Please do not delete!


  • This topic is locked
2 replies to this topic

#1 TechieMomma

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 23 November 2015 - 09:27 PM

Please don't delete this again! Luckily I had a copy of all the stuff I had added since the first one. The mod who stopped helping me TOLD me to write a new topic, because he wouldn't help me anymore because I can't delete something, and he said no one else would add onto it; he was closing it out.

******** Deleted post *******


I posted this a few days ago, and someone got back to me, but refused to help because I can't remove KMSpico from my machine. He told me to repost so someone else would take it, so I am. I know it's there; I had to put it there because of a dispute about a bad key that the 'trusted partner' and MS wouldn't replace. Please leave the thread for someone else if you won't help me because of this. That has been there over a year, and the problem is new as of a week or two.

Thank you in advance, and sorry for the long-windedness. Some new issues have come up that I've added in.

Hi there,

 

I am running Win7 Ultimate and I've obviously got some sort of adware: the PCKeeper site pops up randomly in Firefox, and in both Firefox and Chrome ads are suddenly whizzing past my Adblock Plus on sites I go to daily, but only in certain places, so I think it's a specific ad network. I can't find any new plugins or extensions in either one that I haven't (a) installed myself and (b) had for months.

I was in the midst of trying to find and get rid of whatever the adware was when my computer rebooted in the middle of the night, and since that reboot my apps are so. slow. to. start. At first I thought they weren't starting at all, because the first ones I usually open, which are the memory hogs (Firefox/Thunderbird/Hangouts), would light up in the taskbar and then disappear. I tried to open them a couple of times, and tried Chrome as well, but when I went to Task Manager to investigate they were open but had very small memory footprints (2,000 KB or less) and were just hanging there. If I close and reopen a couple of times, or start Chrome after trying to start Firefox, they start slowly creeping up at about a MB or two per second until they build up enough steam to open. Once started, apps are mostly responsive again. My computer is old, but it got about a hundred times slower after that reboot.

I've also had problems with apps becoming unclickable until I minimize them from the taskbar and restore. Although at the moment, taskmgr is completely unclickable even after being restored. I tested in Safe Mode with Networking and things seem more responsive there, but I'm not sure if it's because there's less taxing the system in Safe Mode. I also tried to log in to my GRUB partition to test my Linux install and see if maybe it was hardware, not the OS, but I get the message "module ntfscomp not loaded" and it sends me to the GRUB recovery line. My computer has also been getting BSODs in the middle of the night. I tried to include my last minidump, but it won't upload here. Should I change it to .txt and send it, or not?

I can't seem to find any running issues. So some things make me think it's hardware, but it seems so specific to just certain behaviors, and since the popups showed up at the same time, the rest of me thinks it's just something I haven't found yet.

I've run Malwarebytes, Zemana, the Security Essentials scanner, AdwCleaner and HijackThis and taken care of anything they found, but the problem is persistent. Any help would be really appreciated. It's been years since I've had something that wasn't easily taken care of. I'm way behind on what the current tools are, and the only PCKeeper thread I could find here was kind of cut off in the middle.

Thank you so much for any help!


FRST:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:18-11-2015
Ran by Sara (administrator) on MAI-PC (18-11-2015 03:29:27)
Running from C:\Users\Sara\Downloads
Loaded Profiles: Sara (Available Profiles: Sara & PermissionsTest)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Core Temp\Core Temp.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Highresolution Enterprises) C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
(Stardock Corporation) C:\Program Files (x86)\Stardock\CursorFX\CursorFX.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Don HO don.h@free.fr) C:\Users\Sara\Downloads\Setups\Notepad-Plus-Plus\notepad++.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Firefox Developer Edition\firefox.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
(Mozilla Corporation) C:\Program Files (x86)\Firefox Developer Edition\plugin-container.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-11-21] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM\...\Run: [XMouseButtonControl] => C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe [1091568 2015-03-02] (Highresolution Enterprises)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597040 2015-10-06] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\WB: C:\Program Files (x86)\Stardock\WindowBlinds\fast64.dll [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1350210079-2480061043-60131931-1000\...\Run: [CursorFX] => C:\Program Files (x86)\Stardock\CursorFX\CursorFX.exe [670896 2015-01-23] (Stardock Corporation)
HKU\S-1-5-21-1350210079-2480061043-60131931-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"
IFEO\notepad.exe: [Debugger] C:\Windows\NotepadStarter.exe
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-10-12] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-10-12] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-10-12] (Google)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Sara\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{BC60CC22-20C4-4490-BE92-1B72ACA16849}: [NameServer] 208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{BC60CC22-20C4-4490-BE92-1B72ACA16849}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1350210079-2480061043-60131931-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1350210079-2480061043-60131931-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1350210079-2480061043-60131931-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
SearchScopes: HKU\S-1-5-21-1350210079-2480061043-60131931-1000 -> {E7D15226-FD9F-4A0C-BC57-510564E81E9B} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2015-03-31] (Microsoft Corporation)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-01-18] (Siber Systems Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2015-03-18] (Microsoft Corporation)
BHO-x32: No Name -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> No File
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2015-01-18] (Siber Systems Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll [2015-11-17] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-04-29] (Adobe Systems Incorporated)
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO-x32: No Name -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-11-17] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-04-29] (Adobe Systems Incorporated)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-01-18] (Siber Systems Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-04-29] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2015-01-18] (Siber Systems Inc.)
Toolbar: HKU\S-1-5-21-1350210079-2480061043-60131931-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: osf - No CLSID Value

FireFox:
========
FF ProfilePath: C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://www.yahoo.com/?fr=yset_ff_syc_oracle&type=orcl_hpset
FF Session Restore: -> is enabled.
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-11-17] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-11-17] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-03-31] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-26] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1350210079-2480061043-60131931-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Sara\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-1350210079-2480061043-60131931-1000: @talk.google.com/O1DPlugin -> C:\Users\Sara\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-1350210079-2480061043-60131931-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Sara\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-24] (Google Inc.)
FF Plugin HKU\S-1-5-21-1350210079-2480061043-60131931-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Sara\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-24] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-03-31] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\Sara\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Sara\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF SearchPlugin: C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\searchplugins\yahoo-ysp.xml [2015-07-14]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\extensions\adblockpopups@jessehakanen.net.xpi [2015-05-31]
FF Extension: HostAdmin - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\extensions\{bd54afa8-b14a-4d7a-aecf-37e34e882796} [2015-05-31]
FF Extension: Save File to - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\extensions\savefileto@mozdev.org.xpi [2015-05-31]
FF Extension: FireFTP - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [2015-06-06]
FF Extension: ADB Helper - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\adbhelper@mozilla.org [2015-11-12]
FF Extension: Element Hiding Helper for Adblock Plus - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\elemhidehelper@adblockplus.org.xpi [2015-09-01]
FF Extension: Valence - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\fxdevtools-adapters@mozilla.org [2015-10-20]
FF Extension: IP Address and Domain Information - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\jid0-jJRRRBMgoShUhb07IvnxTBAl29w@jetpack.xpi [2015-05-29]
FF Extension: Session Manager - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2015-10-30]
FF Extension: Password Exporter - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}.xpi [2015-05-28]
FF Extension: Adblock Plus - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-09-24]
FF Extension: DownThemAll! - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2015-01-20] [not signed]
FF Extension: Theme Font & Size Changer - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\vakh215d.dev-edition-default\Extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}.xpi [2015-11-17]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2015-07-18] [not signed]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Firefox Developer Edition\firefox.exe

Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=orcl_default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (Adblock Plus) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-09-22]
CHR Extension: (Google Docs Offline) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-17]
CHR Extension: (Yahoo Web) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol [2015-11-17]
CHR Extension: (Google Hangouts) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2015-11-09]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2015-02-14]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-26]
CHR HKU\S-1-5-21-1350210079-2480061043-60131931-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Sara\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-02-14]
CHR HKU\S-1-5-21-1350210079-2480061043-60131931-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Apache2; C:\WampDeveloper\Components\Apache\bin\httpd.exe [22016 2013-12-21] (Apache Software Foundation) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-11-21] (Intel Corporation)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2014-04-08] (Motorola Mobility LLC)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
S3 Mysql5; C:\WampDeveloper\Config\Mysql\my.ini [5506 2015-01-09] () [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [175752 2015-06-23] (Sandboxie Holdings, LLC)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
R3 TermService; C:\Windows\System32\termsrv.dll [683520 2015-01-22] (Microsoft Corporation) [File not signed]
S3 vncserver; C:\Program Files\RealVNC\VNC Server\vncservice.exe [639808 2014-11-28] (RealVNC Ltd)
S3 wampapache64; c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe [24576 2014-05-01] (Apache Software Foundation) [File not signed]
S3 wampmysqld64; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe [12942848 2014-05-01] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S3 WindowBlinds; C:\Program Files (x86)\Stardock\WindowBlinds\wbsrv.exe [89600 2013-05-16] (Stardock Corporation) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 DFX11_1; C:\Windows\System32\drivers\dfx11_1x64.sys [28008 2012-12-13] (Windows ® Win 7 DDK provider)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
S3 massfilter_brcm; C:\Windows\system32\drivers\massfilter_brcm.sys [20232 2012-06-07] (Handset Incorporated)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
R3 nuvotoncir; C:\Windows\System32\DRIVERS\nuvotoncir.sys [48128 2009-08-31] (Nuvoton Technology Corporation)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [190088 2015-06-23] (Sandboxie Holdings, LLC)
U5 UnlockerDriver5; C:\Users\Sara\Downloads\Stardock Customization Software Pack 2014 (windows 8 Addons) [danhuk]\Stardock WindowBlinds 8.00\Setup\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 ALCXWDM; system32\drivers\RTKVAC64.SYS [X]
R3 ALSysIO; \??\C:\Users\Sara\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz134; \??\C:\Users\Sara\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)



==================== Files in the root of some directories =======

2015-06-08 15:40 - 2015-06-08 15:39 - 16341076 _____ () C:\Program Files (x86)\X-TaskCoach_1.4.2_rev1.zip
2015-01-01 11:23 - 2015-10-29 20:12 - 0000132 _____ () C:\Users\Sara\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-09-30 22:40 - 2015-11-17 22:21 - 0001386 ___SH () C:\Users\Sara\AppData\Roaming\systemMK.$dk
2015-05-09 10:31 - 2015-05-09 10:35 - 0008704 ___SH () C:\Users\Sara\AppData\Roaming\Thumbs.db
2015-04-17 04:21 - 2015-04-17 04:21 - 0033193 _____ () C:\Users\Sara\AppData\Roaming\UserTile.png
2015-06-07 00:57 - 2015-06-07 00:57 - 0000600 _____ () C:\Users\Sara\AppData\Roaming\winscp.rnd
2015-01-01 11:43 - 2015-06-05 16:31 - 0001456 _____ () C:\Users\Sara\AppData\Local\Adobe Save for Web 13.0 Prefs
2014-12-30 16:10 - 2014-11-27 14:14 - 0005632 _____ () C:\Users\Sara\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-29 21:40 - 2015-01-02 04:01 - 0015983 _____ () C:\Users\Sara\AppData\Local\HWVendorDetection.log
2015-01-18 20:13 - 2015-11-17 23:52 - 0000600 _____ () C:\Users\Sara\AppData\Local\PUTTY.RND
2014-12-27 13:50 - 2015-05-26 11:39 - 0007624 _____ () C:\Users\Sara\AppData\Local\resmon.resmoncfg
2014-12-30 16:10 - 2014-11-16 16:50 - 0000000 _____ () C:\Users\Sara\AppData\Local\{B09D62C6-20A0-47EC-BBCA-427DF726B3C9}
2015-05-21 13:46 - 2015-05-21 13:46 - 0000000 _____ () C:\Users\Sara\AppData\Local\{DA992AE5-E950-4A39-A860-3C23357EC9C7}
2015-04-11 17:32 - 2015-04-11 17:32 - 0740775 _____ () C:\ProgramData\AndyDrivers.zip
2014-12-29 22:11 - 2014-12-29 22:11 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-02-05 23:11 - 2015-02-05 23:13 - 0000614 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Files to move or delete:
====================
C:\Users\Sara\g2ax_customer_downloadhelper_win32_x86.exe
C:\Users\Sara\g2ax_expert_downloadhelper_win32_x86.exe


Some files in TEMP:
====================
C:\Users\Sara\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjdn8lm.dll
C:\Users\Sara\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\ose00000.exe
C:\Users\Sara\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Sara\AppData\Local\Temp\sqlite3.dll
C:\Users\Sara\AppData\Local\Temp\wlsetup-web-1.exe
C:\Users\Sara\AppData\Local\Temp\wlsetup-web.exe
C:\Users\Sara\AppData\Local\Temp\ytb.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-11 02:36

==================== End of FRST.txt ============================


#2 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:03:41 PM

Posted 23 November 2015 - 11:16 PM

Hi TechieMomma,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop-

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Let's get started....


FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

KMSpico

To do so, left click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt





Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\WB: C:\Program Files (x86)\Stardock\WindowBlinds\fast64.dll [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
IFEO\notepad.exe: [Debugger] C:\Windows\NotepadStarter.exe
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1350210079-2480061043-60131931-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO-x32: No Name -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO-x32: No Name -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> No File
Toolbar: HKU\S-1-5-21-1350210079-2480061043-60131931-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Handler: osf - No CLSID Value
FF Session Restore: -> is enabled.
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Homepage: hxxps://www.yahoo.com/?fr=yset_ff_syc_oracle&type=orcl_hpset
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Google Drive) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Sara\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2015-02-14]
CHR HKU\S-1-5-21-1350210079-2480061043-60131931-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Sara\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-02-14]
C:\Users\Sara\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx
S3 ALCXWDM; system32\drivers\RTKVAC64.SYS [X]
R3 ALSysIO; \??\C:\Users\Sara\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz134; \??\C:\Users\Sara\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Windows\system32\drivers\RTKVAC64.SYS
C:\Users\Sara\AppData\Local\Temp\ALSysIO64.sys
C:\Users\Sara\AppData\Local\Temp\cpuz134\cpuz134_x64.sys
C:\Windows\system32\DRIVERS\VBoxNetFlt.sys
C:\Windows\System32\drivers\rdvgkmd.sys
2014-12-29 22:11 - 2014-12-29 22:11 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Sara\g2ax_customer_downloadhelper_win32_x86.exe
C:\Users\Sara\g2ax_expert_downloadhelper_win32_x86.exe
C:\Users\Sara\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjdn8lm.dll
C:\Users\Sara\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\ose00000.exe
C:\Users\Sara\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Sara\AppData\Local\Temp\sqlite3.dll
C:\Users\Sara\AppData\Local\Temp\wlsetup-web-1.exe
C:\Users\Sara\AppData\Local\Temp\wlsetup-web.exe
C:\Users\Sara\AppData\Local\Temp\ytb.exe
cmd: sfc /scanfile=C:\Windows\system32\User32.dll
CustomCLSID: HKU\S-1-5-21-1350210079-2480061043-60131931-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Sara\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Hosts:
Task: {173E8226-D5C1-4820-81B4-5D99438FB513} - System32\Tasks\{7CD14D18-32C0-4676-9130-06E0FFD77193} => pcalua.exe -a C:\Users\Sara\AppData\Local\Temp\wlsetup-web-1.exe -d C:\Users\Sara\AppData\Local\Temp
Task: {4933B1AF-6FAD-4300-940B-44AE86147637} - System32\Tasks\{5FA535AB-8A41-4CA2-9261-E1F6FC8C1854} => pcalua.exe -a "C:\Users\Sara\Downloads\Setups\IntelGraphics\Intel Control Center\SetupICC.exe" -d "C:\Users\Sara\Downloads\Setups\IntelGraphics\Intel Control Center"
Task: {51565095-3631-4F30-8456-3F31AA6BDA0A} - System32\Tasks\{8EC18092-8C69-45AE-9ACB-7FE39979A02D} => pcalua.exe -a C:\Users\Sara\AppData\Local\Temp\wlsetup-web.exe -d C:\Users\Sara\AppData\Local\Temp
Task: {86FD54A7-1541-4A5C-B169-B074F5F0F4DA} - System32\Tasks\{B1569DC9-821B-4A0E-97E4-A5CF41D7C98F} => pcalua.exe -a C:\Users\Sara\Downloads\jxpiinstall.exe -d C:\Users\Sara\Downloads
Task: {B060A098-680C-4321-BA75-21C11B4F40C1} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-12-04] (@ByELDI)
C:\Program Files\KMSpico
Task: {DCC3635C-A918-4672-BD20-4CA3538BCFAC} - \AdobeAAMUpdater-1.0-Mai-PC-Sara -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:8FAE08A5
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


LAST >>>>


AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

  • Close all open windows and browsers.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • You will see the AdwCleaner console.
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt


Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

 

How is your system running now?


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.


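As an added example (not from this thread, its participants, or FRST's author), a small parser for the FRST log sections the fix above was built from: it pulls the loose-file paths into a fixlist of the shape used in the post and flags any "Bamital & volsnap" entry whose status is not one of the two pass strings FRST printed. The log excerpt, the failing status string and all function names are constructed for the example.

```python
import re
# Constructed FRST excerpt: a few lines in the shape of the log posted in this thread.
FRST_SAMPLE = r"""
Some files in TEMP:
====================
C:\Users\Sara\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Sara\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap =================
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\svchost.exe => CONSTRUCTED: did not verify
"""

OK_STATUS = ("File is digitally signed", "MD5 is legit")  # the two pass strings FRST printed
FILE_SECTIONS = ("Files to move or delete:", "Some files in TEMP:")  # loose-file headings

def parse_sections(text):
    """Map FRST section title -> its non-empty lines ('Title:' over a '=' rule, or a '==== Title ====' banner)."""
    sections, current, lines = {}, None, text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        banner = re.fullmatch(r"=+ (.+?) =+", line)
        if banner:
            current = banner.group(1); sections[current] = []
        elif re.fullmatch(r"=+", line):
            continue  # the rule line under a 'Title:' heading
        elif line and i + 1 < len(lines) and re.fullmatch(r"=+", lines[i + 1].strip()):
            current = line; sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def fixlist_candidates(text):  # the paths the helper pasted verbatim into fixlist.txt
    sections = parse_sections(text)
    return [p for title in FILE_SECTIONS for p in sections.get(title, [])]

def unverified_system_files(text):
    """'Bamital & volsnap' entries whose status is not a pass string (FRST has no automatic fix for these)."""
    flagged = []
    for line in parse_sections(text).get("Bamital & volsnap", []):
        if " => " in line:
            path, status = line.rsplit(" => ", 1)
            if status not in OK_STATUS:
                flagged.append((path, status))
    return flagged

def build_fixlist(text):
    """Minimal fixlist in the shape used in this thread: the loose files between the standard directives."""
    return "\n".join(["Start", "CreateRestorePoint:", "CloseProcesses:"]
                     + fixlist_candidates(text) + ["EmptyTemp:", "Reboot:", "end"])
```

The flagged system files are the ones a helper would follow up manually (the fixlist above uses a `cmd: sfc /scanfile=` line for that) rather than list for deletion.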

#3 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:03:41 PM

Posted 29 November 2015 - 12:20 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.





