Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Odd Hiding Virus Problem

  • Please log in to reply
1 reply to this topic

#1 Hyenadon


  • Members
  • 1 posts

Posted 10 September 2016 - 09:59 AM



I've been having this odd problem, my computer was infected with a virus and I removed it through many sessions of malware bits and antivirus, but I think there's a remnant of the virus hiding away somewhere in my computer. So far my spyware cannot find it and says there's nothing there, but every time I start up xSplit there's pops up on twitch alerts link in like it would pop up in a web page. When I open up firefox, chrome, and IE this doesn't happen at all but somehow the infection is making the pop ups when xSplit tries to connect to twitch alerts. Any ideas of where the virus could be hiding? I've tried scanning the xSplit folder and nothing is showing up. Attached File  virus.jpg   74.16KB   0 downloadsAttached File  bugthing.png   79.61KB   0 downloads




Attached File  FRST.txt   865.95KB   8 downloads

Attached File  Addition.txt   135.51KB   2 downloads


Revised in: Unfortunately my computer keeps freezing up when I try to copy and paste. 

Edited by Hyenadon, 10 September 2016 - 10:21 AM.

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:56 PM

Posted 12 September 2016 - 08:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Remove these programs via the Control Panel > programs > Programs and Features.
Amazon 1Button App (x32 Version: 2.3.4 - Amazon) Hidden <==== ATTENTION
AVG SafeGuard toolbar (HKLM-x32\...\AVG SafeGuard toolbar) (Version: - AVG Technologies)
StreamOptimizer (HKU\S-1-5-21-2639983801-997881072-764508990-1005\...\StreamOptimizer) (Version: - ) <==== ATTENTION
Yahoo Search Set (HKLM-x32\...\Yahoo! SearchSet) (Version: - Yahoo Inc.)

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.


(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.5.0\ToolbarUpdater.exe
() C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [1707080 2016-08-22] ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShortcutTarget: Curse.lnk -> C:\Users\hyena_000\AppData\Roaming\Curse Client\Bin\Curse.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2639983801-997881072-764508990-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2639983801-997881072-764508990-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com?cid={7FAE5712-42B2-4C9C-B568-F3D273886C8C}&mid=143664b8174a47cda1d90982cc8a89fd-b1839ac5948fbc7b3111d5dd9f46240a5ca8f90f&lang=en&ds=oc011&coid=avgtbdisoc&cmpid=0715tb&pr=sa&d=2015-07-02 23:58:43&v=
SearchScopes: HKU\S-1-5-21-2639983801-997881072-764508990-1002 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={7FAE5712-42B2-4C9C-B568-F3D273886C8C}&mid=143664b8174a47cda1d90982cc8a89fd-b1839ac5948fbc7b3111d5dd9f46240a5ca8f90f&lang=en&ds=oc011&coid=avgtbdisoc&cmpid=0715tb&pr=sa&d=2015-07-02 23:58:43&v={searchTerms}
SearchScopes: HKU\S-1-5-21-2639983801-997881072-764508990-1005 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={7FAE5712-42B2-4C9C-B568-F3D273886C8C}&mid=143664b8174a47cda1d90982cc8a89fd-b1839ac5948fbc7b3111d5dd9f46240a5ca8f90f&lang=en&ds=oc011&coid=avgtbdisoc&cmpid=0716tb&pr=sa&d=2015-07-02 23:58:43&v={searchTerms}
Toolbar: HKLM - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\\AVG SafeGuard toolbar_toolbar.dll [2016-08-22] (AVG Secure Search)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\\AVG SafeGuard toolbar_toolbar.dll [2016-08-22] (AVG Secure Search)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\19.5.0\ViProtocol.dll [2016-08-22] (AVG Secure Search)
FF DefaultSearchEngine: AVG Secure Search
FF SelectedSearchEngine: AVG Secure Search
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\19.5.0\\npsitesafety.dll [No File]
FF SearchPlugin: C:\Users\hyena_000\AppData\Roaming\Mozilla\Firefox\Profiles\qxmqen4w.default\searchplugins\avg-secure-search.xml [2016-08-22]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml [2016-08-22]
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=G8Lzftptn095001AU,4af29e1c-502d-4124-8a07-8c51815ec2a2,&vp=ch&prd=set_ch"
CHR Extension: (BetterTTV) - C:\Users\hyena_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-07-17]
CHR Extension: (TwitchAlerts Stream Labels) - C:\Users\hyena_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgmggmdngboajiakmbpdknfpdelbjbcg [2016-08-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\hyena_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Trend Micro Toolbar) - C:\Users\hyena_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf [2016-09-02]
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nogdfjjfhknacchjpiccacoimeelkajb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
R2 Amazon 1Button App Service; C:\Program Files (x86)\Amazon\Amazon1ButtonApp\Amazon1ButtonService64.Exe [436032 2016-02-17] (Amazon Inc.)
R2 vToolbarUpdater19.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.5.0\ToolbarUpdater.exe [1277512 2016-08-22] (AVG Secure Search)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
CustomCLSID: HKU\S-1-5-21-2639983801-997881072-764508990-1005_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-63D282E6467D}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
Task: {08EC785E-FA56-4FC2-B34D-E4B6D0F3F8A9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {0FBBFF66-4B43-422C-8AF9-F1C35FD8D430} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {18954005-7766-43C8-863A-17496B3F1010} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {235389BE-6DC3-4363-87F5-A76EF4498371} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {24B59A12-D3E9-4AD7-9856-A7B86C039248} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {2DF54520-AD0C-4AD5-B3C3-B70095DC161F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {390DE366-F25A-4158-831C-CD141F515E14} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {523D9675-BEA9-458B-94FE-CAD282411E54} - \WPD\SqmUpload_S-1-5-21-2639983801-997881072-764508990-1002 -> No File <==== ATTENTION
Task: {737782E1-CFCC-44A9-A634-6E81A47BB1A6} - \GTFKUNKLETOWN -> No File <==== ATTENTION
Task: {849CBC56-5BDE-46F1-92BD-4D3B6A67655F} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {890EBE30-A58E-4AA8-A42F-E52AE75D060D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {8C78883E-EC67-4541-9604-90A091ED13BA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {98E13A7B-F6B9-4B41-82AE-2C73B273754E} - System32\Tasks\{574F279D-8F09-9953-DCE8-F26D6B5B3C28} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\b85ff8c5\f6fae1b3.dll" <==== ATTENTION
Task: {A9D04656-6C4E-40B6-83DC-BD71C66738E2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {B7B17940-4FB3-4D5D-AF90-0A88C6E6B71B} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {D85F4BAF-EB94-404F-BE11-227AC9CD5AD7} - \Chromium -> No File <==== ATTENTION
Task: {DFB53064-AC15-4407-ABF2-5A34D1463AB4} - \WPD\SqmUpload_S-1-5-21-2639983801-997881072-764508990-1001 -> No File <==== ATTENTION
Task: {FFF00A69-C9DB-4792-A125-8C8B4DB79A80} - \WPD\SqmUpload_S-1-5-21-2639983801-997881072-764508990-1005 -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Chromium.job => C:\Users\Jessica\AppData\Local\Chromium\APPLIC~1\450244~1.0\INSTAL~1\UNINST~1.EXE
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->
C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
C:\Program Files (x86)\SrpnFiles

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

I suggest you remove all traces of AVG from this computer.
Download and run the Removal tool suggested on this site.

Please post the Fixlog and let me know what problem persists.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users