
Need Help With Malware Issues

#1 ·
All,

I followed the instructions and ran DDS since I've been having some spyware issues. The results are below; please let me know if you have any questions. Thanks for your help!

FYI, I also do not have access to a boot CD.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18015 BrowserJavaVersion: 10.5.1
Run by Home at 11:42:15 on 2015-09-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.883 [GMT -4:00]
.
AV: Ad-Aware Antivirus *Disabled/Outdated* {B0CC18C6-E527-6EE6-874C-9D19920E5619}
SP: Ad-Aware Antivirus *Disabled/Outdated* {0BADF922-C31D-6168-BDFC-A66BE9891CA4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: Ad-Aware Firewall *Disabled* {88F799E3-AF48-6FBE-AC13-342C6CDD1162}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BBSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\system32\GWX\GWX.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\daugava\Ejemidvlf64.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareTray.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Download Manager\DownloadManager.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareService.exe
C:\Users\Home\AppData\Roaming\Spotify\SpotifyWebHelper.exe
C:\Users\Home\AppData\Roaming\Spotify\Spotify.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Users\Home\AppData\Roaming\GVU Technologies\Free YouTube Downloader Converter\CertifiedBrowserService.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Users\Home\AppData\Roaming\Spotify\Spotify.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\Home\AppData\Roaming\Spotify\Spotify.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\consent.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\GWX\GWXConfigManager.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Download Manager: {E5C66DD8-308B-4a4f-AF0A-3D04F25B5343} -
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll
uRun: [DownloadManager] "C:\Program Files (x86)\Download Manager\DownloadManager.exe" /as
uRun: [Spotify Web Helper] "C:\Users\Home\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
uRun: [Google Update] "C:\Users\Home\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SpybotPostWindows10UpgradeReInstall] "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
uRun: [Spotify] "C:\Users\Home\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
uRun: [GoogleChromeAutoLaunch_F8F9C1389199C5D42EF0F1FE1D081D59] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"Troubleshoot problems installing Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2 - Windows Help" /build:7601
StartupFolder: C:\Users\Home\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\Home\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
TCP: NameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{3DE02E36-3C2C-40C4-8E90-A7B28B29CF40} : DHCPNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{66962012-7C72-4938-B010-F294F7B57AE4} : DHCPNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{8AD655ED-AC8E-4780-955D-3428D5A509C1} : DHCPNameServer = 64.233.217.2 64.233.217.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} -
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Run: [daugava64] C:\Program Files\daugava\Ejemidvlf64.exe
x64-Run: [AdAwareTray] "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareTray.exe"
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={B7AD0FC7-DF2A-11E2-B7D0-6431503402C2}&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: C:\Users\Home\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll
FF - plugin: C:\Users\Home\AppData\Roaming\GVU Technologies\Free YouTube Downloader Converter\npCertifiedBrowser.dll
FF - plugin: C:\Users\Home\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Home\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 583dcb0f0000000000006431503402c2
FF - user.js: extensions.BabylonToolbar_i.hardId - 583dcb0f0000000000006431503402c2
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15399
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:40:43
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2010-11-22 75904]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2010-11-22 38016]
R1 cherimoya;cherimoya;C:\Windows\System32\drivers\cherimoya.sys [2015-7-22 61336]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-11-22 203264]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BBSvc.EXE [2014-3-11 193696]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-8-20 92216]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareService.exe [2015-8-27 712432]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2010-11-22 1119768]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2015-9-4 1738168]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2015-9-4 2088408]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2015-9-4 171928]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R2 Updater By SweetPacks;Updater By SweetPacks;C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [2013-6-27 188760]
R2 YouTubeDownloaderConverter;YouTubeDownloaderConverter;C:\Users\Home\AppData\Roaming\GVU Technologies\Free YouTube Downloader Converter\CertifiedBrowserService.exe [2013-6-5 104448]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\Windows\System32\drivers\bcmwlhigh664.sys [2011-4-19 1254464]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2009-10-7 30232]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2010-11-22 1002848]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-11-22 349800]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-11-22 38456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-4-11 124088]
S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.EXE [2014-3-11 247968]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-9-9 114688]
S3 LVUVC64;Logitech Webcam 120(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-8-10 6379288]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-2-6 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-6 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile="C:\Windows\System32\NOTEPAD.EXE" %1
FileExt: .ini: inifile="C:\Windows\System32\NOTEPAD.EXE" %1
FileExt: .inf: inffile="C:\Windows\System32\NOTEPAD.EXE" %1
.
=============== Created Last 30 ================
.
2015-09-22 11:19:37 18819272 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2015-09-19 20:45:40 -------- d-----w- C:\Windows\System32\uopi
2015-09-19 20:45:31 -------- d-----w- C:\Windows\TEMPfolder
2015-09-09 16:45:26 41984 ----a-w- C:\Windows\System32\UtcResources.dll
2015-09-09 16:44:54 1941504 ----a-w- C:\Windows\System32\authui.dll
2015-09-09 16:43:59 98304 ----a-w- C:\Windows\System32\wudriver.dll
2015-09-05 08:51:45 -------- d-----w- C:\Users\Home\AppData\Local\CEF
2015-09-05 04:22:44 -------- d-----w- C:\Users\Home\AppData\Roaming\LavasoftStatistics
2015-09-05 04:21:22 -------- d-----w- C:\Program Files\Lavasoft
2015-09-05 04:20:28 -------- d-----w- C:\Program Files\Common Files\Lavasoft
2015-09-05 03:11:35 -------- d-----w- C:\Program Files\Common Files\AV
2015-09-05 03:02:42 21040 ----a-w- C:\Windows\System32\sdnclean64.exe
2015-09-05 03:02:37 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
.
==================== Find3M ====================
.
2015-09-22 11:19:40 780488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2015-09-22 11:19:40 142536 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-09-02 03:04:49 41984 ----a-w- C:\Windows\System32\lpk.dll
2015-09-02 03:04:46 100864 ----a-w- C:\Windows\System32\fontsub.dll
2015-09-02 03:04:44 14336 ----a-w- C:\Windows\System32\dciman32.dll
2015-09-02 03:04:42 46080 ----a-w- C:\Windows\System32\atmlib.dll
2015-09-02 02:48:31 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2015-09-02 02:48:28 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
2015-09-02 02:48:25 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2015-09-02 02:47:18 25600 ----a-w- C:\Windows\SysWow64\lpk.dll
2015-09-02 01:51:28 3209216 ----a-w- C:\Windows\System32\win32k.sys
2015-09-02 01:47:08 372736 ----a-w- C:\Windows\System32\atmfd.dll
2015-09-02 01:33:48 299520 ----a-w- C:\Windows\SysWow64\atmfd.dll
2015-08-27 18:18:27 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2015-08-27 18:18:27 1887232 ----a-w- C:\Windows\System32\msxml3.dll
2015-08-27 18:13:03 2048 ----a-w- C:\Windows\System32\msxml6r.dll
2015-08-27 18:13:03 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2015-08-27 17:58:14 1391104 ----a-w- C:\Windows\SysWow64\msxml6.dll
2015-08-27 17:58:14 1241088 ----a-w- C:\Windows\SysWow64\msxml3.dll
2015-08-27 17:51:26 2048 ----a-w- C:\Windows\SysWow64\msxml6r.dll
2015-08-27 17:51:26 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2015-08-26 18:07:11 3165696 ----a-w- C:\Windows\System32\wucltux.dll
2015-08-26 18:07:11 192000 ----a-w- C:\Windows\System32\wuwebv.dll
2015-08-26 18:06:43 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2015-08-26 18:06:33 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2015-08-26 18:06:30 37376 ----a-w- C:\Windows\System32\wuapp.exe
2015-08-26 17:56:25 93184 ----a-w- C:\Windows\SysWow64\wudriver.dll
2015-08-26 17:56:25 173056 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2015-08-26 17:55:37 34816 ----a-w- C:\Windows\SysWow64\wuapp.exe
2015-08-15 06:34:10 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2015-08-15 06:33:56 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2015-08-15 06:18:47 66560 ----a-w- C:\Windows\System32\iesetup.dll
2015-08-15 06:18:00 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2015-08-15 06:17:54 417792 ----a-w- C:\Windows\System32\html.iec
2015-08-15 06:17:49 585216 ----a-w- C:\Windows\System32\vbscript.dll
2015-08-15 06:17:25 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2015-08-15 06:04:47 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2015-08-15 06:04:46 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2015-08-15 06:04:25 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2015-08-15 06:00:44 5923328 ----a-w- C:\Windows\System32\jscript9.dll
2015-08-15 05:57:20 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2015-08-15 05:53:22 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2015-08-15 05:46:15 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-08-15 05:40:29 504832 ----a-w- C:\Windows\SysWow64\vbscript.dll
2015-08-15 05:40:12 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2015-08-15 05:39:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2015-08-15 05:39:22 341504 ----a-w- C:\Windows\SysWow64\html.iec
2015-08-15 05:38:34 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2015-08-15 05:29:36 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2015-08-15 05:29:12 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2015-08-15 05:22:47 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2015-08-15 05:22:03 2126336 ----a-w- C:\Windows\System32\inetcpl.cpl
2015-08-15 05:16:37 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-08-15 05:10:32 4520448 ----a-w- C:\Windows\SysWow64\jscript9.dll
2015-08-15 05:07:28 2427392 ----a-w- C:\Windows\System32\wininet.dll
2015-08-15 05:01:47 2052608 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2015-08-15 05:01:23 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2015-08-15 04:43:00 1951232 ----a-w- C:\Windows\SysWow64\wininet.dll
2015-08-05 17:56:14 1110016 ----a-w- C:\Windows\System32\schedsvc.dll
2015-08-05 17:56:07 24576 ----a-w- C:\Windows\System32\jnwmon.dll
2015-08-05 17:56:06 275456 ----a-w- C:\Windows\System32\InkEd.dll
2015-08-05 17:40:50 216064 ----a-w- C:\Windows\SysWow64\InkEd.dll
2015-08-04 18:03:10 692672 ----a-w- C:\Windows\System32\winload.efi
2015-08-04 18:00:24 616360 ----a-w- C:\Windows\System32\winresume.efi
2015-08-04 17:56:54 63488 ----a-w- C:\Windows\System32\setbcdlocale.dll
2015-08-04 17:56:37 59392 ----a-w- C:\Windows\System32\appidapi.dll
2015-08-04 17:56:37 32768 ----a-w- C:\Windows\System32\appidsvc.dll
2015-08-04 17:55:57 17920 ----a-w- C:\Windows\System32\appidcertstorecheck.exe
2015-08-04 17:55:57 147456 ----a-w- C:\Windows\System32\appidpolicyconverter.exe
2015-08-04 17:47:42 50688 ----a-w- C:\Windows\SysWow64\appidapi.dll
2015-08-04 16:58:09 61440 ----a-w- C:\Windows\System32\drivers\appid.sys
2015-07-30 18:06:57 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2015-07-30 18:06:57 1648128 ----a-w- C:\Windows\System32\DWrite.dll
2015-07-30 18:06:57 1180160 ----a-w- C:\Windows\System32\FntCache.dll
2015-07-30 17:57:30 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2015-07-30 17:57:30 1251328 ----a-w- C:\Windows\SysWow64\DWrite.dll
2015-07-30 13:13:38 103120 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-07-30 13:13:11 124624 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2015-07-28 20:09:44 17344 ----a-w- C:\Windows\System32\CompatTelRunner.exe
2015-07-28 20:05:53 774656 ----a-w- C:\Windows\System32\invagent.dll
2015-07-28 20:05:50 743424 ----a-w- C:\Windows\System32\generaltel.dll
2015-07-28 20:05:47 437760 ----a-w- C:\Windows\System32\devinv.dll
2015-07-28 20:05:45 1116672 ----a-w- C:\Windows\System32\appraiser.dll
2015-07-28 20:05:44 69120 ----a-w- C:\Windows\System32\acmigration.dll
2015-07-28 20:05:44 227328 ----a-w- C:\Windows\System32\aepdu.dll
2015-07-28 19:55:14 1148416 ----a-w- C:\Windows\System32\aeinv.dll
2015-07-23 00:06:26 5568960 ----a-w- C:\Windows\System32\ntoskrnl.exe
2015-07-23 00:06:25 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2015-07-23 00:06:25 155584 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2015-07-23 00:03:19 1730496 ----a-w- C:\Windows\System32\ntdll.dll
2015-07-23 00:03:07 362496 ----a-w- C:\Windows\System32\wow64win.dll
2015-07-23 00:03:07 243712 ----a-w- C:\Windows\System32\wow64.dll
2015-07-23 00:03:07 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2015-07-23 00:03:06 215040 ----a-w- C:\Windows\System32\winsrv.dll
2015-07-23 00:01:53 31232 ----a-w- C:\Windows\System32\lsass.exe
2015-07-23 00:01:39 338432 ----a-w- C:\Windows\System32\conhost.exe
2015-07-23 00:01:32 64000 ----a-w- C:\Windows\System32\auditpol.exe
2015-07-22 23:58:17 60416 ----a-w- C:\Windows\System32\msobjs.dll
2015-07-22 23:57:53 146432 ----a-w- C:\Windows\System32\msaudite.dll
2015-07-22 23:51:59 686080 ----a-w- C:\Windows\System32\adtschema.dll
.
============= FINISH: 11:44:04.38 ===============
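The DDS log above lists running processes, autostart entries, services and Firefox prefs in a fixed text format, so the first triage pass can be scripted. The Python below is an added example, not part of the original post and not code from the DDS tool: it runs a few heuristics over a constructed excerpt of this log (binary under a user-writable path, kernel driver created shortly before the scan, a Firefox search or start pref redirected off-site or pre-seeded by user.js, and a small watchlist of family names taken from what AdwCleaner later removed) and cross-references each hit with the sections it appears in, so a binary that is both running and registered to autostart stands out. The 90-day window, the watchlist and the section labels are assumptions of the example. Note what it does not catch: C:\Program Files\daugava\Ejemidvlf64.exe trips none of these rules, and Spotify under AppData\Roaming trips one while being legitimate, which is why the full listing still needs a human read.

```python
import re
from datetime import date

# Constructed excerpt of the DDS log posted above; "hxxp" is DDS's defanging of "http".
SAMPLE_DDS = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\daugava\Ejemidvlf64.exe
C:\Users\Home\AppData\Roaming\GVU Technologies\Free YouTube Downloader Converter\CertifiedBrowserService.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
uRun: [DownloadManager] "C:\Program Files (x86)\Download Manager\DownloadManager.exe" /as
uRun: [Spotify] "C:\Users\Home\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
x64-Run: [daugava64] C:\Program Files\daugava\Ejemidvlf64.exe
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com/?src=2&st=12&q=
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
R1 cherimoya;cherimoya;C:\Windows\System32\drivers\cherimoya.sys [2015-7-22 61336]
R2 Updater By SweetPacks;Updater By SweetPacks;C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [2013-6-27 188760]
R2 YouTubeDownloaderConverter;YouTubeDownloaderConverter;C:\Users\Home\AppData\Roaming\GVU Technologies\Free YouTube Downloader Converter\CertifiedBrowserService.exe [2013-6-5 104448]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-11-22 349800]
"""

LOG_DATE = date(2015, 9, 26)      # "Run by Home at 11:42:15 on 2015-09-26"
RECENT_DAYS = 90                  # assumption: a driver this new on a 2010 build is worth a look
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\')
ADWARE_WATCHLIST = ('sweetpacks', 'babylon', 'download manager')  # assumption: names AdwCleaner later removed
HIJACK_PREFS = ('keyword.URL', 'browser.search.defaulturl', 'browser.startup.homepage')

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\];]*?\.(?:exe|dll|sys))\b', re.I)
SVC_RE = re.compile(r'^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[(\d{4})-(\d{1,2})-(\d{1,2}) \d+\]$')
RUN_RE = re.compile(r'^(?:x64-)?[umd]?Run(?:Once)?: \[')
FF_RE = re.compile(r'^FF - (prefs|user)\.js: (\S+) - (.*)$')


def observe(line, log_date=LOG_DATE):
    """Classify one DDS line as (key, section, reasons), or None if it names no binary or pref.
    key is a lower-cased path or a pref name; reasons is empty when nothing looked off."""
    line = line.strip()
    m = FF_RE.match(line)
    if m:
        kind, key, value = m.groups()
        reasons = []
        if kind == 'user':
            # user.js is re-applied on every browser start, so it silently undoes the user's fixes
            reasons.append('user.js override: ' + key)
        elif key in HIJACK_PREFS and 'hxxp' in value:
            reasons.append('search/start pref redirected off-site: ' + key)
        return key, 'firefox', reasons
    pm = PATH_RE.search(line)
    if not pm:
        return None
    low = pm.group(1).lower()
    reasons = []
    if any(tok in low for tok in USER_WRITABLE):
        reasons.append('binary in a user-writable location')
    if any(tok in low for tok in ADWARE_WATCHLIST):
        reasons.append('path matches a known adware/PUP family name')
    sm = SVC_RE.match(line)
    if sm:
        section = 'service'
        y, mo, d = (int(x) for x in sm.groups()[4:7])
        age = (log_date - date(y, mo, d)).days
        if low.endswith('.sys') and age <= RECENT_DAYS:
            reasons.append(f'kernel driver created {age} days before the scan')
    elif RUN_RE.match(line):
        section = 'autostart'
    elif line.startswith('FF -'):
        section = 'firefox'
    else:
        section = 'process'
    return low, section, reasons


def triage(text, log_date=LOG_DATE):
    """Merge observations per binary/pref and keep those with at least one reason.
    A binary seen as both 'process' and 'autostart'/'service' is live persistence."""
    seen = {}
    for raw in text.splitlines():
        hit = observe(raw, log_date) if raw.strip() else None
        if hit is None:
            continue
        key, section, reasons = hit
        entry = seen.setdefault(key, {'sections': set(), 'reasons': set()})
        entry['sections'].add(section)
        entry['reasons'].update(reasons)
    return {k: v for k, v in seen.items() if v['reasons']}


def report(findings):
    """Human-readable lines, items referenced from the most sections first."""
    lines = []
    for key, info in sorted(findings.items(), key=lambda kv: (-len(kv[1]['sections']), kv[0])):
        lines.append(f"{key}  [{', '.join(sorted(info['sections']))}]")
        for r in sorted(info['reasons']):
            lines.append('    - ' + r)
    return lines


if __name__ == '__main__':
    print('\n'.join(report(triage(SAMPLE_DDS))))
```

Run against the excerpt it reports seven items; the GVU Technologies service comes first because it is both running and registered as a service, and the cherimoya driver is flagged purely on age (66 days before the scan), which is the kind of weak signal that is only meaningful alongside the rest of the log.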
#2 ·
Hello percival203,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

:arrowr: If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
:arrowr: First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
:arrowr: Please download all requested tools to your Desktop and run them from there.
:arrowr: Perform everything in the correct order. Sometimes one step requires the previous one.
:arrowr: If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
:arrowr: Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
:arrowr: Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
:arrowr: If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
:arrowr: Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
:arrowr: My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Can you give me information about the problems in the computer?

Please do the following steps.

STEP 1

:arrowr: Please download AdwCleaner on to your desktop.
:arrowr: Close all open programs and internet browsers.
:arrowr: Right-click on AdwCleaner.exe and select Run as administrator to run the tool.
:arrowr: Click on Scan.
:arrowr: After the scan is complete, click on "Cleaning".
:arrowr: Confirm each time with Ok.
:arrowr: Your computer will be rebooted automatically. A text file will open after the restart.
:arrowr: Please post the content of that logfile with your next answer.
:arrowr: If need be, you can also find the logfile at C:\AdwCleaner\AdwCleaner[S0].txt.

====================================================

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

:arrowr: Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
:arrowr: Make sure the Addition.txt button is ticked.
:arrowr: Press the Scan button.
:arrowr: It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
:arrowr: The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 
#3 ·
See below for the AdwCleaner log text:
-----------------------------------------------------------------------------------------

# AdwCleaner v5.009 - Logfile created 30/09/2015 at 23:10:39
# Updated 27/09/2015 by Xplode
# Database : 2015-09-30.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Home - HOME-HP
# Running from : C:\Users\Home\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****

[-] Service Deleted : cherimoya
[-] Service Deleted : Updater By SweetPacks

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\Updater By SweetPacks
[-] Folder Deleted : C:\Program Files\daugava
[-] Folder Deleted : C:\Program Files (x86)\download Manager
[-] Folder Deleted : C:\Users\Home\AppData\Local\DownloadManager
[-] Folder Deleted : C:\Users\Home\AppData\LocalLow\BabylonToolbar
[-] Folder Deleted : C:\Users\Home\AppData\LocalLow\SweetIM
[-] Folder Deleted : C:\Users\Home\AppData\LocalLow\DownloadManager
[-] Folder Deleted : C:\Users\Home\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ortmp

***** [ Files ] *****

[-] File Deleted : C:\user.js
[-] File Deleted : C:\ProgramData\uninstaller.exe
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.azlyrics.com_0.localstorage
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.azlyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage-journal
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_ad-aware.en.softonic.com_0.localstorage
[-] File Deleted : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_ad-aware.en.softonic.com_0.localstorage-journal
[-] File Deleted : C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\user.js
[-] File Deleted : C:\Windows\Sysnative\drivers\cherimoya.sys

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : Cawlez
[-] Task Deleted : Adobe Flash Player Updater

***** [ Registry ] *****

[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [DownloadManager]
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\b
[-] Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
[-] Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
[-] Value Deleted : [x64] HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E5C66DD8-308B-4A4F-AF0A-3D04F25B5343}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5C66DD8-308B-4A4F-AF0A-3D04F25B5343}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5C66DD8-308B-4A4F-AF0A-3D04F25B5343}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E5C66DD8-308B-4A4F-AF0A-3D04F25B5343}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{EEE6C35B-6118-11DC-9C72-001320C79847}]
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{EEE6C35C-6118-11DC-9C72-001320C79847}]
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{250BECD2-5C43-48CF-A3C6-666338526D67}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
[-] Key Deleted : HKCU\Software\IM
[-] Key Deleted : HKCU\Software\WNLT
[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
[-] Key Deleted : HKLM\SOFTWARE\Updater By Sweetpacks
[!] Key Not Deleted : [x64] HKCU\Software\IM
[!] Key Not Deleted : [x64] HKCU\Software\WNLT
[-] Key Deleted : [x64] HKLM\SOFTWARE\Updater By Sweetpacks
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f179b4aa-3249-4e0e-a45a-8519d6bcd424}_is1
[!] Key Not Deleted : HKU\S-1-5-21-1711144829-5549640-2036380566-1001\Software\AppDataLow\Software\adawarebp
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\A97CEC23332751B47BA4B95BAA50C9D0
[!] Key Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
[!] Key Not Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
[!] Key Not Deleted : HKU\S-1-5-21-1711144829-5549640-2036380566-1001\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}

***** [ Web browsers ] *****

[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110014");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "583dcb0f0000000000006431503402c2");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.id", "583dcb0f0000000000006431503402c2");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15399");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?AF=110014&babsrc=NT_ss&mntrId=583dcb0f0000000000006431503402c2");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1718:40:43");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.DivXWebPlayer@divx.com.install-event-fired", true);
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:40.0.3");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("searchreset.backup.browser.search.defaultenginename", "Search the web (Babylon)");
[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("searchreset.backup.keyword.URL", "hxxp://search.babylon.com/?AF=110014&babsrc=adbartrp&mntrId=583dcb0f0000000000006431503402c2&q=");

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [12118 bytes] ##########
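The AdwCleaner log above mixes items that were removed (`[-]`) with several `[!] Key Not Deleted` entries that still need a manual check. As an added example, not part of the thread and not AdwCleaner's own code, the following Python script parses that log format, counts removals per section and lists what the tool reported it could not remove, folding the explicit `HKU\<SID>` form onto `HKCU` because both name the same per-user key. The embedded sample log is constructed to mirror the format shown above; the section and entry patterns are assumptions derived from the lines in this thread, not a documented AdwCleaner grammar.

```python
"""Triage an AdwCleaner cleaning log: summarise removals per section and list
every item the tool could not remove so it can be verified by hand."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the AdwCleaner[C1].txt lines in the thread (not a real log).
SAMPLE_LOG = r"""
***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\Updater By SweetPacks
[-] Folder Deleted : C:\Users\Home\AppData\LocalLow\BabylonToolbar

***** [ Files ] *****

[-] File Deleted : C:\user.js
[-] File Deleted : C:\Windows\Sysnative\drivers\cherimoya.sys

***** [ Registry ] *****

[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [DownloadManager]
[-] Key Deleted : HKCU\Software\IM
[!] Key Not Deleted : [x64] HKCU\Software\IM
[!] Key Not Deleted : HKU\S-1-5-21-1711144829-5549640-2036380566-1001\Software\AppDataLow\Software\adawarebp

***** [ Web browsers ] *****

[-] [C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\riag9emv.default\prefs.js] [Preference] Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
"""

# Assumed patterns: "***** [ Name ] *****" opens a section; "[-]" marks an action
# that succeeded and "[!]" one that failed; the part before " : " is the action.
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
ENTRY_RE = re.compile(r"^\[(?P<flag>[-!])\] (?P<action>.+?) : (?P<target>.+)$")
# HKCU is a per-user alias of HKU\<SID>; the same key can be reported under both names.
SID_HIVE_RE = re.compile(r"^HKU\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.IGNORECASE)
X64_TAG = "[x64] "


def parse_log(text):
    """Return one dict per log entry: section, ok, action, target, x64 (view tag)."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # banners, blank lines, EOF marker
        target = m.group("target")
        x64 = target.startswith(X64_TAG)
        if x64:
            target = target[len(X64_TAG):]
        entries.append({
            "section": section,
            "ok": m.group("flag") == "-",
            "action": m.group("action"),
            "target": target,
            "x64": x64,
        })
    return entries


def summarize(entries):
    """Map each section to {'removed': n, 'failed': n} counts."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["section"]]["removed" if e["ok"] else "failed"] += 1
    return {section: dict(c) for section, c in counts.items()}


def canonical_registry_path(path):
    """Fold HKU\\<SID>\\... onto HKCU\\... and case-fold, so duplicates compare equal."""
    return SID_HIVE_RE.sub(r"HKCU\\", path).casefold()


def residual_items(entries):
    """Entries the tool could not remove, deduplicated by canonical path and view."""
    seen, out = set(), []
    for e in entries:
        if e["ok"]:
            continue
        key = (e["section"], canonical_registry_path(e["target"]), e["x64"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for section, counts in summarize(parsed).items():
        print(f"{section}: {counts}")
    print("Needs manual follow-up:")
    for e in residual_items(parsed):
        view = "x64 view" if e["x64"] else "default view"
        print(f"  {e['action']} ({view}): {e['target']}")
```

Run it against a real `AdwCleaner[C1].txt` by reading the file into `parse_log`; the "Needs manual follow-up" list is the set of keys to re-check after the reboot, and the canonical-path folding keeps the `HKU\S-1-5-21-...` and `HKCU` copies of one key from being counted twice.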
 
#5 ·
Hello percival203,

Thanks for the logs. Please do the below instructions.

:arrowr: Open Notepad (Start > All Programs > Accessories > Notepad).
:arrowr: Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
:arrowr: Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
HKLM\...\Run: [daugava64] => C:\Program Files\daugava\Ejemidvlf64.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Keyword.URL: hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={B7AD0FC7-DF2A-11E2-B7D0-6431503402C2}&q=
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-08-28] <==== ATTENTION
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [452040 2015-01-22] (BitDefender S.R.L.)
EmptyTemp:
:arrowr: Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
:arrowr: Click the Fix button just once, and wait.
:arrowr: If you receive a message that a reboot is required, please make sure you allow it to restart normally.
:arrowr: The tool will complete its run after the restart.
:arrowr: When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
#7 · (Edited)
Hello percival203,

Thanks for the log. Please do the following steps. At the conclusion of these steps, please let me know how the machine is running. We will have more to do, but this will give me an idea of how things are progressing. :smile:

STEP 1

Please download Malwarebytes Anti-Malware and save it to your desktop.

:arrowr: Double-click mbam-setup-2.1.8.1057.exe and follow the prompts to install the program.
:arrowr: At the end, be sure a checkmark is placed next to the following:

  • Launch Malwarebytes Anti-Malware
  • A 14-day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
:arrowr: Click Finish.
:arrowr: At the end of the installation, a database update will be performed.
:arrowr: Click on Scan Now.
:arrowr: A Threat Scan will begin.
:arrowr: When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
:arrowr: In most cases, a restart will be required and a prompt will be shown.
:arrowr: Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

:arrowr: After the restart, once you are back at your desktop, open MBAM once more.
:arrowr: Click on the History tab > Application Logs.
:arrowr: Double-click on the scan log which shows the date and time of the scan just performed.
:arrowr: Click Export.
:arrowr: Click Text file (*.txt).
:arrowr: In the Save File dialog box which appears, click on Desktop.
:arrowr: In the File name: box type a name for your scan log.
:arrowr: A message box named File Saved should appear stating "Your file has been successfully exported".
:arrowr: Click OK.
:arrowr: Attach that saved log to your next reply.

========================================================

STEP 2

Please go to Start > Control Panel > Programs and Features and remove the above Java program(s) installed.
Next, download the latest Java, version 8 Update 60, from the following link:

Download Free Java Software

==========================================================

STEP 3

:arrowr: Please go HERE, then click on Run Eset Online Scanner.
:arrowr: Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on the icon to install it.

All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

:arrowr: Select the option YES, I accept the Terms of Use, then click on the Start button.
:arrowr: When prompted, allow the Add-On/ActiveX control to install.
:arrowr: Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
:arrowr: Now click on Advanced Settings and select the following:

  • Scan for potentially unwanted applications
  • Scan Archives
  • Enable Anti-Stealth Technology
:arrowr: Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
:arrowr: Tick all the boxes that correspond to your external/inserted drives.
:arrowr: Click Start. The virus signature database will begin to download. This may take some time.
:arrowr: Wait for the scan to finish.
:arrowr: When completed, click on Finish.
:arrowr: When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
:arrowr: Save that text file to your desktop, and then copy/paste the contents in your next reply.
 