
Firefox redirecting upon opening, false microsoft ads saying files will delete


10 replies to this topic

#1 Tsuki17 (Members, 43 posts)

Posted 22 February 2017 - 04:10 PM

Upon opening Firefox, my Grandmother's computer is redirecting immediately to a pop-up that says it's from Microsoft and that unless she calls xxx phone number her files will be deleted. It's not ransomware, I think, as it's able to be closed from Task Manager and nothing appears affected. The address for the site also mentions termination pest control or something like that, if that's any help. IE doesn't seem affected by it at the moment, but I didn't really try much on it. It started 2 weeks ago and I booted into safe mode without networking and ran Malwarebytes and Microsoft Essentials, which found a few things and they were quarantined. Everything seemed fine until today. It's just like before, so it's something I'm unable to find. I'm worried because before she called me she clicked through a few prompts on the fake ad, even though I've told her before not to. I'm also hoping to get a recommendation of something that could be added to her browsers, IE9 (she doesn't want this gone) and Firefox (I'm finally convincing and getting her to use this), that could potentially help prevent this in the future, and she also needs a good freeware replacement for Microsoft Essentials as she's on Windows Vista, if that's possible? In advance, thank you for any and all help! :)

 

FRST Report:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-02-2017 01
Ran by Mams Speed Machine (administrator) on MAMSSPEEDMAC-PC (22-02-2017 15:56:26)
Running from C:\Users\Mams Speed Machine\Downloads
Loaded Profiles: Mams Speed Machine (Available Profiles: Mams Speed Machine)
Platform: Windows Vista ™ Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
() C:\Program Files (x86)\Nova Development\Print Artist Craft Studio\ReminderApp.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
() C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP Remote Software] => C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2008-12-04] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Health Check Scheduler] => c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75016 2008-12-04] (Hewlett-Packard)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] => c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe [210216 2009-02-02] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe [1328424 2009-04-10] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe [185640 2009-04-10] (CyberLink)
HKLM-x32\...\Run: [DVDAgent] => c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [1148200 2009-03-19] (CyberLink Corp.)
HKLM-x32\...\Run: [WinPatrol] => "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ReminderApp_EEAC3053-7055-4143-B8A0-306758055099] => C:\Program Files (x86)\Nova Development\Print Artist Craft Studio\ReminderApp.exe [139776 2013-05-30] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-575212393-84608004-1612600079-1000\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1689144 2010-06-29] (Hewlett-Packard)
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2006-11-02] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk [2011-07-23]
ShortcutTarget: NETGEAR WG111v3 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk [2009-05-01]
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{004DD533-337D-4FA5-A83E-81CD6DCB1AB4}: [DhcpNameServer] 24.197.160.17 24.197.160.18
Tcpip\..\Interfaces\{6AF8589A-9D57-4A20-AA3D-C262D4AB88A8}: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{BF3B7F7A-3782-453D-A658-63A8AC5D09D9}: [DhcpNameServer] 97.81.22.195 24.177.176.38 24.178.162.3

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-575212393-84608004-1612600079-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aol.com
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Old Start Page = hxxp://www.aol.com/
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com/?ocid=EIE9HP&PC=UP51
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {E4AC6792-B4AA-4C34-9858-E84C94B89383} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-21] (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-21] (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-24] (Oracle Corporation)
BHO-x32: ChromeFrame BHO -> {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} -> C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll [2014-02-01] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-21] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-21] (Google Inc.)
Toolbar: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-21] (Google Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll [2014-02-01] (Google Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default [2017-02-22]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\35smt0z2.default -> Google
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\35smt0z2.default -> Google
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\35smt0z2.default -> Yahoo
FF SearchEngineOrder.2: Mozilla\Firefox\Profiles\35smt0z2.default ->
FF Homepage: Mozilla\Firefox\Profiles\35smt0z2.default -> hxxp://www.aol.com/
FF NetworkProxy: Mozilla\Firefox\Profiles\35smt0z2.default -> type", 0
FF Extension: (BeFrugal Coupons Add-On) - C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\Extensions\shopcbtoolbar2@befrugal.com [2016-05-11]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\features\{97266037-762f-4d15-b352-7e27062eef99}\disableSHA1rollout@mozilla.org.xpi [2017-02-18]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-22] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - C:\Program Files (x86)\Fiddler2\FiddlerHook
FF Extension: (FiddlerHook) - C:\Program Files (x86)\Fiddler2\FiddlerHook [2009-12-24] [not signed]
FF HKU\S-1-5-21-575212393-84608004-1612600079-1000\...\Firefox\Extensions: [moveplayer@movenetworks.com] - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks
FF Extension: (Move Media Player) - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks [2009-11-26] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-14] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-24] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll [2014-11-14] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-575212393-84608004-1612600079-1000: @movenetworks.com/Quantum Media Player -> C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll [2009-11-26] (Move Networks)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 HP Health Check Service; c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-12-04] (Hewlett-Packard) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-03-17] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.266\McCHSvc.exe [289256 2015-12-02] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S3 athrusb; C:\Windows\System32\DRIVERS\athrxusb.sys [1064448 2007-11-29] (Atheros Communications, Inc.)
S1 Beep; no ImagePath
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R2 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-22 15:56 - 2017-02-22 15:57 - 00017733 _____ C:\Users\Mams Speed Machine\Downloads\FRST.txt
2017-02-22 15:55 - 2017-02-22 15:55 - 02423296 _____ (Farbar) C:\Users\Mams Speed Machine\Downloads\FRST64.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-22 15:56 - 2014-02-12 18:20 - 00000000 ____D C:\FRST
2017-02-22 15:55 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-22 15:55 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-22 15:51 - 2016-11-16 19:14 - 00000000 ____D C:\Users\Mams Speed Machine\AppData\LocalLow\Mozilla
2017-02-22 15:05 - 2012-05-18 12:14 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-02-22 14:24 - 2012-03-16 06:47 - 00003766 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E99DC1AA-56A1-4C6A-BDFB-9C99CD6B1991}
2017-02-22 13:37 - 2014-03-26 17:19 - 00000000 ____D C:\Users\Mams Speed Machine\AppData\Roaming\HpUpdate
2017-02-20 10:35 - 2009-05-01 01:24 - 00003600 _____ C:\Windows\System32\Tasks\HP Health Check
2017-02-14 16:38 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\PolicyDefinitions
2017-02-14 16:00 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\system32\spool
2017-02-14 16:00 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\system32\Msdtc
2017-02-14 16:00 - 2006-11-02 07:33 - 78118912 _____ C:\Windows\system32\config\software_previous
2017-02-14 16:00 - 2006-11-02 07:33 - 22282240 _____ C:\Windows\system32\config\system_previous
2017-02-14 15:59 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\registration
2017-02-14 15:54 - 2006-11-02 07:33 - 81002496 _____ C:\Windows\system32\config\components_previous
2017-02-14 15:54 - 2006-11-02 07:33 - 00262144 _____ C:\Windows\system32\config\sam_previous
2017-02-14 15:05 - 2012-05-18 12:14 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-02-14 15:05 - 2012-05-18 12:14 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-02-14 15:05 - 2012-05-18 12:14 - 00000000 ____D C:\Windows\system32\Macromed
2017-02-14 15:05 - 2011-07-10 00:34 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-14 15:05 - 2009-05-01 00:52 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-02-14 13:51 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\inf
2017-02-14 13:51 - 2006-11-02 07:46 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-14 13:49 - 2009-08-15 17:53 - 00000000 ____D C:\Users\Mams Speed Machine
2017-02-14 13:44 - 2006-11-02 10:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-14 12:52 - 2006-11-02 07:33 - 01310720 _____ C:\Windows\system32\config\default_previous
2017-02-14 12:52 - 2006-11-02 07:33 - 00262144 _____ C:\Windows\system32\config\security_previous
2017-02-10 12:40 - 2015-10-07 20:14 - 00000000 ____D C:\Users\Mams Speed Machine\Desktop\Mam's Election Stuff
2017-02-07 15:43 - 2016-11-16 18:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-07 15:43 - 2012-06-10 15:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-02-07 15:42 - 2006-11-02 10:42 - 00032572 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-03 17:30 - 2015-05-09 21:53 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-24 00:27 - 2014-08-15 12:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-01-24 00:27 - 2013-04-30 13:25 - 00000000 ____D C:\Program Files (x86)\Java
2017-01-24 00:25 - 2014-08-15 12:25 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

==================== Files in the root of some directories =======

2009-08-22 07:30 - 2016-11-03 16:12 - 0009966 _____ () C:\Users\Mams Speed Machine\AppData\Roaming\wklnhst.dat
2009-08-15 19:54 - 2016-12-16 19:01 - 0005324 _____ () C:\Users\Mams Speed Machine\AppData\Local\d3d9caps.dat
2011-07-20 19:39 - 2015-10-23 03:58 - 0000732 _____ () C:\Users\Mams Speed Machine\AppData\Local\d3d9caps64.dat
2011-02-01 03:31 - 2014-04-29 09:36 - 0007680 _____ () C:\Users\Mams Speed Machine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-02-11 14:43 - 2014-02-11 14:44 - 0353964 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistMSI08F9.txt
2014-02-11 14:43 - 2014-02-11 14:44 - 0014814 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistUI08F9.txt
2010-12-28 20:51 - 2010-12-28 20:51 - 1771963 _____ () C:\Users\Mams Speed Machine\AppData\Local\tmpPC280334.JPG
2010-03-29 19:18 - 2014-12-27 02:15 - 0012716 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
2017-01-24 00:11 - 2017-01-24 00:11 - 0739904 _____ (Oracle Corporation) C:\Users\Mams Speed Machine\AppData\Local\temp\jre-8u121-windows-au.exe
2016-04-21 00:24 - 2016-04-21 00:24 - 0739904 _____ (Oracle Corporation) C:\Users\Mams Speed Machine\AppData\Local\temp\jre-8u91-windows-au.exe
2014-12-27 01:58 - 2010-05-04 12:46 - 0353112 _____ (Microsoft Corporation) C:\Users\Mams Speed Machine\AppData\Local\temp\MSNA58C.exe
2014-02-17 15:18 - 2010-05-04 12:46 - 0353112 _____ (Microsoft Corporation) C:\Users\Mams Speed Machine\AppData\Local\temp\MSND9E5.exe
2014-01-28 07:33 - 2014-02-17 08:55 - 0360071 _____ () C:\Users\Mams Speed Machine\AppData\Local\temp\Quarantine.exe
2017-02-22 15:53 - 2017-02-22 15:53 - 0011432 ____T (Tarma Software Research Pty Ltd) C:\Users\Mams Speed Machine\AppData\Local\temp\_TinDel.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-14 13:54

==================== End of FRST.txt ============================


#2 shelf life (Malware Response Team, 2,651 posts)

Posted 25 February 2017 - 09:23 AM

Hi,

 

If you still need help, you can see if AdwCleaner can drag anything up. After that you can reset Firefox back to its defaults. We can go from there.

I'm usually only on the site once or twice per day, so you may not get a reply back from me until the following day.

 

Please download AdwCleaner and save it to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Double-click to start AdwCleaner.
    Accept the disclaimer.
    Click on the Scan button.
    Once the scan is done, click the Clean button.
    Press OK when asked to close all programs and follow the on-screen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

To "refresh" Firefox see this link:

https://malwaretips.com/blogs/reset-firefox-settings/

 


How Can I Reduce My Risk to Malware?


#3 Tsuki17 (Topic Starter, Members, 43 posts)

Posted 26 February 2017 - 09:04 PM

I most definitely still need help! Thanks for taking the time to help me. :D

 

AdwCleaner refuses to run. I get a "catastrophic error" message when I try to run it. I'm attaching the jpg of it. Once, I was able to close out the error message and hit Scan, and it looked like it was working, but when it got to the end, after finding 78 threats, the whole thing crashed and it was unable to fix what it found, nor could it generate a report.

 

Do I still go ahead with resetting Firefox?

 

 

 

Attached File: AdwCleanerError.jpg (116.46KB)

 

 

ETA: Once, after the catastrophic message, I got a "*sqlite3.dll is corrupted or has been replaced" message. I got that message when I ran it in safe mode.


Edited by Tsuki17, 26 February 2017 - 09:05 PM.


#4 shelf life (Malware Response Team, 2,651 posts)

Posted 27 February 2017 - 04:56 PM

Let's run FRST to remove some items. Then you can try running AdwCleaner again, and go ahead and reset Firefox also.

 

Copy what's below into Notepad and save it as fixlist.txt in the same location where you have FRST saved.

Start FRST like before, except this time click on the Fix button once.

The machine will reboot to finish. Upon reboot it will display a new log called fixlog.txt, which you can copy/paste in your reply.

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ReminderApp_EEAC3053-7055-4143-B8A0-306758055099] => C:\Program Files (x86)\Nova Development\Print Artist Craft Studio\ReminderApp.exe [139776 2013-05-30] ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-575212393-84608004-1612600079-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com/?ocid=EIE9HP&PC=UP51
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {E4AC6792-B4AA-4C34-9858-E84C94B89383} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]
2009-08-22 07:30 - 2016-11-03 16:12 - 0009966 _____ () C:\Users\Mams Speed Machine\AppData\Roaming\wklnhst.dat
2009-08-15 19:54 - 2016-12-16 19:01 - 0005324 _____ () C:\Users\Mams Speed Machine\AppData\Local\d3d9caps.dat
2011-07-20 19:39 - 2015-10-23 03:58 - 0000732 _____ () C:\Users\Mams Speed Machine\AppData\Local\d3d9caps64.dat
2011-02-01 03:31 - 2014-04-29 09:36 - 0007680 _____ () C:\Users\Mams Speed Machine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-02-11 14:43 - 2014-02-11 14:44 - 0353964 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistMSI08F9.txt
2014-02-11 14:43 - 2014-02-11 14:44 - 0014814 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistUI08F9.txt
2010-12-28 20:51 - 2010-12-28 20:51 - 1771963 _____ () C:\Users\Mams Speed Machine\AppData\Local\tmpPC280334.JPG
2010-03-29 19:18 - 2014-12-27 02:15 - 0012716 _____ () C:\ProgramData\hpzinstall.log
AlternateDataStreams: C:\ProgramData\Temp:0B4227B4 [181]
Empty Temp:

How Can I Reduce My Risk to Malware?


#5 Tsuki17 (Topic Starter)

Posted 27 February 2017 - 09:37 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-02-2017 01
Ran by Mams Speed Machine (27-02-2017 21:21:57) Run:2
Running from C:\Users\Mams Speed Machine\Desktop
Loaded Profiles: Mams Speed Machine (Available Profiles: Mams Speed Machine)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ReminderApp_EEAC3053-7055-4143-B8A0-306758055099] => C:\Program Files (x86)\Nova Development\Print Artist Craft Studio\ReminderApp.exe [139776 2013-05-30] ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-575212393-84608004-1612600079-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com/?ocid=EIE9HP&PC=UP51
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {E4AC6792-B4AA-4C34-9858-E84C94B89383} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]
2009-08-22 07:30 - 2016-11-03 16:12 - 0009966 _____ () C:\Users\Mams Speed Machine\AppData\Roaming\wklnhst.dat
2009-08-15 19:54 - 2016-12-16 19:01 - 0005324 _____ () C:\Users\Mams Speed Machine\AppData\Local\d3d9caps.dat
2011-07-20 19:39 - 2015-10-23 03:58 - 0000732 _____ () C:\Users\Mams Speed Machine\AppData\Local\d3d9caps64.dat
2011-02-01 03:31 - 2014-04-29 09:36 - 0007680 _____ () C:\Users\Mams Speed Machine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-02-11 14:43 - 2014-02-11 14:44 - 0353964 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistMSI08F9.txt
2014-02-11 14:43 - 2014-02-11 14:44 - 0014814 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistUI08F9.txt
2010-12-28 20:51 - 2010-12-28 20:51 - 1771963 _____ () C:\Users\Mams Speed Machine\AppData\Local\tmpPC280334.JPG
2010-03-29 19:18 - 2014-12-27 02:15 - 0012716 _____ () C:\ProgramData\hpzinstall.log
AlternateDataStreams: C:\ProgramData\Temp:0B4227B4 [181]
Empty Temp:
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ReminderApp_EEAC3053-7055-4143-B8A0-306758055099 => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-575212393-84608004-1612600079-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E4AC6792-B4AA-4C34-9858-E84C94B89383} => key removed successfully
HKCR\CLSID\{E4AC6792-B4AA-4C34-9858-E84C94B89383} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-575212393-84608004-1612600079-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-575212393-84608004-1612600079-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f} => key removed successfully
HKCR\CLSID\{b0441a0e-a49a-4e16-afc1-74ecced1921f} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key removed successfully
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key not found.
HKLM\System\CurrentControlSet\Services\IpInIp => key removed successfully
IpInIp => service removed successfully
HKLM\System\CurrentControlSet\Services\NwlnkFlt => key removed successfully
NwlnkFlt => service removed successfully
HKLM\System\CurrentControlSet\Services\NwlnkFwd => key removed successfully
NwlnkFwd => service removed successfully
HKLM\System\CurrentControlSet\Services\RTL8187 => key removed successfully
RTL8187 => service removed successfully
C:\Users\Mams Speed Machine\AppData\Roaming\wklnhst.dat => moved successfully
C:\Users\Mams Speed Machine\AppData\Local\d3d9caps.dat => moved successfully
C:\Users\Mams Speed Machine\AppData\Local\d3d9caps64.dat => moved successfully
C:\Users\Mams Speed Machine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistMSI08F9.txt => moved successfully
C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistUI08F9.txt => moved successfully
C:\Users\Mams Speed Machine\AppData\Local\tmpPC280334.JPG => moved successfully
C:\ProgramData\hpzinstall.log => moved successfully
C:\ProgramData\Temp => ":0B4227B4" ADS removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 282755818 B
Java, Flash, Steam htmlcache => 106366 B
Windows/system/drivers => 258976322 B
Edge => 0 B
Chrome => 0 B
Firefox => 498214197 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 18785324 B
systemprofile32 => 17978963 B
LocalService => 17162800 B
LocalService => 0 B
NetworkService => 49540360 B
NetworkService => 0 B
Mams Speed Machine => 3125542810 B

RecycleBin => 0 B
EmptyTemp: => 4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:23:04 ====

 

 

I still get a catastrophic error with AdwCleaner even after running the fixlist and deleting and redownloading it. I was able to refresh Firefox. :D
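The Fixlog above is easier to read once you know which FRST entry shapes are worth a second look: the `<======= ATTENTION` marker FRST puts on browser policy restrictions, `=> No File` on BHO or Run entries whose DLL is gone, `[X]` on services whose driver file is missing, `[not signed]` on Firefox extensions, and SearchScopes entries with an empty URL. As an added example (not code from this thread, from FRST's author or from BleepingComputer), the Python below runs a small review-list pass over a constructed sample of such lines copied in shape from the logs in this thread, and parses autorun entries into fields. The rule keys, the `RunEntry` fields and the sample lines are my own choices; a hit means "look at this", not "this is malicious", as the orphaned Java BHO and the HP tool with an empty publisher field show.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample made of FRST-style entries of the kinds seen in this
# thread (not a complete log); line shapes copied from the fixlist and scan output.
SAMPLE_FRST = r"""
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]
FF Extension: (FiddlerHook) - C:\Program Files (x86)\Fiddler2\FiddlerHook [2009-12-24] [not signed]
FF Extension: (Bitdefender QuickScan) - C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\pv9btp2c.default-1488248876040\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2017-03-05]
HKLM\...\Run: [HP Remote Software] => C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
"""

# Each rule: (short key, pattern, why a human should look at the line).
# Keys and wording are this example's own, not FRST terminology.
RULES = [
    ("attention",      re.compile(r"<=+ ATTENTION$"),                   "FRST marked this entry itself (here: a browser policy restriction)"),
    ("orphan-file",    re.compile(r"=> No File$"),                      "entry points at a file that no longer exists"),
    ("orphan-service", re.compile(r"^S\d \S+; .*\[X\]$"),               "service/driver whose binary is missing"),
    ("unsigned-ext",   re.compile(r"^FF Extension: .*\[not signed\]$"), "Firefox extension without a signature"),
    ("empty-scope",    re.compile(r"^SearchScopes: .* URL =$"),         "search scope with an empty URL"),
    ("no-scope",       re.compile(r"DefaultScope value is missing$"),   "default search scope missing"),
    ("no-publisher",   re.compile(r"^HK.*\\Run: \[.*\] => .* \(\)$"),   "autorun entry with an empty publisher field"),
]

# Autorun lines: HIVE\...\Run: [Name] => target [size date] (Publisher)
RUN_RE = re.compile(
    r"^(?P<hive>HK.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<target>.*?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])? \((?P<publisher>[^)]*)\)$"
)


@dataclass
class Finding:
    key: str
    reason: str
    line: str


@dataclass
class RunEntry:
    hive: str
    name: str
    target: str
    publisher: str


def parse_run_entry(line: str) -> RunEntry | None:
    """Split one FRST autorun line into fields; None if the line is not one."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    return RunEntry(m["hive"], m["name"], m["target"], m["publisher"])


def triage_frst(text: str) -> list[Finding]:
    """Return the lines of an FRST log that match a review rule, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for key, pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(key, reason, line))
                break  # one reason per line is enough for a review list
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule key, e.g. {"unsigned-ext": 1, ...}."""
    return dict(Counter(f.key for f in findings))


if __name__ == "__main__":
    hits = triage_frst(SAMPLE_FRST)
    for f in hits:
        print(f"[{f.key}] {f.reason}\n    {f.line}")
    print(summarize(hits))
```

The rules deliberately stop at "review": deciding whether an unsigned extension or an empty publisher field is a problem still takes a person who knows the machine, which is exactly the job the Malware Response Team is doing in this thread.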



#6 shelf life (Malware Response Team)

Posted 28 February 2017 - 08:01 PM

Hold off on running AdwCleaner. Do you see the popup only in Firefox, or in Internet Explorer also?

Can you tell if it's a local popup, or is the browser really getting redirected to a website, and then you get the popup?

Try disabling any add-ons, plugins or extensions in Firefox to see if it's one of those, especially if it's something you don't recognize or installed yourself.

Come to think of it, a Firefox refresh might set all these back to defaults anyway; not sure. You can look and check: Tools > Add-ons.




#7 Tsuki17 (Topic Starter)

Posted 28 February 2017 - 09:53 PM

While I was waiting those first couple of days for a response to my initial post, I went through the browser history and found that both times it happened when my Grandmother used the AOL search bar on the AOL page, not the Google search box in the web browser. (Firefox appears to be the only one affected, so far as I can tell.) She has AOL as her homepage. From what I saw in the history, it redirected from the search results immediately to another site and the pop-ups. Both times the pop-ups were the same and she was redirected to the same site. I checked the add-ons, plugins and extensions and disabled one I didn't know at all; the other was a WildTangent app thing. All others were Firefox-installed.

Should I worry that AdwCleaner isn't wanting to run?



#8 Tsuki17 (Topic Starter)

Posted 28 February 2017 - 10:11 PM

Weird, I just got this popup that opened a new tab and then displayed a little message in a box. I closed it all out after taking a screenshot.

Attached File: PopUp.jpg (64.64 KB)

ETA: This happened when I was using google.com, not the search bar attached to the browser itself. It happened after clicking open 3-4 links in new tabs when I was looking up the term "rosie posie". lol

Also, I don't know if I'll have internet access tomorrow. We have severe storms and tornadoes moving through the area tonight and tomorrow, and our internet tends to be fickle when it's stormy and windy. So if I don't respond for a few days, it's because the Internet's down. If that happens I'll see if my friend can post on here for me. (I'm without a smartphone, mine broke, so I'm stuck with an old brick cell until I get a new one... LOL)


Edited by Tsuki17, 01 March 2017 - 03:11 PM.


#9 shelf life (Malware Response Team)

Posted 01 March 2017 - 05:07 PM

OK, thanks for the info. Not sure why AdwCleaner won't run. For sure that's not a legit Firefox critical update. Try running this tool, which is along the lines of AdwCleaner:

Please download Junkware Removal Tool to your desktop.

     https://www.malwarebytes.com/junkwareremovaltool/

    Double-click the icon (or right-click for Vista/W7/8 and select Run as administrator).
    The tool will open and start scanning.
    Please be patient, as this can take a while to complete.
    On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    Post the contents of JRT.txt into your next message.

Also, please rerun FRST like you did the first time to get two new (updated) logs, just to compare. Good luck with the storm. Will be looking for your reply.

You could also do an online scan at one of these:

https://www.eset.com/us/home/online-scanner/

https://www.bitdefender.co.uk/scanner/online/free.html

 




#10 Tsuki17 (Topic Starter)

Posted 05 March 2017 - 01:50 PM

OK! Internet's up and back in business. Sorry for the delay! We came through the storms OK, except for the barn roofs and a storage house roof that got blown and peeled up by the winds. Easily fixed. All in all not bad, nothing dire. :)

Junkware text:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.1 (02.11.2017)
Operating System: Windows ™ Vista Home Premium x64
Ran by Mams Speed Machine (Administrator) on Sun 03/05/2017 at  2:50:15.02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 18

Successfully deleted: C:\ProgramData\apn (Folder)
Successfully deleted: C:\Users\Mams Speed Machine\Appdata\LocalLow\iac (Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1GSEUIE3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\813AL71T (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J3ZFOMTR (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RFVCNC4L (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCOPFQ5Z (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UL12YERW (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQVPRCGS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Mams Speed Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X08R5NM6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1GSEUIE3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\813AL71T (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J3ZFOMTR (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RFVCNC4L (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCOPFQ5Z (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UL12YERW (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQVPRCGS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X08R5NM6 (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/05/2017 at  2:52:39.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

Bitdefender found nothing.

ESET found the following, which I have not cleaned out yet. Is it safe to do so? I've left the scan window open with the results.

Also, not sure why AdwCleaner's showing, unless it was from several years ago when I came to this forum and was told to use it then?


C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EIPlug.dll.vir    Win32/Toolbar.MyWebSearch potentially unwanted application    
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EZSETP.dll.vir    Win32/Toolbar.MyWebSearch potentially unwanted application    
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyPC Backup\MPCBClient.dll.vir    a variant of Win32/MyPCBackup.D potentially unwanted application    
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MyPC Backup\MyPC Backup.exe.vir    a variant of MSIL/MyPCBackup.A potentially unwanted application    
C:\FRST\Quarantine\APNSetup.exe12-02-2014_18-49-08    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application    
C:\FRST\Quarantine\BackupSetup.exe12-02-2014_18-49-08    MSIL/MyPCBackup.D potentially unwanted application,a variant of Win32/MyPCBackup.D potentially unwanted application,a variant of MSIL/MyPCBackup.A potentially unwanted application    
C:\FRST\Quarantine\NP39EISB.dll12-02-2014_18-49-07    Win32/Toolbar.MyWebSearch potentially unwanted application    
C:\FRST\Quarantine\nsbB78F.exe12-02-2014_18-49-09    Win32/Conduit.SearchProtect.V potentially unwanted application,a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    
C:\FRST\Quarantine\nsbE150.exe12-02-2014_18-49-09    Win32/Conduit.SearchProtect.V potentially unwanted application,a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    
C:\FRST\Quarantine\nslDE33.exe12-02-2014_18-49-09    Win32/Conduit.SearchProtect.V potentially unwanted application,a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    
C:\FRST\Quarantine\nswBACB.exe12-02-2014_18-49-09    Win32/Conduit.SearchProtect.V potentially unwanted application,a variant of Win32/Toolbar.Conduit.AU potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\CltMngSvc.exe    a variant of Win32/Conduit.SearchProtect.I potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\SPTool.dll    a variant of Win32/Conduit.SearchProtect.I potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\uninstall.exe    a variant of Win32/Toolbar.Conduit.AR potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\cltmng.exe    a variant of Win32/Conduit.SearchProtect.I potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPTool64.exe    a variant of Win64/Conduit.SearchProtect.A potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC32.dll    a variant of Win32/Conduit.SearchProtect.H potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC32Loader.dll    a variant of Win32/Conduit.SearchProtect.H potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC64.dll    a variant of Win64/Conduit.SearchProtect.A potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC64Loader.dll    a variant of Win64/Conduit.SearchProtect.A potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\bin\cltmngui.exe    a variant of Win32/Conduit.SearchProtect.I potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\settings.html    Win32/Conduit.SearchProtect.AQ potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\bubble\bubble.html    Win32/Conduit.SearchProtect.AW potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\libs\main.js    Win32/Conduit.SearchProtect.AV potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\protection\protection.html    Win32/Conduit.SearchProtect.AX potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\protection\protection.js    Win32/Conduit.SearchProtect.AS potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\settings\settings.html    Win32/Conduit.SearchProtect.AO potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\settings\settings.js    Win32/Conduit.SearchProtect.AV potentially unwanted application    
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\dialogs\uninstall\uninstall.html    Win32/Conduit.SearchProtect.AN potentially unwanted application    
C:\FRST\Quarantine\Websteroids12-02-2014_18-49-09\Uninstall.exe    a variant of Win32/Adware.PullUpdate.G application    
C:\FRST\Quarantine\Websteroids12-02-2014_18-49-09\IE\common.dll    a variant of Win32/ExFriendAlert.B potentially unwanted application    
C:\Users\Mams Speed Machine\Downloads\iepv\iepv.exe    a variant of Win32/PSWTool.IEPassView.NAE potentially unsafe application    
C:\Windows\Installer\MSI5BA8.tmp    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    
C:\Windows\Installer\MSI66F3.tmp    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    
C:\Windows\Installer\MSI7BAF.tmp    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    
C:\Windows\Installer\MSIF2C2.tmp    a variant of Win32/Bundled.Toolbar.Ask.O potentially unsafe application    
Autostart locations    virus    
 

 

Updated FRST Log:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
Ran by Mams Speed Machine (administrator) on MAMSSPEEDMAC-PC (05-03-2017 13:46:52)
Running from C:\Users\Mams Speed Machine\Desktop
Loaded Profiles: Mams Speed Machine (Available Profiles: Mams Speed Machine)
Platform: Windows Vista ™ Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ESET spol. s r.o.) C:\Users\Mams Speed Machine\Downloads\esetonlinescanner_enu.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP Remote Software] => C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2008-12-04] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Health Check Scheduler] => c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75016 2008-12-04] (Hewlett-Packard)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] => c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe [210216 2009-02-02] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe [1328424 2009-04-10] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe [185640 2009-04-10] (CyberLink)
HKLM-x32\...\Run: [DVDAgent] => c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [1148200 2009-03-19] (CyberLink Corp.)
HKLM-x32\...\Run: [WinPatrol] => "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-575212393-84608004-1612600079-1000\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1689144 2010-06-29] (Hewlett-Packard)
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2006-11-02] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk [2011-07-23]
ShortcutTarget: NETGEAR WG111v3 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk [2009-05-01]
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{004DD533-337D-4FA5-A83E-81CD6DCB1AB4}: [DhcpNameServer] 24.197.160.17 24.197.160.18
Tcpip\..\Interfaces\{6AF8589A-9D57-4A20-AA3D-C262D4AB88A8}: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{BF3B7F7A-3782-453D-A658-63A8AC5D09D9}: [DhcpNameServer] 97.81.22.195 24.177.176.38 24.178.162.3

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aol.com
HKU\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main,Old Start Page = hxxp://www.aol.com/
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-21] (Google Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-21] (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-24] (Oracle Corporation)
BHO-x32: ChromeFrame BHO -> {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} -> C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll [2014-02-01] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-21] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-21] (Google Inc.)
Toolbar: HKU\S-1-5-21-575212393-84608004-1612600079-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-21] (Google Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll [2014-02-01] (Google Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\pv9btp2c.default-1488248876040 [2017-03-05]
FF Homepage: Mozilla\Firefox\Profiles\pv9btp2c.default-1488248876040 -> hxxps://www.aol.com/
FF Extension: (Bitdefender QuickScan) - C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\pv9btp2c.default-1488248876040\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2017-03-05]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\pv9btp2c.default-1488248876040\features\{73dcb562-a80d-4a9e-bec7-9b6937b3e299}\disableSHA1rollout@mozilla.org.xpi [2017-03-03]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-22] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - C:\Program Files (x86)\Fiddler2\FiddlerHook
FF Extension: (FiddlerHook) - C:\Program Files (x86)\Fiddler2\FiddlerHook [2009-12-24] [not signed]
FF HKU\S-1-5-21-575212393-84608004-1612600079-1000\...\Firefox\Extensions: [moveplayer@movenetworks.com] - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks
FF Extension: (Move Media Player) - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks [2009-11-26] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-14] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-24] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll [2014-11-14] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-575212393-84608004-1612600079-1000: @movenetworks.com/Quantum Media Player -> C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll [2009-11-26] (Move Networks)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 HP Health Check Service; c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-12-04] (Hewlett-Packard) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-03-17] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.266\McCHSvc.exe [289256 2015-12-02] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S3 athrusb; C:\Windows\System32\DRIVERS\athrxusb.sys [1064448 2007-11-29] (Atheros Communications, Inc.)
S1 Beep; no ImagePath
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R2 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-05 13:46 - 2017-03-05 13:47 - 00015122 _____ C:\Users\Mams Speed Machine\Desktop\FRST.txt
2017-03-05 13:46 - 2017-03-05 13:46 - 00000000 ____D C:\Users\Mams Speed Machine\Desktop\FRST-OlderVersion
2017-03-05 13:41 - 2017-03-05 13:41 - 00010844 _____ C:\Users\Mams Speed Machine\Desktop\Eset.txt
2017-03-05 02:55 - 2017-03-05 13:42 - 00000000 ____D C:\Users\Mams Speed Machine\AppData\Roaming\QuickScan
2017-03-05 02:53 - 2017-03-05 02:53 - 06751360 _____ (ESET spol. s r.o.) C:\Users\Mams Speed Machine\Downloads\esetonlinescanner_enu.exe
2017-03-05 02:53 - 2017-03-05 02:53 - 00000000 ____D C:\Users\Mams Speed Machine\AppData\Local\ESET
2017-03-05 02:52 - 2017-03-05 02:52 - 00003447 _____ C:\Users\Mams Speed Machine\Desktop\JRT.txt
2017-03-05 02:49 - 2017-03-05 02:49 - 01663736 _____ (Malwarebytes) C:\Users\Mams Speed Machine\Desktop\JRT.exe
2017-02-27 21:24 - 2017-02-27 21:24 - 00003584 _____ C:\Users\Mams Speed Machine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-02-27 21:19 - 2017-03-05 13:46 - 02423808 _____ (Farbar) C:\Users\Mams Speed Machine\Desktop\FRST64.exe
2017-02-26 20:52 - 2017-02-26 20:53 - 00001157 _____ C:\DelFix.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-05 13:46 - 2014-02-12 18:20 - 00000000 ____D C:\FRST
2017-03-05 13:42 - 2016-11-16 19:14 - 00000000 ____D C:\Users\Mams Speed Machine\AppData\LocalLow\Mozilla
2017-03-05 13:38 - 2012-03-16 06:47 - 00003766 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E99DC1AA-56A1-4C6A-BDFB-9C99CD6B1991}
2017-03-05 13:05 - 2012-05-18 12:14 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-03-05 12:41 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-05 12:41 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-05 02:49 - 2014-02-13 17:01 - 00000000 ____D C:\Users\Mams Speed Machine\Desktop\Beckys Computer Info
2017-03-01 14:29 - 2014-03-26 17:19 - 00000000 ____D C:\Users\Mams Speed Machine\AppData\Roaming\HpUpdate
2017-02-27 21:31 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\inf
2017-02-27 21:31 - 2006-11-02 07:46 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-27 21:28 - 2009-05-01 01:24 - 00003600 _____ C:\Windows\System32\Tasks\HP Health Check
2017-02-27 21:24 - 2006-11-02 10:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-27 21:23 - 2006-11-02 10:42 - 00032572 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-26 20:56 - 2014-02-14 11:44 - 00000000 ____D C:\AdwCleaner
2017-02-26 20:39 - 2012-09-26 21:21 - 01369926 _____ C:\Windows\ntbtlog.txt
2017-02-26 20:05 - 2015-05-09 21:53 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-25 22:44 - 2016-11-16 18:49 - 00000000 ____D C:\Users\Mams Speed Machine\Desktop\AAG Info
2017-02-25 22:38 - 2015-10-07 20:14 - 00000000 ____D C:\Users\Mams Speed Machine\Documents\Mam's Election Stuff
2017-02-23 03:02 - 2013-08-15 02:03 - 00000000 ____D C:\Windows\system32\MRT
2017-02-23 03:00 - 2006-11-02 07:35 - 138020592 ____C (Microsoft Corporation) C:\Windows\system32\mrt.exe
2017-02-14 16:38 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\PolicyDefinitions
2017-02-14 16:00 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\system32\spool
2017-02-14 16:00 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\system32\Msdtc
2017-02-14 16:00 - 2006-11-02 07:33 - 78118912 _____ C:\Windows\system32\config\software_previous
2017-02-14 16:00 - 2006-11-02 07:33 - 22282240 _____ C:\Windows\system32\config\system_previous
2017-02-14 15:59 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\registration
2017-02-14 15:54 - 2006-11-02 07:33 - 81002496 _____ C:\Windows\system32\config\components_previous
2017-02-14 15:54 - 2006-11-02 07:33 - 00262144 _____ C:\Windows\system32\config\sam_previous
2017-02-14 15:05 - 2012-05-18 12:14 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-02-14 15:05 - 2012-05-18 12:14 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-02-14 15:05 - 2012-05-18 12:14 - 00000000 ____D C:\Windows\system32\Macromed
2017-02-14 15:05 - 2011-07-10 00:34 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-14 15:05 - 2009-05-01 00:52 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-02-14 13:49 - 2009-08-15 17:53 - 00000000 ____D C:\Users\Mams Speed Machine
2017-02-14 12:52 - 2006-11-02 07:33 - 01310720 _____ C:\Windows\system32\config\default_previous
2017-02-14 12:52 - 2006-11-02 07:33 - 00262144 _____ C:\Windows\system32\config\security_previous
2017-02-07 15:43 - 2016-11-16 18:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-07 15:43 - 2012-06-10 15:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2017-02-27 21:24 - 2017-02-27 21:24 - 0003584 _____ () C:\Users\Mams Speed Machine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-05 10:11

==================== End of FRST.txt ============================


FRST Addition text will be attached. :)


Also my smartphone came yesterday and will be set up tomorrow so I can check the forum on the go again! ;w; So happy. <3

Edited by Tsuki17, 05 March 2017 - 01:51 PM.


#11 shelf life
  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:10:50 AM

Posted 05 March 2017 - 04:42 PM

Glad you made out ok. You sound like that storm stuff has happened before.


Junkware removal tool removed some stuff: good


Looks like there's an old AdwCleaner quarantine folder ESET flagged along with the FRST quarantine folder. You may as well leave everything as is since everything ESET found is already in quarantine.

New logs look ok.

You want to try completely uninstalling Firefox, then reinstalling it. You could export the bookmarks first:


https://support.mozilla.org/t5/Basic-Browsing/Export-Firefox-bookmarks-to-an-HTML-file-to-back-up-or-transfer/ta-p/2145


Remove Firefox: Also remove user data and settings:

https://support.mozilla.org/t5/Install-and-Update/Uninstall-Firefox-from-your-computer/ta-p/1364


Reboot the machine, then reinstall Firefox:

https://www.mozilla.org/en-US/firefox/new/


How Can I Reduce My Risk to Malware?
