forces me to do a hard restart similar to FRST.

 

RKill

Rkill 2.8.2 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/02/2015 07:22:01 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       activate.adobe.com
  127.0.0.1       practivate.adobe.com
  127.0.0.1       ereg.adobe.com
  127.0.0.1       activate.wip3.adobe.com
  127.0.0.1       wip3.adobe.com
  127.0.0.1       3dns-3.adobe.com
  127.0.0.1       3dns-2.adobe.com
  127.0.0.1       adobe-dns.adobe.com
  127.0.0.1       adobe-dns-2.adobe.com
  127.0.0.1       adobe-dns-3.adobe.com
  127.0.0.1       ereg.wip3.adobe.com
  127.0.0.1       activate-sea.adobe.com
  127.0.0.1       wwis-dubc1-vip60.adobe.com
  127.0.0.1       activate-sjc0.adobe.com
  127.0.0.1       wwis-dubc1-vip60.adobe.com127.0.0.1       localhost
  127.0.0.1       localhost
 
Program finished at: 11/02/2015 07:22:24 PM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)
 
AdwCleaner
# AdwCleaner v5.016 - Logfile created 02/11/2015 at 19:41:04
# Updated 01/11/2015 by Xplode
# Database : 2015-11-01.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Steven - STEVENGAME01
# Running from : C:\Users\Steven\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt - [589 bytes] ##########
 


#9 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:04:36 PM

Posted 03 November 2015 - 10:28 PM

I'm a little concerned about the freezing during what should be normal operations (the scanners are not asking the system to do anything unusual; only running MS OS commands).

 

Please download Farbar Service Scanner to your desktop and double click on the file to run it.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 




#10 frumpyboy

frumpyboy
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:36 PM

Posted 03 November 2015 - 10:42 PM

Below is the log. Also, now when I open any browser, I get a small window popup saying "BC Loaded", then it disappears after a few seconds and the browser window opens up. I've attached a screenshot.

 

FSS Services Log:

 

Farbar Service Scanner Version: 26-07-2015
Ran by Steven (administrator) on 03-11-2015 at 19:37:29
Running from "C:\Users\Steven\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
 
 

Attached Files
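The checks behind the RKill log in post #8 (firewall policy, service state, hosts file entries) and the FSS log above (service start types against their defaults) can be repeated by hand with a short script. The following is an added example for verification; it is not code from this thread, from Farbar Service Scanner or from RKill. It assumes an elevated Windows PowerShell prompt on Windows 7 or later, uses Get-WmiObject for Windows 7 compatibility, and only reads registry, service and hosts-file state without changing anything.

```powershell
# Added example (not part of the thread, FSS or RKill): a read-only audit that
# re-checks what the FSS and RKill logs report. Assumes an elevated Windows
# PowerShell prompt on Windows 7 or later.

function Get-SystemAuditFindings {
    $findings = @()

    # 1. Firewall "disabled policy". FSS quoted EnableFirewall=0 under
    #    StandardProfile; check all three profile keys.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Join-Path $fwBase $profile
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($item -and $item.EnableFirewall -eq 0) {
            $findings += "Windows Firewall is disabled for $profile (EnableFirewall=0)"
        }
    }

    # 2. Services named in the FSS log, with the default start type it reports
    #    (Auto). MpsSvc and BFE back the firewall (mpssvc.dll and bfe.dll appear
    #    in the FSS File Check).
    $expected = @{ 'wuauserv' = 'Auto'; 'WinDefend' = 'Auto'; 'MpsSvc' = 'Auto'; 'BFE' = 'Auto' }
    foreach ($name in $expected.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { $findings += "Service $name is not installed"; continue }
        # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled
        # (FSS prints Manual as "Demand", the sc.exe wording).
        if ($svc.StartMode -ne $expected[$name]) {
            $findings += "Service $name start type is $($svc.StartMode) (default $($expected[$name]))"
        }
        if ($svc.State -ne 'Running') { $findings += "Service $name is not running" }
    }

    # 3. Hosts file. Report every name that is redirected (anything other than
    #    localhost) and flag lines carrying two IPv4 literals: the
    #    "adobe.com127.0.0.1       localhost" line in the RKill log is two
    #    entries run together by a missing line break.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $ipv4 = '(?<!\d)\d{1,3}(\.\d{1,3}){3}(?!\d)'
    foreach ($line in @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
        $text = ($line -split '#')[0].Trim()        # drop trailing comments
        if ($text -eq '') { continue }
        $tokens = $text -split '\s+'
        if ($tokens.Count -lt 2) { continue }
        if (([regex]::Matches($text, $ipv4)).Count -gt 1) {
            $findings += "Hosts line looks merged (missing line break): $text"
        }
        foreach ($hostName in $tokens[1..($tokens.Count - 1)]) {
            if ($hostName -ne 'localhost') {
                $findings += "Hosts override: $hostName -> $($tokens[0])"
            }
        }
    }

    return ,$findings
}

$result = Get-SystemAuditFindings
if ($result.Count -eq 0) { 'No issues found.' } else { $result }
```

Run against the state shown in the logs above, this would list the StandardProfile firewall policy, wuauserv set to Disabled and not running, WinDefend set to Manual and not running, each redirected adobe.com name, and the merged hosts line. The script deliberately does not repair anything; whether a disabled firewall or update service was the user's choice or a side effect is exactly the question the helper asks in the next post, and that is best answered before changing settings.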



#11 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:04:36 PM

Posted 04 November 2015 - 12:22 AM

Did you purposely turn off Windows Updates and the Windows Firewall?

 

Also, you have two AVs running at the same time (Avast and Emsisoft). ???? Only one should be active at any time.




#12 frumpyboy

frumpyboy
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:36 PM

Posted 04 November 2015 - 02:33 AM

Yes, I'm having a conflict with Windows Updates where it will take 50-80% of CPU. I normally don't have the Windows firewall on, as I am behind a router and have Avast or some AV running. I can remove Emsisoft; that was a remnant from when I was trying to clean a bit prior to not finding a solution.



#13 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:04:36 PM

Posted 05 November 2015 - 01:16 PM

Malwarebytes Anti-Malware - please run a scan and see what this finds now. Even if it finds nothing, please post the log anyway.

 

2.0 Threat Scan

    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    How to get logs:
    (Export log to save as txt)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the scan log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    • Click Ok
    • Attach that saved log to your next reply.
    (Copy to clipboard for pasting into forum replies or tickets)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the scan log which shows the Date and time of the scan just performed.
    • Click 'Copy to Clipboard'
    • Paste the contents of the clipboard into your reply.



#14 frumpyboy

frumpyboy
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:36 PM

Posted 06 November 2015 - 01:31 AM

Here's the scan results. No threats, so no restart required:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/5/2015
Scan Time: 10:08 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.11.06.01
Rootkit Database: v2015.11.04.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Steven
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 422702
Time Elapsed: 20 min, 17 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#15 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:04:36 PM

Posted 08 November 2015 - 02:48 PM

We need to get a fresh scan from FRST.

  • If you still have the Addition.txt file on your desktop, please delete it now.
  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it to do this please. Otherwise, just wait for the "The tool is ready to use." message.
  • Please check the Addition.txt in the Option Scan section of FRST.
  • Please check the 90 Days Files in the Option Scan section also.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The tool will generate another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please paste that along with the FRST.txt into your reply.





