
Computer Infected with smitfraud. Possible others.


13 replies to this topic

#1 Myroin

Myroin

  • Members
  • 7 posts

Posted 11 June 2016 - 06:33 PM

I had noticed that a number of pop-ups kept happening even while running programs like AdBlock Plus on Google Chrome and decided to run a scan with some malware detection programs. I noticed one file that it hung up on while scanning was titled smitfraud and I decided to research it to see what it was. Upon seeing that it was an infection I figured that the program would clean it out on its own. After it finished its scan, though, the files with smitfraud in them were not in the files that were found by the scanner. Any help with possible removal and anything else that must be done to clean up this PC is much appreciated. Thank you. Below is the FRST log.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-06-2016
Ran by Kylie (administrator) on KYLIE-PC (11-06-2016 18:15:52)
Running from C:\Users\Kylie\Downloads
Loaded Profiles: Kylie (Available Profiles: Kylie)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Users\Kylie\AppData\Local\Amazon Music\Amazon Music Helper.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8512760 2016-04-14] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2016-04-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3945672 2015-07-16] (Synaptics Incorporated)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3777696 2014-01-16] (Dell Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7405752 2016-06-10] (AVAST Software)
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-04] (Fitbit, Inc.)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
HKU\S-1-5-21-3210695053-1921284633-1063768586-1001\...\Run: [Amazon Music] => C:\Users\Kylie\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-08] ()
HKU\S-1-5-21-3210695053-1921284633-1063768586-1001\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-04] (Fitbit, Inc.)
HKU\S-1-5-21-3210695053-1921284633-1063768586-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-10] (AVAST Software)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\WINDOWS\system32\mscoree.dll [2015-10-30] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\WINDOWS\system32\mscoree.dll [2015-10-30] (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{4cdea984-be45-4a68-99b2-d0222cec66c2}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{b6840aea-a5b2-4a1c-83ed-0a367d1cad7e}: [DhcpNameServer] 75.75.75.75 75.75.76.76
ManualProxies: 
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-3210695053-1921284633-1063768586-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> DefaultScope {615C385F-A311-4432-8C85-6610F14E4787} URL = 
SearchScopes: HKLM -> OldSearch URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
SearchScopes: HKLM-x32 -> DefaultScope {615C385F-A311-4432-8C85-6610F14E4787} URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
SearchScopes: HKLM-x32 -> {615C385F-A311-4432-8C85-6610F14E4787} URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
SearchScopes: HKU\S-1-5-21-3210695053-1921284633-1063768586-1001 -> DefaultScope {615C385F-A311-4432-8C85-6610F14E4787} URL = 
SearchScopes: HKU\S-1-5-21-3210695053-1921284633-1063768586-1001 -> OldSearch URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-05-26] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-05-26] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-05-26] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-05-26] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-05-26] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-05-26] (Microsoft Corporation)
 
FireFox:
========
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1223183.dll [2015-12-21] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-05-26] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-06-10]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-06-10]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.com/
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggWIQoKBwoSFhgQIltZTA1DGQIOeVoNWRQQQwcUJF8PBwhBRQEFIk0FA1oDB0VXfV5bFElXTwhwJVx1DksUc1BQNVVMEnEEQw=="
CHR Profile: C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-06]
CHR Extension: (Google Docs) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-06]
CHR Extension: (Google Drive) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-27]
CHR Extension: (Adblock Plus) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-06-05]
CHR Extension: (Add to Amazon Wish List) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced [2016-06-05]
CHR Extension: (Google Search) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-29]
CHR Extension: (Avast SafePrice) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-02-14]
CHR Extension: (Google Sheets) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-06]
CHR Extension: (Google Docs Offline) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (AdBlock) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-05]
CHR Extension: (History Eraser) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjieilkfnnjoihjjonajndjldjoagffm [2016-06-08]
CHR Extension: (Avast Online Security) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-06-10]
CHR Extension: (Squitten) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhpdmnidcgpjkpppahlnknebdmfjklbc [2016-01-27]
CHR Extension: (Slinky Vintage) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkdjbhifhppglclhnmmnlfloepnolbkn [2016-01-27]
CHR Extension: (Avast) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfoemhabmpijiaamkiokpdfcnheojlaj [2016-02-14]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Apps & Extensions Developer Tool) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohmmkhmmmpcnpikjeljgnaoabkaalbgc [2014-12-25]
CHR Extension: (Gmail) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-06]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2016-06-10]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-06-10]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-06-10] (AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2945792 2016-05-26] (Microsoft Corporation)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2571352 2016-01-05] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201816 2016-01-05] (Dell Inc.)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [5750440 2015-09-04] (Fitbit, Inc.)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2016-04-14] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 My Dell Client Framework; C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe [168960 2014-01-10] (Dell Inc.) [File not signed]
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2004488 2015-06-29] (Electronic Arts)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [200240 2016-05-25] (Microsoft Corporation) [File not signed]
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-07-30] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [312056 2016-04-14] (Realtek Semiconductor)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-03-14] (Dell Inc.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246472 2015-07-16] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-06-10] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-06-10] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-06-10] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-06-10] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-06-10] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-06-10] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-06-10] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-06-10] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-06-10] (AVAST Software)
R3 athr; C:\Windows\System32\drivers\athw10x.sys [4318760 2016-04-14] (Qualcomm Atheros Communications, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-10] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-11] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [896744 2016-04-14] (Realtek                                            )
S3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [412400 2015-08-06] (Realsil Semiconductor Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [57032 2015-07-16] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-11 18:15 - 2016-06-11 18:16 - 00020248 _____ C:\Users\Kylie\Downloads\FRST.txt
2016-06-11 18:15 - 2016-06-11 18:15 - 02385408 _____ (Farbar) C:\Users\Kylie\Downloads\FRST64.exe
2016-06-11 18:15 - 2016-06-11 18:15 - 00000000 ____D C:\FRST
2016-06-11 18:14 - 2016-06-11 18:14 - 01735680 _____ (Farbar) C:\Users\Kylie\Downloads\FRST.exe
2016-06-11 18:14 - 2016-06-11 18:14 - 01735680 _____ (Farbar) C:\Users\Kylie\Downloads\FRST (1).exe
2016-06-11 17:51 - 2016-06-11 17:51 - 00388608 _____ (Trend Micro Inc.) C:\Users\Kylie\Downloads\HijackThis.exe
2016-06-11 11:45 - 2016-06-11 11:45 - 00000000 ____D C:\WINDOWS\System32\Tasks\Apple
2016-06-11 11:45 - 2016-06-11 11:45 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-06-11 01:18 - 2016-06-11 01:18 - 00000085 _____ C:\WINDOWS\wininit.ini
2016-06-11 00:37 - 2016-06-11 10:52 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-11 00:36 - 2016-06-11 00:36 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-06-11 00:36 - 2016-06-11 00:36 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-06-11 00:36 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-06-11 00:36 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-06-11 00:36 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-06-10 23:37 - 2016-06-10 23:37 - 00000000 _____ C:\autoexec.bat
2016-06-10 23:35 - 2016-06-10 23:35 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-06-10 21:52 - 2016-06-10 21:52 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-10 21:49 - 2016-06-11 13:19 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-06-10 21:49 - 2016-06-11 01:18 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-06-10 21:49 - 2016-06-10 21:49 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
2016-06-10 21:37 - 2016-06-10 21:37 - 00398152 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-06-10 21:36 - 2016-06-10 21:36 - 00052184 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-05-13 01:33 - 2016-05-13 01:33 - 20381888 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-11 18:13 - 2014-12-28 21:06 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-06-11 18:02 - 2016-02-15 14:52 - 00000924 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-11 17:51 - 2014-12-25 15:15 - 00000000 ____D C:\Users\Kylie\AppData\Local\VirtualStore
2016-06-11 17:33 - 2014-12-28 21:06 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-06-11 16:02 - 2016-02-15 14:52 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-11 14:31 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-11 14:25 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-11 14:19 - 2016-04-16 04:00 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-06-11 14:19 - 2015-08-05 20:19 - 00000000 __SHD C:\Users\Kylie\IntelGraphicsProfiles
2016-06-11 13:19 - 2016-02-13 08:14 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-11 12:03 - 2015-10-30 01:28 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-06-11 11:45 - 2014-12-26 02:28 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-06-11 01:20 - 2015-06-21 19:51 - 00004280 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2016-06-11 01:07 - 2016-04-16 04:14 - 00001564 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-06-11 01:07 - 2016-03-09 21:32 - 00002013 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2016-06-11 01:07 - 2016-02-26 21:11 - 00001212 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-06-11 01:07 - 2016-02-15 14:53 - 00002262 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002483 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002482 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002446 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002439 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002433 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk
2016-06-11 01:07 - 2016-01-20 23:41 - 00002425 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2016-06-11 01:07 - 2015-05-03 22:18 - 00001761 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-06-11 01:07 - 2014-12-27 11:47 - 00001362 _____ C:\Users\Public\Desktop\The Sims 4.lnk
2016-06-11 01:07 - 2014-12-27 04:29 - 00001139 _____ C:\Users\Public\Desktop\VLC media player.lnk
2016-06-11 01:07 - 2014-09-27 08:01 - 00000712 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® HD Graphics Control Panel.lnk
2016-06-11 01:06 - 2015-12-13 11:15 - 00000938 _____ C:\Users\Kylie\Desktop\µTorrent.lnk
2016-06-11 01:06 - 2015-08-05 20:26 - 00002409 _____ C:\Users\Kylie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-06-11 01:06 - 2015-08-05 12:29 - 00001914 _____ C:\Users\Kylie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\avast! antivirus.lnk
2016-06-11 01:06 - 2014-12-27 16:38 - 00001216 _____ C:\Users\Kylie\Desktop\Amazon Music.lnk
2016-06-11 01:06 - 2014-12-26 23:57 - 00000881 _____ C:\Users\Kylie\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2016-06-11 01:06 - 2014-12-26 02:35 - 00000997 _____ C:\Users\Kylie\Desktop\Origin.lnk
2016-06-11 01:05 - 2014-12-26 23:57 - 00000000 ____D C:\ProgramData\APN
2016-06-10 23:14 - 2015-10-30 02:24 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-06-10 23:11 - 2014-09-27 08:02 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-06-10 21:46 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
2016-06-10 21:46 - 2015-08-05 20:11 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-10 21:40 - 2016-02-26 21:11 - 00004006 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1456539094
2016-06-10 21:37 - 2015-06-21 19:51 - 00465792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-06-10 21:37 - 2015-06-21 19:51 - 00287528 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2016-06-10 21:37 - 2015-06-21 19:51 - 00166432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2016-06-10 21:37 - 2015-06-21 19:51 - 00107792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-06-10 21:37 - 2015-06-21 19:51 - 00103064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2016-06-10 21:37 - 2015-06-21 19:51 - 00074544 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-06-10 21:37 - 2015-06-21 19:51 - 00037656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-06-10 21:36 - 2016-02-18 12:55 - 00037144 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2016-06-10 21:36 - 2015-06-21 19:51 - 01070904 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-06-05 22:41 - 2016-04-16 04:04 - 00000000 ____D C:\Users\Kylie
2016-05-28 22:33 - 2014-12-25 15:17 - 00000000 ___RD C:\Users\Kylie\OneDrive
2016-05-15 23:29 - 2016-02-13 08:20 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-05-15 03:56 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\rescache
2016-05-15 03:33 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-05-15 03:16 - 2016-02-13 08:03 - 00000000 ____D C:\Program Files\Windows Journal
2016-05-15 03:16 - 2015-10-30 02:24 - 00015703 _____ C:\WINDOWS\system32\OEMDefaultAssociations.xml
2016-05-15 03:16 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\oobe
2016-05-15 03:16 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-05-15 03:16 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\Provisioning
2016-05-15 03:16 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\bcastdvr
2016-05-14 17:14 - 2014-12-27 21:10 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-05-14 17:00 - 2014-12-27 21:10 - 139319312 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-05-13 01:33 - 2014-12-28 21:06 - 00003968 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
2016-05-13 01:33 - 2014-12-28 21:06 - 00003816 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
 
==================== Files in the root of some directories =======
 
2016-04-16 03:59 - 2016-04-16 03:59 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-27 07:54 - 2014-09-27 07:54 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-09-27 07:50 - 2014-09-27 07:51 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-09-27 07:51 - 2014-09-27 07:53 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-09-27 07:53 - 2014-09-27 07:54 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-09-27 07:50 - 2014-09-27 07:50 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-10 23:19
 
==================== End of FRST.txt ============================

#2 olgun52 (Malware Response Team)

Posted 11 June 2016 - 07:00 PM

Hello Myroin and welcome to BleepingComputer. :welcome:

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. (How do I open the computer as administrator?)
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely
:hello:


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 Myroin (Topic Starter)

Posted 11 June 2016 - 07:12 PM

Thank you for your speed in getting to my problem. I look forward to whatever advice you have!

#4 olgun52 (Malware Response Team)

Posted 11 June 2016 - 07:36 PM

Hi again,

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > "I have read the warning and wish to proceed anyway".
  • Auto Launch > untick the box next to it.
  • Scan type > Smart scan (default).
  • Close all open files, folders and browsers.
  • Click Scan Now ("Run as Administrator") and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

==================================

How is it now, and are there still symptoms?



 


 


#5 Myroin (Topic Starter)

Posted 11 June 2016 - 08:49 PM

Zemana AntiMalware 2.20.2.985 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/6/11
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i3-4030U CPU @ 1.90GHz
BIOS Mode              : UEFI
CUID                   : 12571F284D50B4B000DB38
Scan Type              : Smart Scan
Duration               : 3m 42s
Scanned Objects        : 14479
Detected Objects       : 4
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
Internet Explorer Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut
 
Internet Explorer Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut
 
Chrome Policy
Status             : Scanned
Object             : ajfkkibblclcckocmcmcgmbemadahdam
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Policy
 
Chrome Policy
Status             : Scanned
Object             : ajfkkibblclcckocmcmcgmbemadahdam
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Policy
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 4
Reported as safe      : 0
Failed                : 0
 
 
 
This was the report.  I don't have as many pop ups coming up currently.


#6 olgun52 (Malware Response Team)

Posted 11 June 2016 - 09:16 PM

Good job. :thumbup2:

How to Enable and Disable System Restore

Please enable it.

https://support.microsoft.com/en-us/kb/264887

===============================================

 

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CreateRestorePoint:
CloseProcesses:
Task: {206BB383-AB57-4C80-B162-C2F9AA09E4AD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3FCCF87E-A05C-45D6-8D38-2D3693183FCF} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {56A06791-CD7D-4D61-A91B-6A7CEAC38F63} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {621F6205-0248-444B-938D-60B9BB10B2F9} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8BF8B8EC-C311-4CF9-86D3-27D8FB3310E5} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A5A3DB17-A65A-4935-A4F4-AAA8C016E040} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {BEE873D4-C2D3-4FFC-8258-D403AFF1A2FD} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {DF0F82F7-39B6-45CD-A030-01DB0C10FC8D} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {EE1200E1-5A19-4906-BF2D-14FC1478042F} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {F309AAA1-38AE-4DCD-8B98-8632464CC7EE} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {F55230E9-8B22-4897-9839-98F7E194E146} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
FirewallRules: [{62BCDF7C-52B4-420E-884F-B83D69F528E4}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{EBC6B211-BB10-485D-9D86-45CA453695BE}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{CA365640-AD9B-4652-995D-002ECEEBF813}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{FC44706D-478E-4A46-BD9F-43E23509D86F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {615C385F-A311-4432-8C85-6610F14E4787} URL = 
SearchScopes: HKLM -> OldSearch URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
SearchScopes: HKLM-x32 -> DefaultScope {615C385F-A311-4432-8C85-6610F14E4787} URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
SearchScopes: HKLM-x32 -> {615C385F-A311-4432-8C85-6610F14E4787} URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
SearchScopes: HKU\S-1-5-21-3210695053-1921284633-1063768586-1001 -> DefaultScope {615C385F-A311-4432-8C85-6610F14E4787} URL = 
SearchScopes: HKU\S-1-5-21-3210695053-1921284633-1063768586-1001 -> OldSearch URL = 
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggWIQoKBwoSFhgQIltZTA1DGQIOeVoNWRQQQwcUJF8PBwhBRQEFIk0FA1oDB0VXfV5bFElXTwhwJVx1DksUc1BQNVVMEnEEQw=="
CHR Extension: (Squitten) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhpdmnidcgpjkpppahlnknebdmfjklbc [2016-01-27]
HKU\S-1-5-21-3210695053-1921284633-1063768586-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
CHR Extension: (Slinky Vintage) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkdjbhifhppglclhnmmnlfloepnolbkn [2016-01-27]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-10] ()
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-06-10 21:49 - 2016-06-11 13:19 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-06-10 21:49 - 2016-06-11 01:18 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
C:\WINDOWS\System32\Tasks\Safer-Networking
C:\ProgramData\APN
2016-04-16 03:59 - 2016-04-16 03:59 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-27 07:54 - 2014-09-27 07:54 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-09-27 07:50 - 2014-09-27 07:51 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-09-27 07:51 - 2014-09-27 07:53 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-09-27 07:53 - 2014-09-27 07:54 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-09-27 07:50 - 2014-09-27 07:50 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
====================================================================================

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

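The fixlist in the post above is a good illustration of what an FRST-based cleanup actually targets: orphaned scheduled tasks that point at "No File", Chrome policy restrictions the user never set, an overridden search provider and startup page, two unfamiliar Chrome extensions identified by their 32-character ids, and a driver with no publisher recorded in the "()" field. The following Python script is an added example (not FRST's own code and not part of the helper's instructions) that parses those FRST line types, un-defangs the hxxp URLs so their hostnames can be extracted, and flags each line by the same criteria a reviewer applies. The sample input is copied from the fixlist in this thread; the two allowlists are assumptions made for the example.

```python
"""Triage FRST-style log lines: an added example, not FRST's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input: lines copied from the fixlist posted in this thread.
SAMPLE_LINES = r"""
Task: {206BB383-AB57-4C80-B162-C2F9AA09E4AD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
FirewallRules: [{62BCDF7C-52B4-420E-884F-B83D69F528E4}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> OldSearch URL = hxxp://cn.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggWIQoKBwoSFhgQIltZTA1DGQIOeVoNWRQQQwcUJF8PBwhBRQEFIk0FA1oDB0VXfV5bFElXTwhwJVx1DksUc1BQNVVMEnEEQw=="
CHR Extension: (Squitten) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhpdmnidcgpjkpppahlnknebdmfjklbc [2016-01-27]
CHR Extension: (Slinky Vintage) - C:\Users\Kylie\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkdjbhifhppglclhnmmnlfloepnolbkn [2016-01-27]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-06-10] ()
"""

# Assumed allowlists for this example; real triage would use the organisation's own lists.
TRUSTED_HOSTS = {"www.bing.com", "www.google.com"}
TRUSTED_EXTENSION_IDS = set()  # empty: every extension id gets a human look

ATTENTION = re.compile(r"\s*<=+ ATTENTION\s*$")
TASK = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<path>.+?) -> (?P<target>.+)$")
FIREWALL = re.compile(r"^FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => \((?P<action>\w+)\) (?P<path>.+)$")
POLICY = re.compile(r"^(GroupPolicy:|CHR HKLM\\SOFTWARE\\Policies\\)")
SEARCH = re.compile(r"^SearchScopes: (?P<hive>\S+) -> (?P<scope>.+?) URL = (?P<url>.*)$")
STARTUP = re.compile(r'^CHR RestoreOnStartup: (?P<profile>\S+) -> "(?P<url>[^"]*)"')
EXTENSION = re.compile(r"^CHR Extension: \((?P<name>[^)]*)\) - .*\\(?P<ext_id>[a-p]{32}) \[")
DRIVER = re.compile(r"^[SRU]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ [\d-]+\] \((?P<publisher>[^)]*)\)$")


@dataclass
class Finding:
    kind: str        # task, firewall, policy, search_scope, startup_page, extension, driver, other
    subject: str     # what the line is about (path, hive/scope, extension id, ...)
    detail: str
    flagged: bool    # True when the line deserves a human look
    host: Optional[str] = None


def refang(url: str) -> str:
    """Undo FRST's hxxp defanging so the URL can be parsed (it is never opened)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url: str) -> Optional[str]:
    return urlsplit(refang(url)).hostname if url else None


def parse_line(raw: str) -> Optional[Finding]:
    line = raw.strip()
    if not line:
        return None
    attention = bool(ATTENTION.search(line))   # FRST's own "<==== ATTENTION" marker
    body = ATTENTION.sub("", line)
    if m := TASK.match(body):                    # scheduled task; "No File" means an orphan
        return Finding("task", m["path"], m["target"], attention or m["target"] == "No File")
    if m := FIREWALL.match(body):                # allow rules are recorded, not flagged by themselves
        return Finding("firewall", m["path"], m["action"], attention)
    if POLICY.match(body):                       # browser policy restriction outside the user's control
        return Finding("policy", body, "browser policy restriction", attention)
    if m := SEARCH.match(body):                  # search provider override
        host = host_of(m["url"])
        return Finding("search_scope", f"{m['hive']} {m['scope']}", refang(m["url"]),
                       attention or (host is not None and host not in TRUSTED_HOSTS), host)
    if m := STARTUP.match(body):                 # Chrome startup page override
        host = host_of(m["url"])
        return Finding("startup_page", m["profile"], refang(m["url"]),
                       attention or (host is not None and host not in TRUSTED_HOSTS), host)
    if m := EXTENSION.match(body):               # Chrome extension, keyed by its 32-char id
        return Finding("extension", m["ext_id"], m["name"],
                       attention or m["ext_id"] not in TRUSTED_EXTENSION_IDS)
    if m := DRIVER.match(body):                  # kernel driver; an empty "()" means no publisher recorded
        publisher = m["publisher"].strip()
        return Finding("driver", m["path"], publisher or "no publisher recorded", attention or not publisher)
    return Finding("other", body, "", attention)


def triage(text: str) -> list[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def summarize(findings: list[Finding]) -> dict:
    by_kind: dict[str, int] = {}
    for f in findings:
        by_kind[f.kind] = by_kind.get(f.kind, 0) + 1
    return {
        "total": len(findings),
        "flagged": sum(f.flagged for f in findings),
        "by_kind": by_kind,
        "hosts": sorted({f.host for f in findings if f.host}),
        "extension_ids": [f.subject for f in findings if f.kind == "extension"],
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(("!! " if f.flagged else "   ") + f"{f.kind:13} {f.subject}  {f.detail}")
    print(summarize(found))
```

Run against the sample, eight of the nine lines are flagged and only the McAfee firewall allow rule is recorded without a flag, which matches what the helper chose to remove. The extension ids and hostnames the summary collects are the values a defender would then look up in the extension store or a reputation service rather than anything the script decides on its own.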

 


 


#7 Myroin (Topic Starter)

Posted 11 June 2016 - 10:18 PM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/11/2016
Scan Time: 9:42 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.06.12.01
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Kylie
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 310664
Time Elapsed: 25 min, 12 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

#8 olgun52 (Malware Response Team)

Posted 12 June 2016 - 08:35 AM

Nice :thumbup2:

 

Step 1:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 


 


#9 Myroin (Topic Starter)

Posted 12 June 2016 - 11:13 AM

# AdwCleaner v5.119 - Logfile created 12/06/2016 at 11:00:43
# Updated 30/05/2016 by Xplode
# Database : 2016-06-12.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Kylie - KYLIE-PC
# Running from : C:\Users\Kylie\Downloads\adwcleaner_5.119.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
 
***** [ Web browsers ] *****
 
 
*************************

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64 
Ran by Kylie (Administrator) on Sun 06/12/2016 at 11:04:24.37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 2 
 
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/12/2016 at 11:11:58.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#10 olgun52 (Malware Response Team)

Posted 12 June 2016 - 08:02 PM

Hi again,

 

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

=========================================================================

How is the machine running now, and are there any issues? Please let me know.



 


 


#11 Myroin (Topic Starter)

Posted 13 June 2016 - 12:02 AM

C:\Users\Kylie\AppData\Roaming\uTorrent\updates\3.4.2_37594.exe a variant of Win32/OpenCandy.A potentially unsafe application cleaned by deleting
C:\Users\Kylie\Desktop\uTorrent.exe a variant of Win32/OpenCandy.A potentially unsafe application cleaned by deleting
 
 
There seem to be drastically fewer pop-ups currently. When that last scan happened I did not notice any file names with smitfraud in them, but I haven't seen any files cleaned off the computer with that title either. I will use the computer for a bit to see if any more pop-ups occur.


#12 olgun52 (Malware Response Team)

Posted 13 June 2016 - 07:32 PM

> There seems to be drastically less pop ups currently.
> Will use the computer for a bit to see if any more pop ups occur.

e.g.: which pop-ups do you see? Would you write them down?


Edited by olgun52, 13 June 2016 - 07:33 PM.


 


 


#13 Myroin (Topic Starter)

Posted 14 June 2016 - 07:11 PM

Pardon me for not getting back to you sooner.  After several hours of use it seems that there are no longer any pop ups appearing.  I greatly appreciate your time and help!  Thank you so much!



#14 olgun52 (Malware Response Team)

Posted 15 June 2016 - 03:50 PM

You are welcome. Is there any other issue now?



 


 




