
Suspicious Activity (uncertain if affected)


  • This topic is locked
27 replies to this topic

#1 sremed60

  • Members
  • 19 posts
  • Gender:Male
Posted 13 June 2016 - 08:49 AM

I had AVG Free for years without any serious issues. I decided to switch it up and try Avast (free). When I did a scan with Avast it gave me a message that my router was set to "weak password" with a link to fix it. When I tried to log into the Netgear site it wouldn't accept the password, so I contacted my cable provider who I lease the router from. The person I talked to told me to contact Netgear support (I later learned they weren't supposed to refer me to Netgear, but that's neither here nor there). The number I found for Netgear support online was 855-666-8856. I spoke to some guy with very bad English who had me open the Netgear support page and immediately began telling me to just click yes on the prompts he was sending me. I realized he was attempting to have me give him control of my computer so I said, "I just want to know how to change my password, I don't need you to do it for me, just tell me how to do it." He got irritated and told me he couldn't help me over the phone unless he had access. It seemed odd but I'm no techie and at that point I believed I was speaking to an authorized Netgear support tech, so I clicked the prompts and allowed him to control the computer. He ran a scan and showed me where someone had accessed my computer on June 7th at 12:54pm. He then took me to a page and started showing me different SonicWall options trying to sell me that product for $300+. I told him I wasn't interested in buying anything, I just wanted to change the password to my router. He got irritated again and said "OK, we can fix everything for a one time fee of $79.99." At that point I said just disconnect from my computer. He never changed my password.


I immediately contacted my cable provider and explained all that. The guy I spoke to showed me how to change the password to my router and assured me that now that it was changed I was secure. He's the one who told me the first person I talked to should not have referred me to Netgear. He also sent me a link to download their free version of McAfee. The next day we had no internet. I called, the guy refreshed my router and the internet was back on. The day after that the internet seemed extremely slow, so I decided to use the link to McAfee to see what was going on. When I tried to log into my account with my cable provider using the same user name and password I had used for years, it wouldn't allow me to log in. I called them again, they reset my password for me, and again assured me that I was quite secure now. They had no explanation for how or why my old password suddenly didn't work.

So I'm not a techie, but I am paranoid. I'm not sure if that idiot I thought was a legitimate Netgear tech was. I don't know if that breach he showed me on June 7 was legitimate. I just want to make sure I don't have any kind of spyware downloaded anywhere.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:12-06-2016 01
Ran by Owner (administrator) on OWNER-PC (13-06-2016 06:10:22)
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner & UpdatusUser (Available Profiles: Owner & UpdatusUser)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft) C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(Motorola) C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(WIBU-SYSTEMS AG) C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\MountPoints2: {4d7745c2-b092-11e5-965f-b1111abde6d8} - E:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\MountPoints2: {5b6f0fb7-b545-11e5-96ae-b84094b070eb} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\MountPoints2: {60c79741-b79f-11e5-92dd-9c64d22512f0} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\MountPoints2: {8314b8a7-4cc7-11e5-951b-d56893e5b1fe} - E:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\MountPoints2: {edf26309-6055-11e2-beaa-00217048a8f9} - E:\HPLauncher.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{2FED70CA-54C3-412C-9B52-67BEEDF0DA4B}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{A7391524-80C5-4E47-B2CC-DD3B96812072}: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/?ilc=8
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yahoo.com/?ilc=8
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.google.com
hxxp://www.yahoo.com/?ilc=8
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3931276179-3777703916-1810220762-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3931276179-3777703916-1810220762-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=mkg028
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} hxxp://files.pcpitstop.com/cab/PCMatic.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [2016-04-20] (McAfee, Inc.)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [2016-04-20] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll [2016-03-31] (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8uio6gxl.default-1456921971378
FF Homepage: hxxps://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-13] ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-03-31] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2014-01-10] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-05-27] (Adobe Systems Inc.)
FF Extension: McAfee WebAdvisor - C:\Program Files\McAfee\SiteAdvisor\saffplg.xpi [2016-06-12]
FF Extension: Download YouTube Videos as MP4 - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8uio6gxl.default-1456921971378\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2016-04-17]
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2016-06-12] [not signed]
FF HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => not found

Chrome:
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx [2016-04-20]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2304912 2011-07-06] (WIBU-SYSTEMS AG)
R2 hasplms; C:\Windows\system32\hasplms.exe [4665168 2015-09-23] (SafeNet Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
S4 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.7.485.8398\AdAwareService.exe [663592 2015-06-24] ()
R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [140552 2016-04-20] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [793432 2016-03-31] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe [1258968 2016-03-14] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [561688 2016-03-07] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [198136 2016-01-25] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [343304 2016-02-19] (McAfee, Inc.)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [267640 2016-01-25] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [799600 2016-03-15] (McAfee, Inc.)
S4 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [128512 2015-04-15] (Motorola Mobility LLC) [File not signed]
R2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [378848 2016-03-10] (McAfee, Inc.)
R2 NovaPdfServer; C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [41760 2015-09-21] (Microsoft)
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [741408 2016-03-02] (Intel Security, Inc.)
R2 PST Service; C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [745224 2015-12-07] (DEVGURU Co., LTD.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [46976 2009-07-13] (Microsoft Corporation)
R2 aksfridge; C:\Windows\System32\DRIVERS\aksfridge.sys [438640 2015-09-23] (SafeNet Inc.)
S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [261464 2015-09-23] (SafeNet Inc.)
S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [70616 2015-09-23] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [313624 2015-09-23] (SafeNet Inc.)
R0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2009-07-13] (Microsoft Corporation)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72568 2016-01-29] (McAfee, Inc.)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [618352 2015-09-23] (SafeNet Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [157288 2015-05-19] (McAfee, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [35992 2015-06-18] ()
S3 L6UX2; C:\Windows\System32\Drivers\L6UX2.sys [571264 2010-03-09] (Line 6)
R3 MAFW; C:\Windows\System32\DRIVERS\mafw.sys [192392 2009-07-29] (Avid Technology, Inc.)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [323304 2016-01-29] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [272832 2016-01-29] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [382024 2016-01-29] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [651952 2016-01-29] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [428320 2016-02-10] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [89552 2016-02-10] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files\McAfee\SiteAdvisor\mfesapsn.sys [41096 2016-03-15] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [200800 2016-01-29] (McAfee, Inc.)
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [47488 2014-02-13] (NetFilterSDK.com) [File not signed]
S3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [408280 2015-01-22] (BitDefender S.R.L.)
S3 mcdbus; system32\DRIVERS\mcdbus.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-13 06:10 - 2016-06-13 06:10 - 00013986 _____ C:\Users\Owner\Downloads\FRST.txt
2016-06-13 06:09 - 2016-06-13 06:10 - 00000000 ____D C:\FRST
2016-06-13 06:08 - 2016-06-13 06:08 - 01735680 _____ (Farbar) C:\Users\Owner\Downloads\FRST.exe
2016-06-13 06:05 - 2016-06-13 06:05 - 00001081 _____ C:\Users\Public\Desktop\DriveImage XML.lnk
2016-06-13 06:05 - 2016-06-13 06:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
2016-06-13 06:05 - 2016-06-13 06:05 - 00000000 ____D C:\Program Files\Runtime Software
2016-06-13 06:04 - 2016-06-13 06:04 - 02026456 _____ C:\Users\Owner\Downloads\dixmlsetup.exe
2016-06-12 20:08 - 2016-06-12 20:08 - 00186880 _____ (CEXX.ORG) C:\Users\Owner\Downloads\LSPFix.exe
2016-06-12 20:00 - 2016-06-12 20:00 - 00000000 ____D C:\Users\Owner\Downloads\backups
2016-06-12 19:47 - 2016-06-12 19:48 - 00388608 _____ (Trend Micro Inc.) C:\Users\Owner\Downloads\HijackThis.exe
2016-06-12 19:13 - 2016-06-12 19:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-06-12 19:13 - 2016-06-12 19:13 - 00001920 _____ C:\Users\Public\Desktop\McAfee Multi Access - Total Protection (PC).lnk
2016-06-12 19:12 - 2015-05-19 13:59 - 00157288 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\HipShieldK.sys
2016-06-12 19:11 - 2016-06-12 19:11 - 00000000 ____D C:\ProgramData\Intel Security
2016-06-12 19:09 - 2016-06-12 19:15 - 00000000 ____D C:\Program Files\McAfee
2016-06-12 19:09 - 2016-06-12 19:09 - 00000000 ____D C:\Program Files\McAfee.com
2016-06-12 19:09 - 2016-06-12 19:09 - 00000000 ____D C:\Program Files\Common Files\Intel Security
2016-06-12 19:05 - 2016-06-12 19:12 - 00000000 ____D C:\Program Files\Common Files\McAfee
2016-06-12 19:05 - 2016-01-25 16:53 - 00267640 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2016-06-12 19:04 - 2016-06-12 19:05 - 08320264 _____ (McAfee, Inc.) C:\Users\Owner\Downloads\Setup_serial_VfS1MISEPi6rzQaPjgjTdg2_key.exe
2016-06-10 15:33 - 2016-06-10 15:33 - 00031727 _____ C:\Users\Owner\Documents\Kitchen Countertops.pdf
2016-06-10 11:51 - 2016-06-10 12:26 - 00000000 ____D C:\Users\Owner\AppData\Local\LogMeIn Rescue Applet
2016-06-10 11:51 - 2016-06-10 11:51 - 01824808 _____ (LogMeIn, Inc.) C:\Users\Owner\Downloads\Support-LogMeInRescue.exe
2016-06-09 13:18 - 2016-06-09 13:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2016-06-09 11:41 - 2016-06-12 18:39 - 00000000 ____D C:\ProgramData\AVAST Software
2016-06-09 11:41 - 2016-06-09 11:41 - 05066104 _____ (AVAST Software) C:\Users\Owner\Downloads\avast_free_antivirus_setup_online.exe
2016-06-08 15:37 - 2016-06-08 15:37 - 00014513 _____ C:\Users\Owner\Documents\Meat Sauce.pdf
2016-06-03 13:25 - 2016-06-03 13:26 - 16321417 _____ C:\Users\Owner\Downloads\Butchering a Whole Chicken in 60 Seconds or Less.mp4
2016-06-03 13:20 - 2016-06-03 13:20 - 19910814 _____ C:\Users\Owner\Downloads\Asian Style Dice _ Julienne.mp4
2016-06-03 13:03 - 2016-06-03 13:03 - 20367160 _____ C:\Users\Owner\Downloads\Three Major Knife Cuts.mp4
2016-06-03 12:51 - 2016-06-03 12:51 - 02535039 _____ C:\Users\Owner\Downloads\F-is-for-Flavor.pdf
2016-06-03 09:02 - 2016-06-03 16:09 - 00000000 ____D C:\Users\Owner\Documents\Cooking
2016-06-01 19:29 - 2016-06-01 19:29 - 09639936 _____ C:\Users\Owner\Downloads\HVLectureSkillsIDay2.ppt
2016-06-01 19:17 - 2016-06-01 19:17 - 07821312 _____ C:\Users\Owner\Downloads\HVLectureSkillsIDay1.ppt
2016-05-25 08:27 - 2016-05-25 08:27 - 06893688 _____ (Piriform Ltd) C:\Users\Owner\Downloads\ccsetup518.exe
2016-05-25 08:27 - 2016-05-25 08:27 - 00000969 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-05-25 08:27 - 2016-05-25 08:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-05-20 16:26 - 2016-05-20 16:26 - 00202295 _____ C:\Users\Owner\Downloads\libmp3lame-win-3.99.3.zip
2016-05-20 09:45 - 2016-05-20 09:45 - 00000016 _____ C:\Users\Owner\Documents\txt.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-13 05:58 - 2009-07-13 21:34 - 00020704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-13 05:58 - 2009-07-13 21:34 - 00020704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-13 05:49 - 2009-07-13 21:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-13 05:33 - 2013-03-03 13:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-13 05:30 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\inf
2016-06-13 04:56 - 2014-02-05 09:06 - 00000000 ____D C:\ProgramData\McAfee
2016-06-13 04:49 - 2015-07-10 19:46 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-06-13 04:49 - 2015-06-05 08:11 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-06-12 19:48 - 2013-01-16 19:29 - 00000000 ____D C:\Users\Owner\AppData\Local\VirtualStore
2016-06-12 19:18 - 2015-03-27 11:28 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-06-12 19:09 - 2015-06-27 08:20 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-10 12:28 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\system32\NDF
2016-06-09 13:27 - 2013-04-12 20:19 - 00000000 ____D C:\Users\UpdatusUser
2016-06-09 13:23 - 2015-01-28 11:49 - 00000000 ____D C:\Users\Owner\AppData\Local\Avg
2016-06-09 13:23 - 2015-01-28 11:48 - 00000000 ____D C:\ProgramData\AVG
2016-06-09 13:23 - 2014-09-21 16:53 - 00000000 ____D C:\Program Files\AVG
2016-06-09 13:23 - 2013-01-17 06:26 - 00000000 ____D C:\ProgramData\MFAData
2016-06-09 13:21 - 2015-10-23 19:31 - 00000000 ____D C:\Users\Owner\AppData\Local\AvgSetupLog
2016-06-09 13:18 - 2014-12-16 08:27 - 00000000 ____D C:\Program Files\QuickTime
2016-06-09 13:18 - 2013-01-17 19:17 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-06-09 13:18 - 2013-01-17 19:17 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-06-09 13:17 - 2013-07-22 07:12 - 00000000 ____D C:\ProgramData\Apple Computer
2016-06-07 12:34 - 2015-10-21 11:29 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-06-03 13:44 - 2013-01-16 19:38 - 00781846 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-26 16:55 - 2015-04-04 01:32 - 00000000 ___SD C:\Windows\system32\GWX
2016-05-25 08:27 - 2016-03-23 11:03 - 00000000 ____D C:\Program Files\CCleaner
2016-05-23 14:25 - 2016-02-25 12:24 - 00000000 ____D C:\Users\Owner\Documents\BeerSmith2
2016-05-20 17:13 - 2014-03-31 11:45 - 00000000 ____D C:\Users\Owner\AppData\Local\WMTools Downloaded Files
2016-05-20 16:35 - 2014-03-31 12:26 - 00042496 _____ C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-05-20 16:34 - 2014-03-31 12:17 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Clone2Go Video Converter Free Version
2016-05-20 16:28 - 2013-01-18 00:33 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Audacity
2016-05-20 16:27 - 2015-02-15 11:03 - 00421888 _____ C:\Users\Owner\Downloads\lame_enc.dll
2016-05-20 16:23 - 2015-05-02 19:06 - 00000000 ____D C:\Users\Owner\Downloads\All For Now

==================== Files in the root of some directories =======

2013-12-24 19:23 - 2013-12-24 19:27 - 0000580 _____ () C:\Users\Owner\AppData\Local\cookies.ini
2014-03-31 12:26 - 2016-05-20 16:35 - 0042496 _____ () C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-05-08 07:08 - 2016-05-08 07:08 - 0007605 _____ () C:\Users\Owner\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\Owner\AppData\Local\Temp\McCSPInstall.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-08 16:05

==================== End of FRST.txt ============================


#2 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
Posted 14 June 2016 - 09:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Unhide files/folders Windows 7.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Remove this program via the Control Panel > Programs > Programs and Features applet.
SavingsBull (Version: 1.0.0.0 - SavingsBull) Hidden <==== ATTENTION

===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => not found
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - hxxp://clients2.google.com/service/update2/crx
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [47488 2014-02-13] (NetFilterSDK.com) [File not signed]
S3 mcdbus; system32\DRIVERS\mcdbus.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\UpdatusUser\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
Task: {01393EB7-0BD6-4888-A57D-9DB6FC109687} - System32\Tasks\0415avUpdateInfo => C:\ProgramData\Avg_Update_0415av\0415av_AVG-Secure-Search-Update.exe [2015-04-21] ()
Task: {BAFFD272-2A55-405F-99FC-91BF6BEDDA37} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: C:\Windows\Tasks\0415avUpdateInfo.job => C:\ProgramData\Avg_Update_0415av\0415av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
MSCONFIG\startupreg: AVG_UI => "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
C:\Windows\System32\drivers\netfilter.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
  • If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know of any issues with this computer.

#3 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
Posted 20 June 2016 - 08:02 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq

  • Malware Response Team

Posted 21 June 2016 - 07:51 AM

This topic has been re-opened at the request of the person who originally posted.

#5 sremed60

  • Topic Starter

Posted 21 June 2016 - 11:23 AM

Thank you. I followed all the instructions, below are the two logs. I just wanted to add some things that may or may not be relevant.

  1. In the first step the "Show Hidden Files" button was already selected.
  2. In the second step there was no program called "SavingsBull" in the list. I also did a search for SavingsBull in the RUN BOX and nothing showed up. So I'm not sure how "hidden" it is or if it somehow got deleted since I first posted this.
  3. When I clicked to run FRST a small box popped up that says FRST Failed to Update (5) or something like that. I just closed the box and hit "Fix" anyway.

Here are the logs:


Fix result of Farbar Recovery Scan Tool (x86) Version:12-06-2016 01
Ran by Owner (2016-06-21 08:47:50) Run:2
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner & UpdatusUser (Available Profiles: Owner & UpdatusUser)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => not found
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - hxxp://clients2.google.com/service/update2/crx
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [47488 2014-02-13] (NetFilterSDK.com) [File not signed]
S3 mcdbus; system32\DRIVERS\mcdbus.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\UpdatusUser\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File
Task: {01393EB7-0BD6-4888-A57D-9DB6FC109687} - System32\Tasks\0415avUpdateInfo => C:\ProgramData\Avg_Update_0415av\0415av_AVG-Secure-Search-Update.exe [2015-04-21] ()
Task: {BAFFD272-2A55-405F-99FC-91BF6BEDDA37} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: C:\Windows\Tasks\0415avUpdateInfo.job => C:\ProgramData\Avg_Update_0415av\0415av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
MSCONFIG\startupreg: AVG_UI => "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
C:\Windows\System32\drivers\netfilter.sys

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key not found.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01} => key not found.
HKCR\CLSID\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01} => key not found.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\Software\Mozilla\Firefox\Extensions\\{e4f94d1e-2f53-401e-8885-681602c0ddd8} => value not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh => key not found.
netfilter => service not found.
mcdbus => service not found.
Synth3dVsc => service not found.
tsusbhub => service not found.
VGPU => service not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736} => key not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394} => key not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKU\S-1-5-21-3931276179-3777703916-1810220762-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{01393EB7-0BD6-4888-A57D-9DB6FC109687} => key not found.
C:\Windows\System32\Tasks\0415avUpdateInfo => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0415avUpdateInfo => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAFFD272-2A55-405F-99FC-91BF6BEDDA37} => key not found.
C:\Windows\System32\Tasks\ROC_REG_JAN_DELETE => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ROC_REG_JAN_DELETE => key not found.
C:\Windows\Tasks\0415avUpdateInfo.job => not found.
C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => not found.
MSCONFIG\startupreg: AVG_UI => "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY => Error: No automatic fix found for this entry.
"C:\Windows\System32\drivers\netfilter.sys" => not found.
EmptyTemp: => 61.8 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:48:20 ====


# AdwCleaner v5.200 - Logfile created 21/06/2016 at 09:06:47
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-20.3 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (X86)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Desktop\adwcleaner_5.200.exe
# Option : Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\ProgramData\AVG Security Toolbar
Folder Found : C:\ProgramData\Avg_Update_0116av
Folder Found : C:\ProgramData\Avg_Update_0316av
Folder Found : C:\ProgramData\Avg_Update_0415av
Folder Found : C:\ProgramData\Avg_Update_0615av
Folder Found : C:\ProgramData\Avg_Update_0715av
Folder Found : C:\ProgramData\Avg_Update_0915av
Folder Found : C:\ProgramData\Avg_Update_1015av
Folder Found : C:\ProgramData\Avg_Update_1215av
Folder Found : C:\ProgramData\Application Data\AVG Security Toolbar
Folder Found : C:\ProgramData\Application Data\Avg_Update_0116av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0316av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0415av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0615av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0715av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0915av
Folder Found : C:\ProgramData\Application Data\Avg_Update_1015av
Folder Found : C:\ProgramData\Application Data\Avg_Update_1215av
Folder Found : C:\Program Files\DriverAssist
Folder Found : C:\Program Files\File Type Helper
Folder Found : C:\Windows\Installer\{6DDE8071-E4BA-461B-8A96-990DFAA0EBD1}
Folder Found : C:\Windows\Installer\{813BA625-B0FA-48D8-9B75-59759C88C219}
Folder Found : C:\Windows\system32\config\systemprofile\AppData\LocalLow\AVG SafeGuard toolbar

***** [ Files ] *****

File Found : C:\Windows\system32\lavasofttcpservice.dll
File Found : C:\Windows\system32\LavasoftTcpServiceOff.ini

***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCompress3.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioFile3.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioFileWMA3.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioFormatSettings3.DLL
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Key Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Key Found : HKLM\SOFTWARE\Classes\AppID\{5E50AE1D-BC76-418B-94C4-EFEAC0CEF80C}
Key Found : HKLM\SOFTWARE\Classes\AppID\{69E54DE2-C4ED-4BEC-8046-E3F9AC74B4B0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{F54A0D21-6A53-460C-8301-C694EC9E1033}
Key Found : HKLM\SOFTWARE\Classes\AppID\{F7BCCFD4-2FA6-477D-A1B0-EF7500B3C49E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F14321-8FED-4CBC-B01A-4B57FC199062}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{23BDC78C-B7BB-42E5-B970-54B292592D72}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2C6F7E96-73BC-47A5-9F51-B67F0BAFE24D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4C58EB04-7B72-4D3D-A36E-66167A99BC31}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4EE0B011-604C-47F3-8F2B-39F79640B85E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CD5175E2-7CC1-418C-B66C-0AB95DAD4103}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D8BFC514-1135-4393-B09A-193D2AAC5037}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6BC38BF4-E84D-46E1-920B-42D31AEA617E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{98ED0D10-F1FC-4113-A095-9BD7F96040C9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B162A975-6C7C-4202-9167-306028913A3D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DEF4ED0D-E666-4631-A35A-A634332F0550}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{43B4B831-F41F-4F73-8F14-4FFF0BA75B1B}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6C9945B7-1D19-46CB-88C0-45A24DF6CD6E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{84B9B044-17C0-48FB-A300-C9747D5DF29C}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{85672EDB-2CC8-40B9-A9E8-77D3478F2EFB}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
Key Found : HKCU\Software\Define Ext
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\AVG Secure Search
Key Found : HKLM\SOFTWARE\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Define Ext
Key Found : HKLM\SOFTWARE\Lavasoft\Web Companion
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DDE8071-E4BA-461B-8A96-990DFAA0EBD1}
Key Found : HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\Software\Define Ext
Key Found : HKU\S-1-5-21-3931276179-3777703916-1810220762-1000\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C19AC53289098045B06B0DD1D37CBAB
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23D9E9D21B4E77E41B9F50DD22F24E20
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23EEA1F105A7F45449974D9B95E7AC89
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26982796A8AFD1246B95E00265A95BF9
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32DA746012E6D4F488AAD113D6FA4A44
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42D92D0D75AFEF74297E03876C8D9D33
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50FFE845C555A6E4BADB7CB7A145BFEB
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\715A3348920B6534690067594BB69F60
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7B7B13B037A7C2A42AC3E3EAF14D7107
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D05B2942E9CC80499F397F6114DFB35
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8591B8948E1C4A04F90505B3CDEE8555
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8D841C5FEC311624CB88D49DB3884FA7
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD04033484A18CA4CAB3EE59D39D756E
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD746BF3B3B3FD8409B86604BA85982A
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF767AE36C8829547ACD71A4249A42B9
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F355F0DB7A2E3A14B8E7A568FBA25937
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1708EDD6AB4EB164A86999D0AF0ABE1D
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\526AB318AF0B8D84B9579557C9882C91
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\1708EDD6AB4EB164A86999D0AF0ABE1D
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\526AB318AF0B8D84B9579557C9882C91
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\1708EDD6AB4EB164A86999D0AF0ABE1D
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\526AB318AF0B8D84B9579557C9882C91
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1708EDD6AB4EB164A86999D0AF0ABE1D
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\526AB318AF0B8D84B9579557C9882C91

***** [ Web browsers ] *****

[C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com

*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [8414 bytes] - [21/06/2016 09:06:47]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [8487 bytes] ##########



#6 nasdaq

  • Malware Response Team

Posted 21 June 2016 - 12:43 PM

Please run the AdwCleaner tool and clean everything that was identified.

===

Let's see what the Registry will identify for SavingsBull.

Please download SystemLook (if your system is a 64-bit system, download SystemLook_x64.exe instead) and save it to your Desktop.
SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    SavingsBull
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

How is the computer running now?
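As an added example (not part of the thread, and not SystemLook's own code), here is the same ":regfind SavingsBull" check written in PowerShell, so the search can be repeated from a built-in shell; it assumes an elevated prompt and the hive list given in the param block.

```powershell
# Added example, not from the thread and not SystemLook's code: a PowerShell
# equivalent of the ":regfind SavingsBull" directive. It walks the given hives and
# reports every key name, value name or value data containing the search string.
# Assumption: run from an elevated PowerShell prompt; protected HKLM keys the
# account cannot open are skipped silently rather than searched.
param(
    [string]$Pattern = 'SavingsBull',
    [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\Software', 'HKU:\')
)

# HKEY_USERS is not exposed as a PSDrive by default; map it so the per-user hives
# (the HKU\S-1-5-21-... keys seen in the FRST logs) are included in the walk.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Find-RegistryString {
    param([string]$Root, [string]$Needle)
    $needleLower = $Needle.ToLowerInvariant()
    $hits = [System.Collections.Generic.List[string]]::new()

    # -ErrorAction SilentlyContinue skips keys this account cannot open instead of
    # aborting the whole search; Get-Item adds the root key itself to the list.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        if ($null -eq $key) { continue }

        # Match on the key name (SystemLook reports these as "[KEY]" lines).
        if ($key.PSChildName.ToLowerInvariant().Contains($needleLower)) {
            $hits.Add("KEY   $($key.Name)")
        }

        # Match on each value's name or string data. REG_BINARY data is not
        # text-searched here; it is only summarised so the value is still visible.
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            $dataText = if ($data -is [byte[]]) { "<binary $($data.Length) bytes>" } else { "$data" }
            if ($valueName.ToLowerInvariant().Contains($needleLower) -or
                $dataText.ToLowerInvariant().Contains($needleLower)) {
                $hits.Add("VALUE $($key.Name)\$valueName = $dataText")
            }
        }
    }
    return $hits
}

$results = @(foreach ($hive in $Hives) { Find-RegistryString -Root $hive -Needle $Pattern })
if ($results.Count -eq 0) {
    "No data found for `"$Pattern`"."   # the outcome the thread's SystemLook run reported
} else {
    $results | Sort-Object -Unique
}
```

Save it as a .ps1 file and run it as `.\Find-RegistryString.ps1 -Pattern SavingsBull`; a hit on a value's data usually points at the leftover file path to check next.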


#7 sremed60

  • Topic Starter

Posted 24 June 2016 - 08:33 AM

Please run the AdwCleaner tool and clean everything that was identified.

===

Let's see what the Registry will identify for SavingsBull.

Please download SystemLook (if your system is a 64-bit system, download SystemLook_x64.exe instead) and save it to your Desktop.
SystemLook.exe
SystemLook_x64.exe

  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    SavingsBull
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

How is the computer running now?


OK. Will do



#8 sremed60

  • Topic Starter

Posted 24 June 2016 - 08:36 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 06:35 on 24/06/2016 by Owner
Administrator - Elevation successful

========== regfind ==========

Searching for "SavingsBull "
No data found.

-= EOF =-



#9 sremed60

  • Topic Starter

Posted 24 June 2016 - 08:38 AM

I cleaned everything the adwcleaning tool wanted to clean. I seem to now get that "Windows Explorer is not responding" error ALL THE TIME. It doesn't seem to make a difference what I'm doing. Sometimes I can get through it, but about half the time that error message pops up now.



#10 nasdaq

  • Malware Response Team

Posted 24 June 2016 - 10:06 AM

Do you still get the message even after a restart of the system?

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
or https://www.eset.com/int/home/online-scanner/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

This may take a while, so run it when you know you will not need the computer for an hour or two.

#11 sremed60

  • Topic Starter

Posted 24 June 2016 - 12:20 PM

Couldn't get the Eset online scanner to scan. Clicked "Scan Now." The first time I clicked "Run" then clicked OK to all the prompts and agreed to the terms - and nothing happened. The second time I clicked "Save" instead of "Run" and went through everything again. Nothing ever pops up.



#12 nasdaq

  • Malware Response Team

Posted 24 June 2016 - 01:34 PM

Try running it as an Administrator.

#13 sremed60

  • Topic Starter

Posted 24 June 2016 - 07:45 PM

I did. Didn't help. I tried getting to it from IE, Firefox and Google Chrome. It downloads to my computer. And when I click it, it asks all the usual questions - but then it never pops up so I can adjust it to scan.

In the meantime, my computer is running slower and choppier than ever, in addition to getting that Windows Explorer is not responding error. I did a fix Windows 7 scan but it didn't find any problems.

I also restarted the computer a couple times and then tried it - nothing.


Edited by sremed60, 24 June 2016 - 07:46 PM.


#14 nasdaq

  • Malware Response Team

Posted 25 June 2016 - 07:11 AM



Download and run the Microsoft Safety Scanner
https://www.microsoft.com/security/scanner/en-us/default.aspx

Read the information.

Any change?

#15 sremed60

  • Topic Starter

Posted 25 June 2016 - 04:30 PM

Download and run the Microsoft Safety Scanner
https://www.microsoft.com/security/scanner/en-us/default.aspx

Read the information.

Any change?

It completed and said no viruses, no spyware, no malware or any other problems.

Slow computer and the "Windows Explorer has stopped Responding" still there. I've been transferring files from old discs to an external hard drive for the last week or so with no real issues. As I stated in my first post, that Netgear tech told me someone breached my system. Because he did that thing where he is able to control my computer remotely, I was nervous about what he might have done and really just wanted to make sure there wasn't anything left in my computer that would give anyone access to personal info. I can change passwords, but how do I know they aren't able to have access to the new password? That was really my only concern.

Since running the adwcleaning tool my computer seems to be having some issues I didn't have before. Running slow and a lot of error messages. In addition to the Windows Explorer not responding, I have gotten an error message when trying to transfer files; images, videos, or whatever, that the file couldn't be copied because the source file couldn't be read. (I can't remember the exact wording of the error message). I've only gotten it 2 or 3 times, but I've never seen it before. I used to be able to copy several hundred jpeg images and paste them in the hard drive, and it only took a few seconds, maybe a minute at the most, for them to be transferred. Now, sometimes, it takes forever and I start getting that error that the source couldn't be read.

I'm no techie, like I said, but I'm now wondering if the adwcleaning tool maybe deleted something that shouldn't have been deleted? Or maybe it's just coincidence.





