
Unknown Cmd window pop ups every hour


7 replies to this topic

#1 deathborn

  • Members
  • 4 posts

Posted 25 June 2016 - 05:52 PM

For a while now I have had cmd.exe run 2 pop-ups about every hour. I do not know what the pop-ups are doing and my attempts to catch them have been a bit lacking.

A screen shot I managed to grab while recording my screen: http://imgur.com/9QAXIVf
(screen recorded with Open Broadcaster)

I have attempted running Spybot and Malwarebytes but the problem persists.

Possible other problems:

Sometimes unknown tasks with apparently no purpose will show up in my task manager, which I will promptly end. I suspect they are a product of the Cmd windows.

Any advice on how I can catch this thing and get rid of it would be awesome. Thanks!


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01

Ran by FRED2 (administrator) on FRED2-PC (25-06-2016 18:34:49)
Running from C:\Users\FRED2\Downloads
Loaded Profiles: FRED2 (Available Profiles: FRED2)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Cerulean Studios) C:\Program Files (x86)\Trillian\trillian.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [13318424 2015-03-12] (Logitech Inc.)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [596640 2016-05-24] (Razer Inc.)
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {1df9756f-669e-11e3-a7e8-08606ef0dce6} - E:\setup.exe
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {533305f4-1659-11e3-a8fc-08606ef0dce6} - G:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {6247d328-7775-11e3-93c6-08606ef0dce6} - F:\LaunchU3.exe -a
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {9aaa3728-1c33-11e3-a826-08606ef0dce6} - G:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {b4c8feaa-10a8-11e6-a983-08606ef0dce6} - H:\setup.exe
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {d7946ca0-2e2a-11e5-aa0c-08606ef0dce6} - G:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2678748704-3792687868-2610305769-1001\...\MountPoints2: {e0761206-f054-11e3-b161-08606ef0dce6} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\tray.exe [1010008 2015-04-08] (Garmin Ltd. or its subsidiaries)
Startup: C:\Users\FRED2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk [2016-05-14]
ShortcutTarget: Trillian.lnk -> C:\Program Files (x86)\Trillian\trillian.exe (Cerulean Studios)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{ADDE4760-2DA4-4248-B1B8-9649CECAFFED}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{ADDE4760-2DA4-4248-B1B8-9649CECAFFED}: [DhcpNameServer] 192.168.1.1
ManualProxies: 
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexbho.dll [2014-01-24] (CANON INC.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2014-01-24] (CANON INC.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-26] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-26] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexhlp.dll [2014-01-24] (CANON INC.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2014-01-24] (CANON INC.)
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.15.0.cab
Handler-x32: intu-tt2015 - {5A676D6A-A3EF-4FAA-8DAC-F55CA235F67C} - C:\Program Files (x86)\TurboTax 2015\ic2015pp.dll [2015-11-23] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_192.dll [2016-06-17] ()
FF Plugin: @java.com/DTPlugin,version=10.21.2 -> C:\Windows\system32\npDeployJava1.dll [2013-04-21] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_192.dll [2016-06-17] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-12-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-12-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-01-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-10-16] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-10-16] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-05-27] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3325161&octid=EB_ORIGINAL_CTID&ISID=ME5EE2665-EFC6-4A7E-9734-316BE0E72D24&SearchSource=55&CUI=&UM=8&UP=SPFAFB5574-38BA-49C8-BF5F-CD34C56005C3&D=051416&SSPV=
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?s=G5Ezftpbl0cshmoBP,9d6154d6-efd3-425f-92fa-112a3319d6c9,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll => No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll => No File
CHR Profile: C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Translate) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2015-11-17]
CHR Extension: (Google Drive) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-25]
CHR Extension: (YouTube) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Google Search) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (HTTPS Everywhere) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2016-06-11]
CHR Extension: (Google Docs Offline) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
CHR Extension: (AdBlock) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-09]
CHR Extension: (Change Colors) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbmkekhehjedonbhoikhhkmlapalklgn [2014-10-20]
CHR Extension: (Speed Dial 2) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfpebmajhhopeonhlcgidhclcccjcik [2016-06-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (AlienTube for YouTube™) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\opgodjgjgojjkhlmmhdlojfehcemknnp [2015-10-15]
CHR Extension: (Gmail) - C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-27]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S4 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1362464 2016-03-15] ()
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [708616 2015-04-08] (Garmin Ltd. or its subsidiaries)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2014-10-16] (NVIDIA Corporation)
R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2013-09-03] (Nero AG)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140936 2013-05-14] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-10-16] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19439944 2014-10-16] (NVIDIA Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [188072 2015-11-04] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S4 BitTorrent; "C:\Program Files\BitTorrent\BitTorrent.exe" /s iid=6908977 did=APSnapdoAMRev sid=3 ref=880b2631-3e04-5f95-9b4a-5487799a1728-PolicyMac id=6be1dde9652db82d208371d33627296304a1c4b313da0e73919c839d673eef0d [X]
S4 dpynloaeuodate; C:\Users\FRED2\AppData\Local\siliconin.exe eproduct dpynloaeuodate [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 asahci64; C:\Windows\system32\drivers\asahci64.sys [49760 2013-02-06] (Asmedia Technology)
R3 CMUSBDAC; C:\Windows\System32\DRIVERS\CMUSBDAC.sys [594944 2014-09-19] (C-MEDIA)
S3 CSRBC; C:\Windows\System32\Drivers\csrbc.sys [38400 2013-03-28] (CSR plc.)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2013-12-22] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [69888 2011-10-17] (Fresco Logic)
S3 gtfilter; C:\Windows\System32\DRIVERS\gtfilter.sys [18272 2012-01-03] (Fructel AB)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x64.sys [455088 2012-11-16] (Intel® Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X64.sys [159664 2012-11-16] (Intel® Corporation)
S3 lehidmini; C:\Windows\system32\drivers\leath_hid.sys [36608 2012-06-28] (Atheros)
S3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
S3 libusb0; C:\Windows\System32\DRIVERS\libusb0.sys [44480 2013-09-23] (hxxp://libusb-win32.sourceforge.net)
S3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [121416 2012-05-12] (MotioninJoy) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19272 2014-10-16] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38048 2014-10-16] (NVIDIA Corporation)
R3 rzendpt; C:\Windows\System32\DRIVERS\rzendpt.sys [50392 2015-08-13] (Razer Inc)
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [37184 2015-09-22] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [130880 2015-12-14] (Razer, Inc.)
S3 SaiK0CD7; C:\Windows\System32\DRIVERS\SaiK0CD7.sys [180544 2012-09-20] (Saitek)
S3 SaiK1708; C:\Windows\System32\DRIVERS\SaiK1708.sys [180544 2012-09-20] (Saitek)
R3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [25120 2013-04-30] (Saitek)
R3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [52640 2013-04-30] (Saitek)
S3 SaiU0CD7; C:\Windows\System32\DRIVERS\SaiU0CD7.sys [47168 2012-09-20] (Saitek)
S3 SaiU1708; C:\Windows\System32\DRIVERS\SaiU1708.sys [47168 2012-09-20] (Saitek)
S3 VUSB3HUB; C:\Windows\system32\drivers\ViaHub3.sys [204800 2011-11-14] (VIA Technologies, Inc.)
S3 xhcdrv; C:\Windows\system32\drivers\xhcdrv.sys [256000 2011-11-14] (VIA Technologies, Inc.)
S4 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-25 18:34 - 2016-06-25 18:35 - 00023456 _____ C:\Users\FRED2\Downloads\FRST.txt
2016-06-25 18:34 - 2016-06-25 18:34 - 00000000 ____D C:\FRST
2016-06-25 18:33 - 2016-06-25 18:34 - 02387456 _____ (Farbar) C:\Users\FRED2\Downloads\FRST64.exe
2016-06-22 18:16 - 2016-06-22 18:16 - 00000000 ____D C:\Users\FRED2\Tracing
2016-06-19 20:14 - 2016-06-19 20:14 - 00041248 _____ C:\Users\FRED2\Downloads\the-game_english-919169.zip
2016-06-17 22:18 - 2016-06-17 22:18 - 00606532 _____ C:\Users\FRED2\Downloads\Autoruns.zip
2016-06-17 16:50 - 2016-06-17 16:50 - 03878112 _____ (Husdawg, LLC) C:\Users\FRED2\Downloads\Detection.exe
2016-06-11 21:41 - 2016-06-11 21:45 - 00000000 ____D C:\SUPERHOT
2016-06-11 21:41 - 2016-06-11 21:41 - 00000000 ____D C:\Users\FRED2\AppData\LocalLow\SUPERHOT Team
2016-06-11 20:19 - 2016-06-11 20:26 - 00011081 _____ C:\Users\FRED2\Desktop\Hiking.odt
2016-06-11 07:28 - 2016-06-11 07:28 - 00041168 _____ C:\Users\FRED2\Downloads\[kat.cr]monty.python.the.movies.1.2.3.4.comedy.1971.1983.eng.subs.1080p.h264.mp4 (1).torrent
2016-06-11 07:27 - 2016-06-11 07:27 - 00041168 _____ C:\Users\FRED2\Downloads\[kat.cr]monty.python.the.movies.1.2.3.4.comedy.1971.1983.eng.subs.1080p.h264.mp4.torrent
2016-06-11 07:25 - 2016-06-11 07:25 - 00014651 _____ C:\Users\FRED2\Downloads\[kat.cr]monty.python.jabberwocky.1977.dvdrip.divx.torrent
2016-06-11 06:50 - 2016-06-11 06:50 - 00017730 _____ C:\Users\FRED2\Downloads\[otorrents.com]forrest-gump-1994-720p.torrent
2016-06-04 17:53 - 2016-06-04 17:53 - 00036829 _____ C:\Users\FRED2\Downloads\x-men-apocalypse_english-1346862.zip
2016-06-04 17:53 - 2016-06-04 17:53 - 00036829 _____ C:\Users\FRED2\Downloads\x-men-apocalypse_english-1346862 (1).zip
2016-06-04 17:53 - 2016-06-04 17:53 - 00033978 _____ C:\Users\FRED2\Downloads\x-men-apocalypse_english-1347054.zip
2016-05-26 20:28 - 2016-05-26 20:28 - 00211592 _____ (Microsoft Corporation) C:\Users\FRED2\Downloads\vs_community_ENU.exe
2016-05-26 20:26 - 2016-05-26 20:26 - 01147432 _____ (Microsoft Corporation) C:\Users\FRED2\Downloads\wdksetup.exe
2016-05-26 20:15 - 2016-05-26 20:15 - 01270466 _____ C:\Users\FRED2\Downloads\ProcessExplorer.zip
2016-05-26 09:06 - 2016-05-26 09:54 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-05-26 09:03 - 2016-05-26 09:03 - 16563352 _____ (Malwarebytes Corp.) C:\Users\FRED2\Downloads\mbar-1.09.3.1001.exe
2016-05-26 09:01 - 2016-05-26 09:02 - 74637872 _____ (Logitech, Inc.) C:\Users\FRED2\Downloads\lws251.exe
2016-05-26 08:34 - 2016-06-25 17:37 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-26 08:34 - 2016-06-17 06:37 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-25 18:26 - 2013-12-13 00:07 - 00000000 ____D C:\Users\FRED2\AppData\Local\Battle.net
2016-06-25 17:38 - 2016-05-10 20:33 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-25 16:42 - 2013-04-20 08:05 - 00000000 ____D C:\Program Files (x86)\Steam
2016-06-25 16:23 - 2014-04-03 01:00 - 00000000 ____D C:\Users\FRED2\AppData\Roaming\Skype
2016-06-24 20:38 - 2016-05-10 20:33 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-24 00:53 - 2015-11-22 18:20 - 00000000 ____D C:\Program Files (x86)\Overwatch
2016-06-23 18:11 - 2013-08-25 12:54 - 00000000 ____D C:\Program Files (x86)\Diablo III
2016-06-23 18:10 - 2014-11-04 20:41 - 00000000 ____D C:\Program Files (x86)\Heroes of the Storm
2016-06-23 17:52 - 2013-12-13 00:07 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-06-23 05:59 - 2016-05-14 16:47 - 00000000 ____D C:\Users\FRED2\AppData\Local\WINTUNEPRO
2016-06-22 23:59 - 2014-08-28 23:38 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-22 21:48 - 2013-04-20 08:57 - 00000000 ____D C:\Users\FRED2\AppData\Roaming\OBS
2016-06-22 21:45 - 2016-05-14 18:26 - 00000000 ____D C:\Users\FRED2\AppData\Roaming\StardewValley
2016-06-22 18:16 - 2015-12-20 19:26 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-06-22 18:16 - 2014-04-03 01:00 - 00000000 ____D C:\ProgramData\Skype
2016-06-22 18:16 - 2013-04-19 22:06 - 00000000 ____D C:\Users\FRED2
2016-06-20 22:53 - 2013-09-05 18:34 - 00007603 _____ C:\Users\FRED2\AppData\Local\Resmon.ResmonCfg
2016-06-20 22:30 - 2013-04-20 08:12 - 00000000 ____D C:\Users\FRED2\AppData\Roaming\tixati
2016-06-20 20:08 - 2013-04-20 08:43 - 00000000 ____D C:\Users\FRED2\AppData\Roaming\vlc
2016-06-20 20:08 - 2009-07-14 00:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-20 20:08 - 2009-07-14 00:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-20 18:53 - 2013-04-20 08:12 - 00000000 ____D C:\Users\FRED2\Documents\Torrents
2016-06-19 18:40 - 2014-04-18 06:13 - 00000000 ____D C:\Users\FRED2\Desktop\Games
2016-06-17 22:28 - 2015-12-11 19:26 - 00012485 _____ C:\Users\FRED2\Desktop\budget.ods
2016-06-17 22:28 - 2013-09-20 16:33 - 00000000 ____D C:\Users\FRED2\Desktop\Protection
2016-06-17 19:53 - 2013-04-10 15:03 - 00000000 ____D C:\ProgramData\NVIDIA
2016-06-17 19:53 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-17 19:41 - 2013-09-07 10:05 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-17 19:37 - 2013-04-19 22:06 - 00000000 ____D C:\Users\FRED2\AppData\Local\VirtualStore
2016-06-17 06:37 - 2013-04-20 23:51 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-06-17 06:37 - 2013-04-20 23:51 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-14 11:33 - 2013-04-20 20:40 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2016-06-11 21:45 - 2015-05-31 09:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-06-11 21:45 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-06-11 20:19 - 2015-03-15 17:40 - 00268288 ___SH C:\Users\FRED2\Documents\Thumbs.db
2016-06-11 20:19 - 2015-01-24 10:42 - 00000000 ____D C:\Users\FRED2\Documents\Army
2016-06-05 20:29 - 2015-10-14 16:59 - 00000000 ____D C:\Users\FRED2\AppData\Roaming\Kodi
2016-06-04 20:15 - 2016-05-11 06:31 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-06-04 08:10 - 2014-01-16 15:01 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-05-26 09:04 - 2014-08-28 23:38 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-05-26 08:27 - 2013-04-21 19:48 - 00000000 ____D C:\Users\FRED2\AppData\Local\ElevatedDiagnostics
 
==================== Files in the root of some directories =======
 
2016-05-02 11:03 - 2016-05-14 16:53 - 6494208 _____ () C:\Users\FRED2\AppData\Roaming\agent.dat
2016-05-02 11:02 - 2016-05-14 16:52 - 0127488 _____ () C:\Users\FRED2\AppData\Roaming\Installer.dat
2016-05-02 11:03 - 2016-05-14 16:53 - 0018432 _____ () C:\Users\FRED2\AppData\Roaming\Main.dat
2013-09-13 00:33 - 2013-09-13 00:33 - 0000042 _____ () C:\Users\FRED2\AppData\Roaming\WB.CFG
2013-09-05 18:34 - 2016-06-20 22:53 - 0007603 _____ () C:\Users\FRED2\AppData\Local\Resmon.ResmonCfg
2016-05-02 12:08 - 2016-05-02 12:08 - 0000000 _____ () C:\Users\FRED2\AppData\Local\{E0FE84C0-C5CA-49EA-8FD1-2C6F835277EF}
2013-04-21 20:09 - 2013-04-21 20:09 - 0159528 _____ () C:\ProgramData\1366589266.bdinstall.bin
2013-09-05 14:11 - 2013-09-05 14:11 - 0022799 _____ () C:\ProgramData\1378404700.bdinstall.bin
2013-09-05 14:12 - 2013-09-05 14:12 - 0161521 _____ () C:\ProgramData\1378404701.bdinstall.bin
2013-09-07 08:27 - 2013-09-07 08:27 - 0022832 _____ () C:\ProgramData\1378556826.bdinstall.bin
2013-09-07 08:27 - 2013-09-07 08:27 - 0043667 _____ () C:\ProgramData\1378556832.bdinstall.bin
2013-09-07 08:32 - 2013-09-07 08:32 - 0080339 _____ () C:\ProgramData\1378557083.bdinstall.bin
 
Some files in TEMP:
====================
C:\Users\FRED2\AppData\Local\Temp\uninstall.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-17 00:27
 
==================== End of FRST.txt ============================





 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:02:35 PM

Posted 26 June 2016 - 03:52 PM

hi,

 

You can run these two tools and we will go from there. I'm usually only on this site once or twice per day, so you may not get a response back from me until the following day.

 

Please download adwcleaner and save to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Right click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, Click the Clean button
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

Please download Junkware Removal Tool to your desktop.

     http://thisisudax.org/downloads/JRT.exe

    Double-click the icon, or right-click for Vista/W7/8 and select Run as admin.
    The tool will open and start scanning.
    Please be patient as this can take a while to complete.
    On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    Post the contents of JRT.txt into your next message.
 

 


How Can I Reduce My Risk to Malware?


#3 deathborn

deathborn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 26 June 2016 - 08:34 PM

Thanks for your assistance so far!
 
# AdwCleaner v5.200 - Logfile created 26/06/2016 at 21:15:51
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-26.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : FRED2 - FRED2-PC
# Running from : C:\Users\FRED2\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Users\FRED2\AppData\Local\QuickCleaner
[-] Folder Deleted : C:\Users\FRED2\AppData\Local\WINTUNEPRO
[-] Folder Deleted : C:\Users\FRED2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Win Tune Pro
[-] Folder Deleted : C:\Users\FRED2\AppData\Local\app
[-] Folder Deleted : C:\uninst
 
***** [ Files ] *****
 
[#] File Deleted : C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmnlcjabgnpnenekpadlanbbkooimhnj
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
[-] Key Deleted : HKLM\SOFTWARE\MIITS LLC
 
***** [ Web browsers ] *****
 
[-] [C:\Users\FRED2\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://www.trovi.com/?gd=&ctid=CT3325161&octid=EB_ORIGINAL_CTID&ISID=ME5EE2665-EFC6-4A7E-9734-316BE0E72D24&SearchSource=55&CUI=&UM=8&UP=SPFAFB5574-38BA-49C8-BF5F-CD34C56005C3&D=051416&SSPV=
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [4148 bytes] - [14/05/2016 18:31:18]
C:\AdwCleaner\AdwCleaner[C2].txt - [1806 bytes] - [26/06/2016 21:15:51]
C:\AdwCleaner\AdwCleaner[S1].txt - [4204 bytes] - [14/05/2016 18:30:37]
C:\AdwCleaner\AdwCleaner[S2].txt - [1882 bytes] - [26/06/2016 21:13:08]
C:\AdwCleaner\AdwCleaner[S3].txt - [1955 bytes] - [26/06/2016 21:14:06]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2098 bytes] ##########
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Home Premium x64 
Ran by FRED2 (Administrator) on 26/06/2016 at 21:27:33.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 33 
 
Failed to delete: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\663OERDD (Temporary Internet Files Folder) 
Failed to delete: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DRDO545 (Temporary Internet Files Folder) 
Failed to delete: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J9V0A4R9 (Temporary Internet Files Folder) 
Failed to delete: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UW2P0GYJ (Temporary Internet Files Folder) 
Failed to delete: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSVHU6UR (Temporary Internet Files Folder) 
Failed to delete: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6SAPJK6 (Temporary Internet Files Folder) 
Successfully deleted: C:\ProgramData\1366589266.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\1378404700.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\1378404701.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\1378556826.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\1378556832.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\1378557083.bdinstall.bin (File) 
Successfully deleted: C:\ProgramData\19a87fa1ec024bbcbb41931263354405 (Folder) 
Successfully deleted: C:\ProgramData\drivergenius (Folder) 
Successfully deleted: C:\Users\FRED2\Appdata\LocalLow\company (Folder) 
Successfully deleted: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CARZZ8GI (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G4NDPVO8 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\FRED2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\663OERDD (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DRDO545 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CARZZ8GI (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G4NDPVO8 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J9V0A4R9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UW2P0GYJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSVHU6UR (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6SAPJK6 (Temporary Internet Files Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 26/06/2016 at 21:32:01.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:02:35 PM

Posted 27 June 2016 - 04:35 PM

Ok. So you are still getting the cmd window popups. It's hard to read the screenshot you uploaded, at least to try and read what it actually says.

 

We will use FRST to remove some items.

Copy what's below into Notepad and save it as Fixlist.txt in the same location you have FRST. Start FRST like before, except this time click on the Fix button once. The machine will reboot to finish. Upon reboot it will display a new fixlog.txt that you can copy/paste in your reply.

We will go from there.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3325161&octid=EB_ORIGINAL_CTID&ISID=ME5EE2665-EFC6-4A7E-9734-316BE0E72D24&SearchSource=55&CUI=&UM=8&UP=SPFAFB5574-38BA-49C8-BF5F-CD34C56005C3&D=051416&SSPV=
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?s=G5Ezftpbl0cshmoBP,9d6154d6-efd3-425f-92fa-112a3319d6c9,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
S4 BitTorrent; "C:\Program Files\BitTorrent\BitTorrent.exe" /s iid=6908977 did=APSnapdoAMRev sid=3 ref=880b2631-3e04-5f95-9b4a-5487799a1728-PolicyMac id=6be1dde9652db82d208371d33627296304a1c4b313da0e73919c839d673eef0d [X]
S4 dpynloaeuodate; C:\Users\FRED2\AppData\Local\siliconin.exe eproduct dpynloaeuodate [X]
C:\Users\FRED2\AppData\Local\siliconin.exe eproduct dpynloaeuodate
2016-05-02 11:03 - 2016-05-14 16:53 - 6494208 _____ () C:\Users\FRED2\AppData\Roaming\agent.dat
2016-05-02 11:02 - 2016-05-14 16:52 - 0127488 _____ () C:\Users\FRED2\AppData\Roaming\Installer.dat
2016-05-02 11:03 - 2016-05-14 16:53 - 0018432 _____ () C:\Users\FRED2\AppData\Roaming\Main.dat
2013-09-13 00:33 - 2013-09-13 00:33 - 0000042 _____ () C:\Users\FRED2\AppData\Roaming\WB.CFG
2013-09-05 18:34 - 2016-06-20 22:53 - 0007603 _____ () C:\Users\FRED2\AppData\Local\Resmon.ResmonCfg
Empty Temp:

How Can I Reduce My Risk to Malware?
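The fixlist above removes two kinds of foothold that show up in the FRST scan: a service named `dpynloaeuodate` whose binary sits under the user's `AppData\Local`, and browser search hijacks. Since the original complaint is a cmd window every hour, a scheduled task is the other place to look. What follows is an added, read-only triage script written for this thread; it is not part of the thread, of FRST, or of AdwCleaner. It assumes an English-locale Windows 7 system (so `schtasks` is available and `Get-ScheduledTask` is not), it must be run from an elevated PowerShell prompt, and the set of user-writable roots it flags (`$suspectRoots`) is an illustrative choice, not a definitive list.

```powershell
# Added example (not from the thread): report services and scheduled tasks
# whose command points into a user-writable directory, or that launch cmd.exe.
# Read-only: it lists, it does not delete. Run elevated on Windows 7 or later.

# Assumed for illustration: directory roots a normal service/task should not live in.
$suspectRoots = '\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\'

# 1. Services with a binary under a user-writable root. Compare the FRST line
#    "S4 dpynloaeuodate; C:\Users\FRED2\AppData\Local\siliconin.exe ...".
function Get-SuspectService {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.PathName -match $suspectRoots } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind      = 'Service'
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Command   = $_.PathName
            }
        }
}

# 2. Scheduled tasks that run cmd.exe or something under a user-writable root.
#    Get-ScheduledTask does not exist on Windows 7, so parse schtasks' verbose
#    CSV output. Column names are those of the English-locale output; the
#    header row is repeated per task folder, so drop those repeats.
function Get-SuspectTask {
    schtasks /query /fo CSV /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |
        Where-Object { $_.'Task To Run' -match ('\bcmd(\.exe)?\b|' + $suspectRoots) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind      = 'Task'
                Name      = $_.TaskName
                StartMode = $_.'Schedule Type'
                State     = $_.'Scheduled Task State'
                Command   = $_.'Task To Run'
            }
        }
}

@(Get-SuspectService) + @(Get-SuspectTask) |
    Sort-Object Kind, Name |
    Format-Table Kind, Name, StartMode, State, Command -AutoSize -Wrap
```

An entry is not malicious just because it appears here (some legitimate updaters install under `AppData`), but a randomly named service or task pointing into `AppData\Local` or `ProgramData`, as the `dpynloaeuodate` entry does, is the sort of hit worth posting in a thread like this before anything is deleted.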


#5 deathborn

deathborn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 27 June 2016 - 09:51 PM

Thanks for continuing to help !
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 26-06-2016 02
Ran by FRED2 (2016-06-27 22:42:11) Run:1
Running from C:\Users\FRED2\Desktop\Protection
Loaded Profiles: FRED2 (Available Profiles: FRED2)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3325161&octid=EB_ORIGINAL_CTID&ISID=ME5EE2665-EFC6-4A7E-9734-316BE0E72D24&SearchSource=55&CUI=&UM=8&UP=SPFAFB5574-38BA-49C8-BF5F-CD34C56005C3&D=051416&SSPV=
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?s=G5Ezftpbl0cshmoBP,9d6154d6-efd3-425f-92fa-112a3319d6c9,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
S4 BitTorrent; "C:\Program Files\BitTorrent\BitTorrent.exe" /s iid=6908977 did=APSnapdoAMRev sid=3 ref=880b2631-3e04-5f95-9b4a-5487799a1728-PolicyMac id=6be1dde9652db82d208371d33627296304a1c4b313da0e73919c839d673eef0d [X]
S4 dpynloaeuodate; C:\Users\FRED2\AppData\Local\siliconin.exe eproduct dpynloaeuodate [X]
C:\Users\FRED2\AppData\Local\siliconin.exe eproduct dpynloaeuodate
2016-05-02 11:03 - 2016-05-14 16:53 - 6494208 _____ () C:\Users\FRED2\AppData\Roaming\agent.dat
2016-05-02 11:02 - 2016-05-14 16:52 - 0127488 _____ () C:\Users\FRED2\AppData\Roaming\Installer.dat
2016-05-02 11:03 - 2016-05-14 16:53 - 0018432 _____ () C:\Users\FRED2\AppData\Roaming\Main.dat
2013-09-13 00:33 - 2013-09-13 00:33 - 0000042 _____ () C:\Users\FRED2\AppData\Roaming\WB.CFG
2013-09-05 18:34 - 2016-06-20 22:53 - 0007603 _____ () C:\Users\FRED2\AppData\Local\Resmon.ResmonCfg
Empty Temp:
*****************
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
Chrome HomePage => not found.
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => not found.
BitTorrent => service not found.
dpynloaeuodate => service removed successfully
"C:\Users\FRED2\AppData\Local\siliconin.exe eproduct dpynloaeuodate" => not found.
C:\Users\FRED2\AppData\Roaming\agent.dat => moved successfully
C:\Users\FRED2\AppData\Roaming\Installer.dat => moved successfully
C:\Users\FRED2\AppData\Roaming\Main.dat => moved successfully
C:\Users\FRED2\AppData\Roaming\WB.CFG => moved successfully
C:\Users\FRED2\AppData\Local\Resmon.ResmonCfg => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 51643687 B
Java, Flash, Steam htmlcache => 50945307 B
Windows/system/drivers => 1113314 B
Edge => 0 B
Chrome => 827300612 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 100805526 B
systemprofile32 => 66088 B
LocalService => 66228 B
NetworkService => 572110 B
UpdatusUser => 0 B
FRED2 => 110230694 B
 
RecycleBin => 0 B
EmptyTemp: => 1.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 22:43:09 ====


#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:02:35 PM

Posted 28 June 2016 - 04:33 PM

Ok. What about the cmd windows, still showing up? I can't make out the screenshot you posted, too hard to read. Can you post what it says? It may be helpful.


How Can I Reduce My Risk to Malware?


#7 deathborn

deathborn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 28 June 2016 - 08:18 PM

So far I haven't seen it since your last fix. 

The cmd pop up was recorded with Open Broadcaster because it would open and then close immediately. So the only way for me to get it was to constantly record the screen for an hour. I can't read it either. 

 

It only shows for about a tenth of a second, longer if I'm straining the PC resources, but not much. 

 

Thanks for your help. If it comes up again i'll let you know :)
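Screen recording caught the window but not its contents, which is the information shelf life asked for. A window that lives a tenth of a second is too brief for polling, but a process-start event fires at creation time, before the process can exit. The script below is an added example written for this thread, not something from the thread or from any of the tools it uses: it subscribes to the `Win32_ProcessStartTrace` WMI event for `cmd.exe` and appends one line per start, with the parent process name and the command line, to a log file. It must run from an elevated PowerShell prompt (that event class is backed by kernel tracing), the window it runs in has to stay open, and `$LogPath` is an assumed location.

```powershell
# Added example (not from the thread): log every cmd.exe start the moment it
# happens, so a window that closes in 0.1 s still leaves its command line.
# Requires an elevated PowerShell prompt. Leave this window open while waiting.

# Assumed for illustration: where to write the log.
$LogPath = "$env:USERPROFILE\Desktop\cmd-starts.log"

# Win32_ProcessStartTrace is event-driven (not polled), so it sees short-lived
# processes; it carries the pid and parent pid but not the command line.
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'cmd.exe'"

Register-WmiEvent -Query $query -SourceIdentifier 'CmdStartWatch' -MessageData $LogPath -Action {
    $e   = $Event.SourceEventArgs.NewEvent
    $log = $Event.MessageData

    # Look up command line and parent right away. The child may already have
    # exited; record that rather than failing, the parent is usually still there.
    $child  = Get-WmiObject Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"

    $line = '{0} pid={1} ppid={2} parent={3} cmdline={4}' -f `
        (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
        $e.ProcessID,
        $e.ParentProcessID,
        $(if ($parent) { $parent.Name } else { 'unknown' }),
        $(if ($child)  { $child.CommandLine } else { '(exited before it could be read)' })

    Add-Content -Path $log -Value $line
}

Write-Host "Watching for cmd.exe starts; log at $LogPath. Press Ctrl+C to stop."
try {
    # Keep the session alive; the -Action block runs in the background on each event.
    while ($true) { Start-Sleep -Seconds 5 }
} finally {
    # finally runs on Ctrl+C too, so the subscription is always cleaned up.
    Unregister-Event -SourceIdentifier 'CmdStartWatch'
}
```

Two fields in the log answer the thread's question. The parent name says where the window comes from: on Windows 7 a task launched by Task Scheduler has `taskeng.exe` as its parent, while a parent running from `AppData` points at a dropped executable such as the `siliconin.exe` entry FRST removed. The command line says what the window was doing (`cmd.exe /c ...`). Where keeping a session open is not practical, the same data can be collected by enabling process creation auditing (Security event 4688) in Local Security Policy, at the cost of a noisier log.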



#8 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:02:35 PM

Posted 29 June 2016 - 04:22 PM

Ok, thanks for the update. Should it appear again, just post back. Otherwise, if all is good on your end: happy safe surfing out there.


How Can I Reduce My Risk to Malware?




