Virus popups (RDN/YahLover.worm) and possibly Kovter



#1 kmssd (Members, 4 posts)

Posted 13 August 2016 - 10:32 AM

I'm trying to clean up my uncle's computer but his programs (AVG and Malware) didn't report any problems. So I ran Spyhunter (before finding posts about it here) and it said the computer might also have Kovter.

 

EDIT: He told me more about it, the popup said a few things, mentioning web-cloud-servers(.)cf/warning, (http://)car-insuracne-policy(.)cf, call 1-844-541-2059. He said it would beep and say warning and alert. He also has some games installed which he said he has cds for which are, iwin game and Legacy Interactive. They installed Jewel Quest 1, Jewel Quest 3 and Mahjong Journey of Enlightenment. These might be considered potential unwanted programs. He wants to keep them.

 

The requested information is below.

 

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-08-2016 01
Ran by Administrator (administrator) on YOUR-DA9A3C7920 (13-08-2016 11:20:59)
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(B.H.A Corporation) C:\Program Files\B's Recorder GOLD8\bgsvc.exe
(iWin Inc.) C:\Program Files\iWin Games\iWinTrusted.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Matsushita Electric Industrial Co., Ltd.) C:\Program Files\Panasonic\HotKey Appendix\hkeyapp.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Alcatel-Lucent) C:\Program Files\Verizon\McciTrayApp.exe
(Panasonic) C:\Program Files\Panasonic\WLANSW\WLANSw.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Intel Corporation) C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgwdsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgemcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgui.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Hotkey] => C:\WINDOWS\system32\hkeyman.exe [851968 2003-03-14] (Matsushita Electric Industrial Co., Ltd.)
HKLM\...\Run: [igfxhkcmd] => C:\WINDOWS\system32\hkcmd.exe [77824 2006-02-27] (Intel Corporation)
HKLM\...\Run: [PCinfo] => C:\Program Files\Panasonic\PCINFO\SetDiag.exe [45056 2005-10-24] (Matsushita Electric Industrial Co., Ltd.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [729177 2005-08-01] (Synaptics, Inc.)
HKLM\...\Run: [Panasonic HotKey Manager] => C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE [978944 2005-10-17] (Matsushita Electric Industrial Co., Ltd.)
HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [667718 2006-02-28] (Intel Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [602182 2006-02-28] (Intel Corporation)
HKLM\...\Run: [Verizon_McciTrayApp] => C:\Program Files\Verizon\McciTrayApp.exe [1565696 2010-03-17] (Alcatel-Lucent)
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [186640 2016-07-20] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Av\avgui.exe [5299984 2016-07-28] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-2308246308-1038398630-221080490-500\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\sspipes.scr [610304 2008-04-13] (Microsoft Corporation)
HKLM\...\AppCertDlls: [drwteset] -> C:\WINDOWS\system32\asr_down.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless LAN Switch.lnk [2006-05-12]
ShortcutTarget: Wireless LAN Switch.lnk -> C:\Program Files\Panasonic\WLANSW\WLANSw.exe (Panasonic)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\Av\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BBD51085-9A0A-478B-BAB6-8CF80F0763F9}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://verizon.my.yahoo.com/
HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://verizon.my.yahoo.com
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> DefaultScope {9739779D-2BBC-4A00-B33E-6B3E9CF36852} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=veri-ie8
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {876EAF45-6FC7-483B-BC68-BA212F631958} URL = hxxp://delicious.com/search?p={searchTerms}
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {9739779D-2BBC-4A00-B33E-6B3E9CF36852} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=veri-ie8
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {FC7E1A3C-1DD2-43C7-BAB4-556B59A2DC88} URL = hxxp://www.flickr.com/search/?q={searchTerms}
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll [2009-01-22] (TechSmith Corporation)
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-10-22] (Hewlett-Packard Co.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-11-24] (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-11-24] (Sun Microsystems, Inc.)
BHO: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-11-20] (Yahoo! Inc)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-10-22] (Hewlett-Packard Co.)
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll [2009-01-22] (TechSmith Corporation)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5ktu2htd.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll [2008-10-04] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll [2010-11-12] (Sun Microsystems, Inc.)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2009-02-09] (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 -> C:\Program Files\Common Files\Motive\npMotive.dll [2010-03-17] (Alcatel-Lucent)
FF Plugin: @radialpoint.com/SPA,version=1 -> C:\Program Files\Verizon\VSP\nprpspa.dll [2009-02-13] (Radialpoint Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-01-24] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009-06-02] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-18] [not signed]
FF HKU\S-1-5-21-2308246308-1038398630-221080490-500\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\Av\avgidsagent.exe [4097280 2016-07-28] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [906512 2016-07-20] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\Av\avgwdsvcx.exe [632632 2016-07-28] (AVG Technologies CZ, s.r.o.)
R2 bgsvc; C:\Program Files\B's Recorder GOLD8\bgsvc.exe [81920 2004-10-14] (B.H.A Corporation) [File not signed]
R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [114753 2006-02-28] (Intel Corporation) [File not signed]
S3 getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [33176 2009-03-03] (NOS Microsystems Ltd.)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [135168 2008-03-25] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL [630784 2008-03-25] (Hewlett-Packard Co.) [File not signed]
R2 iWinTrusted; C:\Program Files\iWin Games\iWinTrusted.exe [216920 2015-08-14] (iWin Inc.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2010-11-12] (Sun Microsystems, Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [319488 2010-03-17] (Alcatel-Lucent) [File not signed]
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [217164 2006-02-28] (Intel Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [540745 2006-02-28] (Intel Corporation ) [File not signed]
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21275 2006-05-12] (Meetinghouse Data Communications) [File not signed]
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [134912 2016-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [247552 2016-06-30] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [201472 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [212736 2016-06-01] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [287008 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [201472 2016-07-19] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [47360 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [231168 2016-07-12] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-07-30] (AVG Technologies)
R0 avgunivx; C:\WINDOWS\System32\DRIVERS\avgunivx.sys [65280 2016-06-20] (AVG Technologies CZ, s.r.o.)
R2 brecal; C:\Program Files\Panasonic\BRECAL\Brecal.sys [7168 2004-11-15] (Matsushita Electric Industrial Co., Ltd.) [File not signed]
R0 BsStor; C:\WINDOWS\system32\Drivers\BsStor.sys [10112 2005-05-30] (B.H.A Co.,Ltd.) [File not signed]
S4 BsUDF; C:\WINDOWS\system32\Drivers\BsUDF.sys [164992 2005-12-06] (B.H.A Co.,Ltd.) [File not signed]
R1 cdrbsdrv; C:\WINDOWS\system32\Drivers\cdrbsdrv.sys [32256 2005-05-11] (B.H.A Corporation) [File not signed]
S3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [19984 2016-08-09] ()
R3 GTWINSER; C:\WINDOWS\System32\DRIVERS\GTwinSER.sys [66912 2003-01-11] (Gemplus)
R3 HOTKEY; C:\WINDOWS\System32\DRIVERS\HOTKEY.SYS [10112 2005-11-25] (Matsushita Electric Industrial Co.,Ltd.)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2007-01-17] (HP)
R3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [202240 2005-11-08] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [997376 2005-11-08] (Conexant Systems, Inc.)
R3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [35968 2005-06-10] (Infineon Technologies AG)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-13] (Malwarebytes)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2010-03-17] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2010-03-17] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R2 pcinfo; C:\Program Files\Panasonic\PCINFO\pcinfo.sys [8192 2005-12-05] (Matsushita Electric Industrial Co., Ltd.) [File not signed]
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [13568 2006-02-28] (Intel Corporation) [File not signed]
R2 SDKEY; C:\Program Files\Panasonic\SDKEY\SDKEY.SYS [8192 2005-04-21] (Matsushita Electric Industrial Co., Ltd.) [File not signed]
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1099336 2005-12-27] (SigmaTel, Inc.)
S3 tosporte; C:\WINDOWS\System32\DRIVERS\tosporte.sys [47104 2005-11-24] (TOSHIBA Corporation) [File not signed]
S3 Tosrfbd; C:\WINDOWS\System32\Drivers\tosrfbd.sys [108800 2005-11-23] (TOSHIBA CORPORATION) [File not signed]
S3 Tosrfbnp; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [36480 2005-09-15] (TOSHIBA Corporation) [File not signed]
S1 Tosrfcom; C:\WINDOWS\System32\Drivers\tosrfcom.sys [64896 2005-08-01] (TOSHIBA Corporation) [File not signed]
S3 Tosrfhid; C:\WINDOWS\System32\DRIVERS\Tosrfhid.sys [62848 2005-12-01] (TOSHIBA Corporation.) [File not signed]
S3 tosrfnds; C:\WINDOWS\System32\DRIVERS\tosrfnds.sys [18612 2005-01-06] (TOSHIBA Corporation.) [File not signed]
S3 Tosrfusb; C:\WINDOWS\System32\Drivers\tosrfusb.sys [36736 2005-11-16] (TOSHIBA CORPORATION) [File not signed]
R3 w39n51; C:\WINDOWS\System32\DRIVERS\w39n51.sys [1428480 2006-02-26] (Intel® Corporation)
R1 WLANSW; C:\Program Files\Panasonic\WLANSW\WLANSW.SYS [7680 2005-02-10] (Matsushita Electric Industrial Co., Ltd.) [File not signed]
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [232064 2005-05-06] (Marvell)
S3 HPZid412; system32\DRIVERS\HPZid412.sys [X]
S3 HPZipr12; system32\DRIVERS\HPZipr12.sys [X]
S4 IntelIde; no ImagePath
S3 MREMP50a64; no ImagePath
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-13 11:20 - 2016-08-13 11:22 - 00019108 _____ C:\Documents and Settings\Administrator\Desktop\FRST.txt
2016-08-13 11:20 - 2016-08-13 11:20 - 00000000 ____D C:\FRST
2016-08-13 11:19 - 2016-08-13 11:19 - 01744384 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2016-08-13 11:02 - 2016-08-13 11:02 - 00000673 _____ C:\Documents and Settings\All Users\Desktop\AVG Protection.lnk
2016-08-13 11:02 - 2016-08-13 11:02 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2016-08-13 11:01 - 2016-08-13 11:01 - 00000000 ___HD C:\$AVG
2016-08-13 09:40 - 2016-08-13 10:56 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\AvgSetupLog
2016-08-13 09:40 - 2016-08-13 09:52 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Avg
2016-08-09 14:59 - 2016-08-13 10:48 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-09 14:59 - 2016-08-09 14:59 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-09 14:59 - 2016-08-09 14:59 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-08-09 14:59 - 2016-08-09 14:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-09 14:59 - 2016-08-09 14:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-08-09 14:59 - 2016-03-10 14:09 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-08-09 14:59 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-08-09 13:45 - 2016-08-09 13:45 - 00019984 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-08-09 11:17 - 2016-08-09 11:17 - 00000650 _____ C:\Documents and Settings\Administrator\Desktop\Firefox.lnk
2016-07-19 12:28 - 2016-07-19 12:28 - 00201472 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgmfx86.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-13 11:22 - 2006-05-12 13:24 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2016-08-13 11:14 - 2009-04-23 18:16 - 00000906 _____ C:\Documents and Settings\Administrator\Desktop\snapr53.txt
2016-08-13 11:06 - 2009-05-26 18:23 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\HPAppData
2016-08-13 11:03 - 2010-12-30 17:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2016-08-13 10:59 - 2009-04-22 16:12 - 00000000 ____D C:\Program Files\AVG
2016-08-13 10:57 - 2014-03-12 18:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG
2016-08-13 10:48 - 2013-07-14 18:44 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-08-13 10:48 - 2006-05-12 05:39 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2016-08-13 10:47 - 2015-07-27 21:58 - 00032644 _____ C:\WINDOWS\SchedLgU.Txt
2016-08-13 10:46 - 2014-03-29 07:44 - 00000238 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-08-13 10:46 - 2006-05-12 13:24 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-13 10:45 - 2006-05-12 13:24 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-08-13 10:43 - 2006-05-12 06:08 - 00000000 ___HD C:\WINDOWS\inf
2016-08-13 10:10 - 2015-04-05 15:56 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adblock Plus for IE
2016-08-13 09:52 - 2011-10-28 18:21 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\AVG
2016-08-13 09:51 - 2006-05-12 13:24 - 00000000 ___RD C:\Documents and Settings\Administrator\My Documents
2016-08-13 09:50 - 2006-05-12 13:24 - 00000000 ____D C:\Documents and Settings\Administrator
2016-08-13 09:41 - 2009-04-22 16:29 - 00000000 __SHD C:\Documents and Settings\Administrator\UserData
2016-08-09 15:17 - 2013-08-14 18:24 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-08-09 15:08 - 2009-05-07 16:40 - 144884648 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-08-09 12:47 - 2006-05-12 05:48 - 00000211 __RSH C:\boot.ini
2016-08-09 12:47 - 2006-05-12 05:39 - 00000638 _____ C:\WINDOWS\win.ini
2016-08-09 12:47 - 2006-05-12 05:38 - 00000227 _____ C:\WINDOWS\system.ini
2016-08-09 11:18 - 2016-06-09 17:17 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-07-27 17:09 - 2009-04-22 20:22 - 00002479 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2016-07-18 19:53 - 2014-01-21 12:57 - 00000412 _____ C:\Documents and Settings\Administrator\My Documents\spider.sav
2016-07-14 19:49 - 2012-05-14 17:15 - 00796352 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-07-14 19:49 - 2011-07-25 16:43 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-07-14 19:49 - 2006-05-12 13:19 - 00000000 ____D C:\WINDOWS\system32\Macromed

==================== Files in the root of some directories =======

2013-02-18 15:21 - 2013-02-18 19:38 - 0000004 _____ () C:\Documents and Settings\Administrator\Application Data\skype.ini
2011-05-15 12:44 - 2011-05-15 12:58 - 0010530 ___SH () C:\Documents and Settings\Administrator\Local Settings\Application Data\0d0w4kk54c0b50x30s4tl5v
2012-06-08 19:38 - 2012-06-08 19:38 - 0034764 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\dt.dat
2011-05-15 12:44 - 2011-05-15 12:58 - 0010530 ___SH () C:\Documents and Settings\All Users\Application Data\0d0w4kk54c0b50x30s4tl5v
2009-05-26 17:31 - 2010-01-30 09:09 - 0007156 _____ () C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Files to move or delete:
====================
C:\Documents and Settings\Administrator\Application Data\skype.ini


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Edited by kmssd, 13 August 2016 - 12:55 PM.


#2 nasdaq (Malware Response Team, 39,531 posts, Montreal, QC, Canada)

Posted 14 August 2016 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program via the Control Panel > Programs > Programs and features.
iWin Games (HKLM\...\iWinArcade) (Version: 2.93 - )



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(iWin Inc.) C:\Program Files\iWin Games\iWinTrusted.exe
HKLM\...\AppCertDlls: [drwteset] -> C:\WINDOWS\system32\asr_down.dll
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
BHO: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-11-20] (Yahoo! Inc)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
R2 iWinTrusted; C:\Program Files\iWin Games\iWinTrusted.exe [216920 2015-08-14] (iWin Inc.)
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [X]
S3 HPZid412; system32\DRIVERS\HPZid412.sys [X]
S3 HPZipr12; system32\DRIVERS\HPZipr12.sys [X]
S4 IntelIde; no ImagePath
S3 MREMP50a64; no ImagePath
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; no ImagePath
U1 WS2IFSL; no ImagePath
C:\Program Files\iWin Games
C:\WINDOWS\system32\asr_down.dll
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 [276]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:290A724C [262]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:E50C1642 [105]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists.
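The fixlist above is assembled by hand from FRST.txt entries that point at files no longer on disk, at the AppCertDlls persistence value, and at the iWin software the poster was asked to remove. As an added example (not from the thread, from nasdaq, or from the FRST tool), this Python script parses a constructed excerpt of the log posted above, flags those entry types plus a caller-supplied watch list, and renders the candidates in the start/End fixlist layout used in this reply; the function names and the SAMPLE_LOG excerpt are assumptions of the example, and its output is a triage aid for a helper to review line by line, not a fix to run unreviewed.

```python
"""Triage helper for FRST.txt logs (added example, not part of the thread or of FRST).

Walks an FRST-style log, tracks the '==== Section ====' banner each line sits
under, and returns the entries a helper would typically consider for a fixlist:
entries whose target file is missing ("No File", "[X]", "no ImagePath"),
AppCertDlls entries (a persistence location: the listed DLL is loaded into
every process that calls CreateProcess), and anything on a caller-supplied
watch list of names or paths (here the iWin Games entries and asr_down.dll
named in the thread).
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
MISSING_FILE_MARKERS = ("No File", "[X]", "no ImagePath")

# Constructed excerpt: a handful of lines copied from the FRST.txt posted above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Av\avgui.exe [5299984 2016-07-28] (AVG Technologies CZ, s.r.o.)
HKLM\...\AppCertDlls: [drwteset] -> C:\WINDOWS\system32\asr_down.dll
==================== Internet (Whitelisted) ====================
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll [2009-01-22] (TechSmith Corporation)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
==================== Services (Whitelisted) ========================
R2 iWinTrusted; C:\Program Files\iWin Games\iWinTrusted.exe [216920 2015-08-14] (iWin Inc.)
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [X]
===================== Drivers (Whitelisted) ==========================
S4 IntelIde; no ImagePath
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
"""


@dataclass
class Finding:
    section: str   # FRST section banner the line was found under
    line: str      # the log line, verbatim, ready to paste into a fixlist
    reason: str    # why the line was flagged


def parse_sections(log_text):
    """Yield (section, line) pairs; section is the last '==== Name ====' banner seen."""
    section = "Header"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        yield section, line


def triage(log_text, watch_list=()):
    """Return Finding objects for lines worth a human's attention, in log order."""
    findings = []
    for section, line in parse_sections(log_text):
        if line.startswith("(If ") or line.startswith("(There is "):
            continue  # FRST's own explanatory note under each banner
        reason = None
        if "AppCertDlls:" in line:
            reason = "AppCertDlls persistence entry"
        elif any(marker in line for marker in MISSING_FILE_MARKERS):
            reason = "entry points at a missing file"
        else:
            hit = next((w for w in watch_list if w.lower() in line.lower()), None)
            if hit is not None:
                reason = f"matches watch list item {hit!r}"
        if reason is not None:
            findings.append(Finding(section, line, reason))
    return findings


def build_fixlist(findings, extra_paths=()):
    """Render candidates in the start/End layout used in the reply above.

    extra_paths are bare file/folder lines (FRST moves those); the caller adds
    them only after deciding the flagged entries really belong in the fix.
    """
    body = ["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    body += [f.line for f in findings]
    body += list(extra_paths)
    body += ["", "End"]
    return "\n".join(body)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, watch_list=("iWin Games", "asr_down.dll"))
    for f in found:
        print(f"[{f.section}] {f.reason}: {f.line}")
    print()
    print(build_fixlist(found, extra_paths=(r"C:\Program Files\iWin Games",)))
```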

#3 kmssd (Topic Starter, Members, 4 posts)

Posted 14 August 2016 - 11:05 AM

Hi nasdaq, thank you for taking time out of your day to help me with this. I read and ran the steps you suggested and the logs are below.

Fixlog.txt contents

Fix result of Farbar Recovery Scan Tool (x86) Version: 11-08-2016 01
Ran by Administrator (2016-08-14 11:16:44) Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(iWin Inc.) C:\Program Files\iWin Games\iWinTrusted.exe
HKLM\...\AppCertDlls: [drwteset] -> C:\WINDOWS\system32\asr_down.dll
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
SearchScopes: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query={searchTerms}&invocationType=tb50trie7
BHO: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-11-20] (Yahoo! Inc)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-2308246308-1038398630-221080490-500 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
R2 iWinTrusted; C:\Program Files\iWin Games\iWinTrusted.exe [216920 2015-08-14] (iWin Inc.)
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [X]
S3 HPZid412; system32\DRIVERS\HPZid412.sys [X]
S3 HPZipr12; system32\DRIVERS\HPZipr12.sys [X]
S4 IntelIde; no ImagePath
S3 MREMP50a64; no ImagePath
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; no ImagePath
U1 WS2IFSL; no ImagePath
C:\Program Files\iWin Games
C:\WINDOWS\system32\asr_down.dll
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 [276]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:290A724C [262]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:E50C1642 [105]

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\iWin Games\iWinTrusted.exe => No running process found
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\\drwteset => value removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}" => key removed successfully.
HKCR\CLSID\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => key not found.
"HKU\S-1-5-21-2308246308-1038398630-221080490-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}" => key removed successfully.
HKCR\CLSID\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" => key removed successfully.
"HKCR\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => value removed successfully.
HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => key not found.
HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => value removed successfully.
HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
"HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}" => key removed successfully.
"HKCR\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" => key removed successfully.
"HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" => key removed successfully.
"HKCR\PROTOCOLS\Handler\linkscanner" => key removed successfully.
"HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}" => key removed successfully.
iWinTrusted => service not found.
AVG Security Toolbar Service => service removed successfully.
HPZid412 => service removed successfully.
HPZipr12 => service removed successfully.
IntelIde => service removed successfully.
MREMP50a64 => service removed successfully.
MREMPR5 => service removed successfully.
MRENDIS5 => service removed successfully.
MRESP50a64 => service removed successfully.
WS2IFSL => service removed successfully.
"C:\Program Files\iWin Games" => not found.
"C:\WINDOWS\system32\asr_down.dll" => not found.
C:\Documents and Settings\All Users\Application Data\TEMP => ":0B4227B4" ADS removed successfully..
C:\Documents and Settings\All Users\Application Data\TEMP => ":290A724C" ADS removed successfully..
C:\Documents and Settings\All Users\Application Data\TEMP => ":E50C1642" ADS removed successfully..

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 66496 B
Java, Flash, Steam htmlcache => 657 B
Windows/system/dllcache/drivers => 681848 B
Edge => 0 B
Chrome => 0 B
Firefox => 368632046 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default User => 82494 B
All Users => 0 B
systemprofile => 96564354 B
LocalService => 3007368 B
NetworkService => 67124 B
Administrator => 440820 B

AdwCleanerCx.txt contents

# AdwCleaner v6.000 - Logfile created 14/08/2016 at 11:47:15
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-13.3 [Server]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : Administrator - YOUR-DA9A3C7920
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner_6.000.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****

[-] Service deleted: YahooAUService


***** [ Folders ] *****

[-] Folder deleted: C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[-] Folder deleted: C:\Documents and Settings\All Users\Documents\Downloaded Installers
[-] Folder deleted: C:\Program Files\driverupdate
[!] Folder not deleted: C:\Program Files\driverupdate
[-] Folder deleted: C:\Program Files\Yahoo!\Companion


***** [ Files ] *****

[-] File deleted: C:\Program Files\Yahoo!\Common\unyt.exe


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\ColaBrowser.LHExplorerBar
[-] Key deleted: HKLM\SOFTWARE\Classes\ColaBrowser.LHExplorerBar.1
[-] Key deleted: HKLM\SOFTWARE\Classes\GPRoot.GPRBEHScriptHost
[-] Key deleted: HKLM\SOFTWARE\Classes\GPRoot.GPRBEHScriptHost.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
[-] Key deleted: HKLM\SOFTWARE\Classes\Search.BrowserWndAPI
[-] Key deleted: HKLM\SOFTWARE\Classes\Search.BrowserWndAPI.1
[-] Key deleted: HKLM\SOFTWARE\Classes\Search.PugiObj
[-] Key deleted: HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin
[-] Key deleted: HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin.6
[-] Key deleted: HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin
[-] Key deleted: HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4
[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin
[-] Key deleted: HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YMERemote.YMECompPlugin
[-] Key deleted: HKLM\SOFTWARE\Classes\YMERemote.YMECompPlugin.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.DataStore
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.DataStore.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.StringList
[-] Key deleted: HKLM\SOFTWARE\Classes\YPUBC.StringList.1
[-] Key deleted: HKLM\SOFTWARE\Classes\yt.CacheLoader
[-] Key deleted: HKLM\SOFTWARE\Classes\yt.CacheLoader.1
[-] Key deleted: HKLM\SOFTWARE\Classes\yt.Clickstream
[-] Key deleted: HKLM\SOFTWARE\Classes\yt.Clickstream.1
[-] Key deleted: HKLM\SOFTWARE\Classes\yt.YTHelper
[-] Key deleted: HKLM\SOFTWARE\Classes\yt.YToolbarBand
[-] Key deleted: HKLM\SOFTWARE\Classes\YTabBar.YTabBarControl
[-] Key deleted: HKLM\SOFTWARE\Classes\YTabBar.YTabBarControl.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ytbbroker.YTBAutoUpdaterAssistant
[-] Key deleted: HKLM\SOFTWARE\Classes\ytbbroker.YTBAutoUpdaterAssistant.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ytbbroker.YTBCustomizerAssistant
[-] Key deleted: HKLM\SOFTWARE\Classes\ytbbroker.YTBCustomizerAssistant.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ytbbroker.YTBMessengerAssistant
[-] Key deleted: HKLM\SOFTWARE\Classes\ytbbroker.YTBMessengerAssistant.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YTBM.YTBMButton
[-] Key deleted: HKLM\SOFTWARE\Classes\YTBM.YTBMButton.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YTNavAssist.NameSpaceCF
[-] Key deleted: HKLM\SOFTWARE\Classes\YTNavAssist.NameSpaceCF.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YTNavAssist.NameSpacePP
[-] Key deleted: HKLM\SOFTWARE\Classes\YTNavAssist.NameSpacePP.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YTNavAssist.YTNavAssistPlugin
[-] Key deleted: HKLM\SOFTWARE\Classes\YTNavAssist.YTNavAssistPlugin.1
[-] Key deleted: HKLM\SOFTWARE\Classes\YTSingleInstance.SingleInstance
[-] Key deleted: HKLM\SOFTWARE\Classes\YTSingleInstance.SingleInstance.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{35860EFB-1589-4F32-A618-99E847A502B2}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{39DCCEAF-C749-4390-9953-527CF916935C}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9F9C4C5C-2BA8-4E00-A697-9F710BB1026B}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{B7A0E898-93E5-43f4-B99A-6C70B303699C}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{C60CCE95-6AF9-4E74-B66B-3212D19F1D2F}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{D40A62D1-8FC0-4F03-90C4-0DE03BE73A41}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{DDCED22E-D018-471D-9A5C-A4EA2F21133D}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E1A2D448-6334-45ec-8800-6D7F71DC87FC}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{F51C15D4-3D0A-4DBA-A095-EBCC09F24DA2}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{F9A10D86-182A-4946-869B-70C3D109D14D}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{FBE30D66-39A2-4b72-8B43-6D4C335A6F34}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{63EDCDD3-8AFC-4358-A90F-F7FB8F5C64FF}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BD5843ED-13C4-4EFF-ACE9-56CEE22BC087}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{F56ACA29-1C99-40F1-AC64-2E44C4F6BC71}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{11D5E9EA-3117-4389-8E58-742F0975C980}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{12D3E096-0FDF-42CC-8F44-04944F9C1648}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{22389F39-2CF4-47C4-B8B2-273BB16BF70C}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{23E3CEB3-D63A-433E-A5D0-4DB1C501B915}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{26A3152F-CF87-4C5B-8093-4D4B9EC084EB}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{2723E96B-905F-4C64-8999-D868A08E6370}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{29E3319C-4B3C-479F-8692-BDD2CA30BEDD}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{2FCB4E7E-E5C7-4D07-BB2C-78DF2DA867AD}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{367BD1CD-74A3-451F-B1A4-6A2DE4129A2D}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{3D592FCB-FEFD-43A6-9A4F-BDE2D4607D07}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{49F018EE-F362-4B5B-8EC8-BCF9246ABF21}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{63B73044-FC1A-4FE1-991B-FDBD4CDAA868}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{67E5E37C-E6B8-4782-877D-E9437C4CD982}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{686D40BC-FA43-4317-8474-E634E6B487F2}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{7207E52B-821E-4C05-A8D6-2965B2BE77CF}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{863FCF5D-DC39-4DA9-AF32-CB0025990EEE}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{A310B105-FB7D-4497-A7E8-E046462B012F}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{B09E015A-4D4E-4F8D-A436-95E19140947D}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{B1E712C4-03AA-495F-B0F5-0F057E126E2A}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{D13DC65C-C77B-4986-9078-DEA3D34C71BB}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{DF522774-8CA0-4B15-A93A-5F61AB95DA1C}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{F9A10D86-182A-4946-869B-70C3D109D14D}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{AD34BE7D-2603-43DD-8D1F-E4431D42C44E}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{B82D18E0-1649-48DE-92D7-AA89BBB5F0AD}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{D2EA97F6-6235-4B2D-B5AA-A4472B9CE557}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{0548C79F-7B8C-455D-B228-97D35371BB62}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{4A1E52AC-64F2-49E9-BFD7-0806D9494DBB}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{61A2027D-B837-4080-A925-6E30E10DEF32}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{78DB07DF-483E-4829-AB44-ED7952083584}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{8A1AB044-787D-4309-8410-709768E484AB}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{A2C55651-A23E-43CA-B63D-C10B99EFF7E0}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
[-] Key deleted: HKU\.DEFAULT\Software\AVG Secure Search
[-] Key deleted: HKU\.DEFAULT\Software\AVG Security Toolbar
[-] Key deleted: HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\SlimWare Utilities Inc
[-] Key deleted: HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\Yahoo\Companion
[-] Key deleted: HKU\S-1-5-21-2308246308-1038398630-221080490-500\Software\Yahoo\YFriendsBar
[#] Key deleted on reboot: HKU\S-1-5-18\Software\AVG Secure Search
[#] Key deleted on reboot: HKU\S-1-5-18\Software\AVG Security Toolbar
[#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\Yahoo\YFriendsBar
[-] Key deleted: HKLM\SOFTWARE\AVG Secure Search
[-] Key deleted: HKLM\SOFTWARE\AVG Security Toolbar
[-] Key deleted: HKLM\SOFTWARE\Trymedia Systems
[-] Key deleted: HKLM\SOFTWARE\Yahoo\Companion
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Eusing Free Registry Cleaner
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Eusing Free Registry Cleaner
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YCAPlugin.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YPUBC.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\yt.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YTabBar.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\ytbbroker.EXE
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YTBM.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YTMsgr.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YTNavAssist.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YTSingleInstance.DLL


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [12461 Bytes] - [14/08/2016 11:47:15]
C:\AdwCleaner\AdwCleaner[S0].txt - [11909 Bytes] - [14/08/2016 11:37:11]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [12609 Bytes] ##########

With this being my uncle's computer, I've not been able to bring the virus popup back apart from restoring his Firefox session when I first started his computer after he brought it to me. That is why I ran all his scans (which found nothing) and came here. He said it happened twice from some tractor parts website he found through Yahoo search. I could use his computer for web browsing to see if anything happens, at which point I'll let you know here.
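The AdwCleaner log posted above is what the helper reads to confirm that the clean actually took: the `driverupdate` folder is reported both deleted and not deleted, and several keys were only deleted on reboot. As an added example (not part of this thread, and not code from AdwCleaner or BleepingComputer), the Python script below parses a log in that format and lists every target whose removal did not complete; the embedded sample log is constructed, modelled on the one posted above.

```python
"""Summarise an AdwCleaner 6.x clean-mode log and flag items needing follow-up."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the AdwCleaner[C0].txt posted in the thread
# (not the real file): a folder reported both deleted and not deleted, plus a
# registry key whose removal was deferred to the next reboot.
SAMPLE_LOG = """\
# AdwCleaner v6.000 - Logfile created 14/08/2016 at 11:47:15
# Database : 2016-08-13.3 [Server]
# Mode: Clean

***** [ Services ] *****

[-] Service deleted: YahooAUService

***** [ Folders ] *****

[-] Folder deleted: C:\\Program Files\\driverupdate
[!] Folder not deleted: C:\\Program Files\\driverupdate
[-] Folder deleted: C:\\Program Files\\Yahoo!\\Companion

***** [ Registry ] *****

[-] Key deleted: HKLM\\SOFTWARE\\AVG Secure Search
[#] Key deleted on reboot: HKCU\\Software\\Yahoo\\Companion
"""

HEADER_RE = re.compile(r"^# (?P<key>[^:]+?)\s*: (?P<value>.+)$")
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+?) \] \*{5}$")
ENTRY_RE = re.compile(r"^\[(?P<tag>[-!#])\] (?P<action>[^:]+): (?P<target>.+)$")

# Prefix meanings as AdwCleaner prints them: [-] done, [!] failed, [#] deferred.
STATUS = {"-": "done", "!": "failed", "#": "pending_reboot"}


def parse_adwcleaner_log(text):
    """Return (header fields, {section name: [(status, action, target), ...]})."""
    header, sections, current = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := HEADER_RE.match(line)):
            header[m["key"].strip()] = m["value"].strip()
        elif (m := SECTION_RE.match(line)):
            current = m["name"]
        elif (m := ENTRY_RE.match(line)) and current:
            sections[current].append((STATUS[m["tag"]], m["action"], m["target"]))
    return header, dict(sections)


def follow_up_items(sections):
    """Targets whose removal did not complete. A target may appear more than once
    (e.g. 'deleted' then 'not deleted'); the later line is its final state."""
    final = {}
    for entries in sections.values():
        for status, _action, target in entries:
            final[target] = status
    return sorted(target for target, status in final.items() if status != "done")


if __name__ == "__main__":
    hdr, secs = parse_adwcleaner_log(SAMPLE_LOG)
    print(f"AdwCleaner mode: {hdr.get('Mode')}, sections: {list(secs)}")
    for item in follow_up_items(secs):
        print("needs follow-up:", item)
```

Anything the script lists should be re-checked after the reboot (a second AdwCleaner scan, or a fresh FRST log) before the machine is declared clean.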



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 14 August 2016 - 12:49 PM

I will leave this topic open for 6 days; if you need to return, please do.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 kmssd

kmssd
  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:30 AM

Posted 17 August 2016 - 07:49 AM

I believe the computer is clean. I have been using it a lot to see if that pop-up reappears; thankfully it hasn't.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 17 August 2016 - 08:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



