Adware all over my browsers, including Steam.

This is a discussion on "Adware all over my browsers, including Steam." within the Resolved HJT Threads forum, part of the Tech Support Forum category.


 
 
Old 03-25-2016, 03:56 PM   #1
Registered Member
 
Join Date: Mar 2015
Posts: 24
OS: windows 7



Hi there,

A few weeks back I seemed to acquire some weird adware programs which caused desktop and Google Chrome popups. The programs were called things like "easyshopper" or "search pro" or something similar. One seemed to install a collection of others.

I thought I rooted out the issues with a powerful uninstall from IObit Uninstaller, but recently I've had some issues with my browser (and more noticeably Steam [the games platform], which creates endless ads and popups when I load its store page). The adware also likes changing my Google Chrome homepage/search engines etc.

I've already tried many adware removers, including Malwarebytes and HitmanPro. My current anti-virus is Avast Home Edition. I am running Win7 Home Edition too.

I've done the initial steps, I do have access to my Windows CD + key, and I've run the DDS scripts. See below.

Thanks in advance.
-Toby

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18231 BrowserJavaVersion: 11.73.2
Run by Toby at 22:47:49 on 2016-03-25
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8141.5179 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
C:\Program Files (x86)\Skype\Updater\Updater.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\puush\puush.exe
C:\Users\Toby\AppData\Local\Discord\app-0.0.286\Discord.exe
C:\Program Files\CCleaner\CCleaner64.exe
C:\Program Files (x86)\Origin\Origin.exe
C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology enterprise\IAStorIcon.exe
C:\Users\Toby\AppData\Local\Discord\app-0.0.286\Discord.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDPop3.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech Gaming Software\Applets\LCDRSS.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe
C:\Users\Toby\AppData\Local\Discord\app-0.0.286\Discord.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe
C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe
C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\GWX\GWX.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Skype for Business Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [puush] C:\Program Files (x86)\puush\puush.exe
uRun: [Discord] C:\Users\Toby\AppData\Local\Discord\app-0.0.286\Discord.exe
uRun: [GalaxyClient] C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe /launchViaAutoStart
uRun: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
uRun: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology enterprise\IAStorIcon.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
TCP: NameServer = 8.8.8.8,8.8.8.4
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{8B117D54-1A13-48CF-ABB0-B044415C4C74} : DHCPNameServer = 192.168.0.1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.87\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: ExplorerWnd Helper: {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll
x64-BHO: Skype for Business Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Toby\AppData\Roaming\Mozilla\Firefox\Profiles\5nbq0otx.default\
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2015-12-30 74544]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2015-12-30 287016]
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2015-12-30 567216]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2015-12-30 24496]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2015-12-30 21616]
R1 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2016-2-18 37144]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2015-12-30 1070904]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2015-12-30 463744]
R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2015-12-30 37656]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswmonflt.sys [2015-12-30 107792]
R2 aswStm;aswStm;C:\Windows\System32\drivers\aswStm.sys [2015-12-30 165344]
R2 avast! Antivirus;Avast Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2016-2-18 237096]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2016-1-9 2828016]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 GfExperienceService;NVIDIA GeForce Experience Service;C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [2015-12-30 1156216]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2015-12-30 171688]
R2 LGCoreTemp;Logitech CPU Core Tempurature;C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\LgCoreTemp.sys [2015-6-21 14184]
R2 LogiRegistryService;Logitech Gaming Registry Service;C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe [2016-2-17 193656]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2015-12-30 1872504]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2015-12-30 6477432]
R2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-7-9 327296]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2016-2-16 426040]
R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\System32\drivers\FLxHCIc.sys [2011-11-4 221440]
R3 LGBusEnum;Logitech Gaming Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2015-6-11 37408]
R3 LGJoyXlCore;Logitech Translation Layer Driver (LGS);C:\Windows\System32\drivers\LGJoyXlCore.sys [2015-6-11 68384]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2015-6-11 26912]
R3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2015-12-30 19576]
R3 NvStreamNetworkSvc;NVIDIA Streamer Network Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [2015-12-30 8185464]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2015-12-30 50472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2015-11-5 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2015-11-5 125112]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe [2015-12-30 7168]
S2 LiveUpdateSvc;LiveUpdate;C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2016-2-16 2945312]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\System32\drivers\FLxHCIh.sys [2012-11-8 77040]
S3 GalaxyClientService;GalaxyClientService;C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [2016-2-12 227896]
S3 GalaxyCommunication;GalaxyCommunication;C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [2016-2-12 5971000]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2016-3-9 114688]
S3 Origin Client Service;Origin Client Service;C:\Program Files (x86)\Origin\OriginClientService.exe [2016-3-8 2104840]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2016-2-21 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2016-2-21 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2016-2-21 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-12-30 1255736]
.
=============== File Associations ===============
.
ShellExec: SZBrowser.exe: open="C:\Program Files\AVAST Software\SZBrowser\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2016-03-25 22:42:39 3599032 ----a-w- C:\ProgramData\cis2D66.exe
2016-03-25 22:41:04 3599032 ----a-w- C:\ProgramData\cisB940.exe
2016-03-25 22:25:32 -------- d-----w- C:\ProgramData\HitmanPro
2016-03-25 22:13:00 -------- d-----w- C:\ProgramData\Malwarebytes
2016-03-25 11:09:47 -------- d-----w- C:\Users\Toby\AppData\Local\Steam
2016-03-25 11:03:33 -------- d-----w- C:\Program Files (x86)\Steam
2016-03-25 10:51:11 11249080 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D1CE5D6B-A8AA-43AE-9B69-30D201F28374}\mpengine.dll
2016-03-15 14:43:45 -------- d-----w- C:\Users\Toby\AppData\Local\Logitech
2016-03-15 14:43:15 -------- d-----w- C:\Program Files\Logitech Gaming Software
2016-03-15 14:42:40 -------- d-----w- C:\Users\Toby\AppData\Roaming\Logishrd
2016-03-15 11:38:51 -------- d-----w- C:\ProgramData\4365978
2016-03-10 10:52:17 -------- d-----w- C:\Users\Toby\AppData\Local\DAI
2016-03-08 18:24:49 -------- d-----w- C:\Users\Toby\AppData\Local\DAIToolsSuite_Loader
2016-03-08 18:22:38 -------- d--h--w- C:\Program Files (x86)\Common Files\EAInstaller
2016-03-08 16:39:46 -------- d-----w- C:\Program Files (x86)\Origin Games
2016-03-08 16:37:19 -------- d-----w- C:\Users\Toby\AppData\Roaming\Origin
2016-03-08 16:37:16 -------- d-----w- C:\Users\Toby\AppData\Local\Origin
2016-03-08 16:36:37 -------- d-----w- C:\ProgramData\Origin
2016-03-08 16:36:37 -------- d-----w- C:\ProgramData\Electronic Arts
2016-03-08 16:36:06 -------- d-----w- C:\Program Files (x86)\Origin
2016-03-03 10:31:46 -------- d-----w- C:\Users\Toby\AppData\Local\SUPERHOT_Sp_z_o.o
2016-03-02 13:56:55 -------- d-----w- C:\Users\Toby\AppData\Local\gtk-2.0
2016-03-02 13:56:55 -------- d-----w- C:\Users\Toby\.thumbnails
2016-03-02 13:51:49 -------- d-----w- C:\Users\Toby\AppData\Local\gegl-0.2
2016-03-02 13:51:49 -------- d-----w- C:\Users\Toby\.gimp-2.8
2016-03-02 13:51:09 -------- d-----w- C:\Program Files\GIMP 2
2016-03-02 13:30:07 -------- d-----w- C:\Users\Toby\AppData\Local\fontconfig
2016-03-02 13:29:26 -------- d-----w- C:\Users\Toby\AppData\Roaming\inkscape
2016-03-02 13:28:49 -------- d-----w- C:\Program Files\Inkscape
2016-03-02 13:13:44 -------- d-----w- C:\Windows\SysWow64\spool
.
==================== Find3M ====================
.
2016-03-09 19:05:35 107792 ----a-w- C:\Windows\System32\drivers\aswmonflt.sys
2016-03-09 19:05:35 1070904 ----a-w- C:\Windows\System32\drivers\aswsnx.sys
2016-02-21 11:07:27 97888 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2016-02-19 19:02:43 38336 ----a-w- C:\Windows\System32\CompatTelRunner.exe
2016-02-19 18:54:11 1168896 ----a-w- C:\Windows\System32\aeinv.dll
2016-02-19 14:07:35 1373184 ----a-w- C:\Windows\System32\appraiser.dll
2016-02-18 09:46:35 287016 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2016-02-18 09:46:09 74544 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2016-02-18 09:46:09 37656 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
2016-02-18 09:46:09 165344 ----a-w- C:\Windows\System32\drivers\aswStm.sys
2016-02-18 09:46:09 103064 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2016-02-18 09:46:07 52184 ----a-w- C:\Windows\avastSS.scr
2016-02-18 09:46:05 37144 ----a-w- C:\Windows\System32\drivers\aswKbd.sys
2016-02-18 09:46:04 478128 ----a-w- C:\Windows\System32\drivers\aswNdisFlt.sys
2016-02-12 18:52:23 98816 ----a-w- C:\Windows\System32\wudriver.dll
2016-02-12 18:52:23 3169792 ----a-w- C:\Windows\System32\wucltux.dll
2016-02-12 18:52:23 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2016-02-12 18:44:43 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2016-02-12 18:39:55 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2016-02-12 18:18:22 37888 ----a-w- C:\Windows\System32\wuapp.exe
2016-02-12 18:18:05 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2016-02-12 18:05:17 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2016-02-12 18:05:13 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2016-02-11 18:56:28 5572032 ----a-w- C:\Windows\System32\ntoskrnl.exe
2016-02-11 18:56:26 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2016-02-11 18:56:26 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2016-02-11 18:52:52 1733592 ----a-w- C:\Windows\System32\ntdll.dll
2016-02-11 18:49:42 362496 ----a-w- C:\Windows\System32\wow64win.dll
2016-02-11 18:49:42 243712 ----a-w- C:\Windows\System32\wow64.dll
2016-02-11 18:49:42 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2016-02-11 18:49:24 215040 ----a-w- C:\Windows\System32\winsrv.dll
2016-02-11 18:49:19 210432 ----a-w- C:\Windows\System32\wdigest.dll
2016-02-11 18:49:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2016-02-11 18:49:00 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2016-02-11 18:49:00 135680 ----a-w- C:\Windows\System32\sspicli.dll
2016-02-11 18:48:58 503808 ----a-w- C:\Windows\System32\srcore.dll
2016-02-11 18:48:58 50176 ----a-w- C:\Windows\System32\srclient.dll
2016-02-11 18:48:16 28160 ----a-w- C:\Windows\System32\secur32.dll
2016-02-11 18:48:14 344064 ----a-w- C:\Windows\System32\schannel.dll
2016-02-11 18:48:12 1214464 ----a-w- C:\Windows\System32\rpcrt4.dll
2016-02-11 18:47:33 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2016-02-11 18:45:59 312320 ----a-w- C:\Windows\System32\ncrypt.dll
2016-02-11 18:45:56 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2016-02-11 18:45:51 60416 ----a-w- C:\Windows\System32\msobjs.dll
2016-02-11 18:45:35 146432 ----a-w- C:\Windows\System32\msaudite.dll
2016-02-11 18:44:45 3994560 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2016-02-11 18:44:45 3938240 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2016-02-11 18:44:42 1461248 ----a-w- C:\Windows\System32\lsasrv.dll
2016-02-11 18:44:34 730112 ----a-w- C:\Windows\System32\kerberos.dll
2016-02-11 18:44:34 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2016-02-11 18:42:25 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2016-02-11 18:42:24 43520 ----a-w- C:\Windows\System32\cryptbase.dll
2016-02-11 18:42:24 22016 ----a-w- C:\Windows\System32\credssp.dll
2016-02-11 18:38:24 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2016-02-11 18:38:24 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2016-02-11 18:38:24 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2016-02-11 18:38:23 275456 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2016-02-11 18:38:07 171520 ----a-w- C:\Windows\SysWow64\wdigest.dll
2016-02-11 18:38:00 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2016-02-11 18:37:53 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2016-02-11 18:37:11 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2016-02-11 18:37:09 251392 ----a-w- C:\Windows\SysWow64\schannel.dll
2016-02-11 18:35:14 223232 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2016-02-11 18:35:09 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2016-02-11 18:35:06 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2016-02-11 18:34:26 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2016-02-11 18:33:30 553472 ----a-w- C:\Windows\SysWow64\kerberos.dll
2016-02-11 18:31:25 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2016-02-11 17:48:11 64000 ----a-w- C:\Windows\System32\auditpol.exe
2016-02-11 17:43:48 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2016-02-11 17:41:42 338432 ----a-w- C:\Windows\System32\conhost.exe
2016-02-11 17:40:09 296960 ----a-w- C:\Windows\System32\rstrui.exe
2016-02-11 17:34:45 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2016-02-11 17:34:01 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2016-02-11 17:33:54 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2016-02-11 17:32:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2016-02-11 17:32:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2016-02-11 17:32:45 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2016-02-11 17:32:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2016-02-11 17:32:25 30720 ----a-w- C:\Windows\System32\lsass.exe
2016-02-11 17:32:18 112640 ----a-w- C:\Windows\System32\smss.exe
2016-02-11 17:31:01 36352 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2016-02-11 17:30:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2016-02-11 17:30:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2016-02-11 17:30:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2016-02-11 17:30:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2016-02-11 14:07:46 689152 ----a-w- C:\Windows\System32\generaltel.dll
2016-02-09 09:57:08 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2016-02-09 09:56:09 5120 ----a-w- C:\Windows\System32\msdxm.ocx
2016-02-09 09:56:09 5120 ----a-w- C:\Windows\System32\dxmasf.dll
2016-02-09 09:55:34 30720 ----a-w- C:\Windows\System32\seclogon.dll
2016-02-09 09:54:38 9728 ----a-w- C:\Windows\System32\spwmp.dll
2016-02-09 09:51:32 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2016-02-09 09:13:14 4096 ----a-w- C:\Windows\SysWow64\msdxm.ocx
2016-02-09 09:13:14 4096 ----a-w- C:\Windows\SysWow64\dxmasf.dll
2016-02-09 09:13:10 8192 ----a-w- C:\Windows\SysWow64\spwmp.dll
2016-02-09 05:41:27 6368824 ----a-w- C:\Windows\System32\nvcpl.dll
2016-02-09 05:41:27 2993720 ----a-w- C:\Windows\System32\nvsvc64.dll
2016-02-09 05:41:25 81856 ----a-w- C:\Windows\System32\nv3dappshextr.dll
2016-02-09 05:41:25 69568 ----a-w- C:\Windows\System32\nvshext.dll
.
============= FINISH: 22:48:03.68 ===============
Attached Files
File Type: txt attach.txt (6.6 KB, 20 views)
Old 03-25-2016, 04:19 PM   #2
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Toby,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Old 03-25-2016, 05:11 PM   #3
Registered Member
 
Join Date: Mar 2015
Posts: 24
OS: windows 7



Hi Tolga,

Thanks so much for a quick response. I have done as asked, please see logs below/attached.

# AdwCleaner v5.105 - Logfile created 26/03/2016 at 00:03:54
# Updated 21/03/2016 by Xplode
# Database : 2016-03-25.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Toby - TOBY-PC
# Running from : C:\Users\Toby\Downloads\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\SOUND+

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : HKCU\Software\Microsoft\Tinstalls
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\WTools
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SU
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www-searching.com

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1436 bytes] - [26/03/2016 00:03:54]
C:\AdwCleaner\AdwCleaner[S1].txt - [1785 bytes] - [26/03/2016 00:01:46]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1582 bytes] ##########
Attached Files
File Type: txt FRST.txt (67.9 KB, 19 views)
File Type: txt Addition.txt (37.9 KB, 18 views)
Old 03-27-2016, 02:25 PM   #4
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello

Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
Task: {2D2294D4-C29C-4229-9A11-BD95DB6EC58F} - System32\Tasks\Microsoft\Windows\Apps\UpService => C:\ProgramData\UpService\UpService.exe <==== ATTENTION
Task: {31B995C1-9E60-4DA1-AD5E-3786BEC2D4FB} - \{0C040447-7F0C-7E0D-0A11-080D080B1105} -> No File <==== ATTENTION
Task: {3650092D-54F9-42F1-A5F8-355D9E0128EA} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\ProgramData\cis2D66.exe [2016-03-25] (COMODO) <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2016-03-25 22:42 - 2016-03-25 22:42 - 03599032 _____ (COMODO) C:\ProgramData\cis2D66.exe
2016-03-25 22:42 - 2016-03-25 22:42 - 3599032 _____ (COMODO) C:\ProgramData\cis2D66.exe
2016-03-25 22:41 - 2016-03-25 22:41 - 3599032 _____ (COMODO) C:\ProgramData\cisB940.exe
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
Old 03-28-2016, 10:44 AM   #5
Baronyx (Registered Member)
Join Date: Mar 2015
Posts: 24
OS: windows 7

Here are my Fixlog results.

Incidentally I have gained a new symptom. It is difficult to describe, but I can only try to explain - My opened program windows seem to "flicker" back and forth from desktop (or the windows beneath them) usually for no reason, but more often when I am clicking within the window. This issue is most prominent when playing games.

Thanks

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Toby (2016-03-28 18:36:00) Run:1
Running from C:\Users\Toby\Desktop\FRST
Loaded Profiles: Toby (Available Profiles: Toby)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Task: {2D2294D4-C29C-4229-9A11-BD95DB6EC58F} - System32\Tasks\Microsoft\Windows\Apps\UpService => C:\ProgramData\UpService\UpService.exe <==== ATTENTION
Task: {31B995C1-9E60-4DA1-AD5E-3786BEC2D4FB} - \{0C040447-7F0C-7E0D-0A11-080D080B1105} -> No File <==== ATTENTION
Task: {3650092D-54F9-42F1-A5F8-355D9E0128EA} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\ProgramData\cis2D66.exe [2016-03-25] (COMODO) <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2016-03-25 22:42 - 2016-03-25 22:42 - 03599032 _____ (COMODO) C:\ProgramData\cis2D66.exe
2016-03-25 22:42 - 2016-03-25 22:42 - 3599032 _____ (COMODO) C:\ProgramData\cis2D66.exe
2016-03-25 22:41 - 2016-03-25 22:41 - 3599032 _____ (COMODO) C:\ProgramData\cisB940.exe
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2D2294D4-C29C-4229-9A11-BD95DB6EC58F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2D2294D4-C29C-4229-9A11-BD95DB6EC58F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{31B995C1-9E60-4DA1-AD5E-3786BEC2D4FB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31B995C1-9E60-4DA1-AD5E-3786BEC2D4FB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0C040447-7F0C-7E0D-0A11-080D080B1105}" => key removed successfully
Task: {3650092D-54F9-42F1-A5F8-355D9E0128EA} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\ProgramData\cis2D66.exe [2016-03-25] (COMODO) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"C:\ProgramData\cis2D66.exe" => not found.
"C:\ProgramData\cis2D66.exe" => not found.
C:\ProgramData\cisB940.exe => moved successfully
EmptyTemp: => 2.8 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 18:36:54 ====
Baronyx is offline  
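The fix tekir06 scripted in post #4 targets scheduled tasks, and the Fixlog above shows what removing one actually means on disk: each task GUID maps to a key under TaskCache\Tasks, and the task's folder path maps to a key under TaskCache\Tree (the trigger-specific Logon, Plain and Boot entries come from the task's trigger type, which an FRST "Task:" line does not carry). The script below, an added example written for this page and not code from the thread or from FRST, parses the three "Task:" lines from the fixlist, derives those two registry keys, and applies the same reasoning the analyst used: an action living in ProgramData, a task parked under the Microsoft\Windows folder whose binary is not in C:\Windows, no publisher information, or a task pointing at "No File". The list of user-writable directories and the masquerading rule are this example's own assumptions, not FRST's internal logic.

```python
"""Triage FRST "Task:" lines and derive the TaskCache registry keys a removal touches.

Added example for this thread; not code from the forum, from FRST, or from its author.
The three sample lines are copied from the fixlist posted above. The heuristics (which
directories count as user-writable, what counts as masquerading under the
Microsoft\\Windows task folder) are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

# The Task: lines from the fixlist above, verbatim (raw strings keep the backslashes).
SAMPLE_FRST_TASK_LINES = [
    r"Task: {2D2294D4-C29C-4229-9A11-BD95DB6EC58F} - System32\Tasks\Microsoft\Windows\Apps\UpService => C:\ProgramData\UpService\UpService.exe <==== ATTENTION",
    r"Task: {31B995C1-9E60-4DA1-AD5E-3786BEC2D4FB} - \{0C040447-7F0C-7E0D-0A11-080D080B1105} -> No File <==== ATTENTION",
    r"Task: {3650092D-54F9-42F1-A5F8-355D9E0128EA} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\ProgramData\cis2D66.exe [2016-03-25] (COMODO) <==== ATTENTION",
]

# Where the Task Scheduler keeps registered tasks (the keys the Fixlog reports removing).
TASKCACHE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"

# Directories a standard user can write to. A task whose action lives here and which sits
# under the Microsoft\Windows folder is the persistence pattern seen in this thread.
# (Assumption: this list is illustrative, not exhaustive.)
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

_TASK_RE = re.compile(
    r"^Task:\s+(?P<guid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>\S+)\s+(?:=>|->)\s+"
    r"(?P<target>.*?)"                          # action, or "No File" for an orphaned task
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\])?"  # file date FRST prints for existing binaries
    r"(?:\s+\((?P<vendor>[^)]*)\))?"            # company name from the file's version info
    r"(?:\s+<====\s*ATTENTION)?\s*$"
)


def parse_task_line(line: str) -> Dict[str, Optional[str]]:
    """Split one FRST Task: line into its fields plus the registry keys that back it."""
    m = _TASK_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an FRST Task: line: {line!r}")
    task: Dict[str, Optional[str]] = m.groupdict()
    # FRST prints the path relative to System32\Tasks, or as "\name" for a task registered
    # at the root of the task folder. TaskCache\Tree mirrors that folder layout.
    path = task["path"] or ""
    if path.lower().startswith("system32\\tasks\\"):
        path = path[len("system32\\tasks\\"):]
    path = path.lstrip("\\")
    task["tree_path"] = path
    task["tasks_key"] = f"{TASKCACHE}\\Tasks\\{task['guid']}"
    task["tree_key"] = f"{TASKCACHE}\\Tree\\{path}"
    # Trigger index keys (Boot, Logon, Plain) exist as well, but the trigger type is not
    # in the Task: line, so they cannot be derived here.
    return task


def flag_task(task: Dict[str, Optional[str]]) -> List[str]:
    """Return the reasons a task deserves a look; an empty list means nothing stood out."""
    flags: List[str] = []
    target = (task["target"] or "").lower()
    if target == "no file":
        flags.append("no_file")  # orphaned task: binary removed earlier or never present
        return flags
    if any(marker in target for marker in USER_WRITABLE_MARKERS):
        flags.append("user_writable_target")
    if (task["tree_path"] or "").lower().startswith("microsoft\\windows\\") and not target.startswith("c:\\windows\\"):
        flags.append("masquerades_as_windows_task")
    if not task["vendor"]:
        flags.append("no_publisher_info")
    return flags


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every Task: line in an FRST excerpt and attach the flags for each."""
    results: List[Dict[str, object]] = []
    for line in lines:
        if not line.lstrip().startswith("Task:"):
            continue
        task = parse_task_line(line)
        results.append({**task, "flags": flag_task(task)})
    return results


if __name__ == "__main__":
    for t in triage(SAMPLE_FRST_TASK_LINES):
        print(t["guid"], t["tree_path"], "->", t["target"], "flags:", ", ".join(t["flags"]) or "-")
        print("   ", t["tasks_key"])
        print("   ", t["tree_key"])
```

Run against the three lines, the UpService task is flagged on all three counts, the GUID-named task is flagged only as an orphan, and the COMODO task is flagged solely for living in ProgramData (it carries a publisher name and a file date). That last case is the reason the Fixlog's "No automatic fix found" line deserves attention: a heuristic flags it, but FRST did not have a removal rule for it, so the file had to be handled by the explicit path entries in the fixlist instead.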
Old 03-29-2016, 05:00 AM   #6
tekir06 (Security Team Analyst)
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Baronyx,

Thanks for the log and info. Please do the following.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8 users, right-click > Run as Administrator)
Copy/paste the contents of the following codebox into the main textfield:
Code:
:folderfind
easyshopper
search pro

:regfind
easyshopper
search pro
Click the Look button to start the scan.
Please be patient, as it may take a while.
When finished, a Notepad file will open with the results of the scan.
Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
__________________
tekir06 is offline  
Old 03-29-2016, 05:15 AM   #7
Baronyx (Registered Member)
Join Date: Mar 2015
Posts: 24
OS: windows 7

Thank you again.

SystemLook 30.07.11 by jpshortstuff
Log created at 13:10 on 29/03/2016 by Toby
Administrator - Elevation successful

========== folderfind ==========

Searching for "easyshopper"
No folders found.

Searching for "search pro"
No folders found.

========== regfind ==========

Searching for "easyshopper"
No data found.

Searching for "search pro"
[HKEY_CURRENT_USER\AppEvents\EventLabels\SearchProviderDiscovered]
@="Search Provider Discovered"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3B07977C-7A38-455D-AAD5-88500A360D24}]
@="Windows Media Center Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07398dcf-2e0b-4ece-99dd-56b262db948b}]
@="Search Protocol URL Generator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35C61CC2-5851-4F2D-89B6-4F9BB4B4193F}]
@="Microsoft Search Property System Change Notify Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E277F6-4E74-4cd6-BA6F-FA4F42898223}]
@="Windows Search OpenSearch Provider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{565E978D-AC10-443A-A2C8-165C2DA1B5FC}]
@="Sticky Notes Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A11B5FA-3C92-4E8B-8382-3C71B757D679}]
@="IE RSS Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A9F738C8-6B96-41FA-A155-15ECD67275D0}]
@="Windows Search Protocol Handler Search Connector Creator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE0BDDFA-8373-4cc4-85D8-0618E453187C}]
@="IE History Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Explorer.AssocProtocol.search-ms]
@="Windows Search Protocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPH.HistoryHandler]
@="IE History Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPH.RSSHandler]
@="IE RSS Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search]
@="Windows Search Protocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search-ms]
@="Windows Search Protocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Search.OneIndexHandler]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Search.OneIndexHandler.2]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Search.StickyNotesHandler]
@="Sticky Notes Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Search.StickyNotesHandler.1]
@="Sticky Notes Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07398dcf-2e0b-4ece-99dd-56b262db948b}]
@="Search Protocol URL Generator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35C61CC2-5851-4F2D-89B6-4F9BB4B4193F}]
@="Microsoft Search Property System Change Notify Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E277F6-4E74-4cd6-BA6F-FA4F42898223}]
@="Windows Search OpenSearch Provider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A11B5FA-3C92-4E8B-8382-3C71B757D679}]
@="IE RSS Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9F738C8-6B96-41FA-A155-15ECD67275D0}]
@="Windows Search Protocol Handler Search Connector Creator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE0BDDFA-8373-4cc4-85D8-0618E453187C}]
@="IE History Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{3B07977C-7A38-455D-AAD5-88500A360D24}]
@="Windows Media Center Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Classes\Search.OneIndexHandler]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Classes\Search.OneIndexHandler.2]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\ChangeNotifyHandlers\{35C61CC2-5851-4F2D-89B6-4F9BB4B4193F}]
@="Microsoft Search Property System Change Notify Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\ChangeNotifyHandlers\{35C61CC2-5851-4F2D-89B6-4F9BB4B4193F}]
@="Microsoft Search Property System Change Notify Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{07398dcf-2e0b-4ece-99dd-56b262db948b}]
@="Search Protocol URL Generator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{35C61CC2-5851-4F2D-89B6-4F9BB4B4193F}]
@="Microsoft Search Property System Change Notify Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{48E277F6-4E74-4cd6-BA6F-FA4F42898223}]
@="Windows Search OpenSearch Provider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{8A11B5FA-3C92-4E8B-8382-3C71B757D679}]
@="IE RSS Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A9F738C8-6B96-41FA-A155-15ECD67275D0}]
@="Windows Search Protocol Handler Search Connector Creator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}]
@="Microsoft OneNote Windows Desktop Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{EE0BDDFA-8373-4cc4-85D8-0618E453187C}]
@="IE History Search Protocol Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{3B07977C-7A38-455D-AAD5-88500A360D24}]
@="Windows Media Center Search Protocol Handler"
[HKEY_USERS\S-1-5-21-4105909331-1130796397-2258616020-1000\AppEvents\EventLabels\SearchProviderDiscovered]
@="Search Provider Discovered"

-= EOF =-
Baronyx is offline  
Old 03-29-2016, 05:25 AM   #8
tekir06 (Security Team Analyst)
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello again,

Please do the following.

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
__________________
tekir06 is offline  
Old 03-29-2016, 06:26 AM   #9
Baronyx (Registered Member)
Join Date: Mar 2015
Posts: 24
OS: windows 7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64
Ran by Toby (Administrator) on 29/03/2016 at 14:23:29.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 19

Failed to delete: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XQP3NUA (Temporary Internet Files Folder)
Failed to delete: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71N9CTPK (Temporary Internet Files Folder)
Failed to delete: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LXBL1GT7 (Temporary Internet Files Folder)
Failed to delete: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SUF788NG (Temporary Internet Files Folder)
Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Toby\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Toby (Task)
Successfully deleted: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NE19RN2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64YYGCFL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70UBWD4D (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Toby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPC8IVCK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XQP3NUA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NE19RN2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64YYGCFL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70UBWD4D (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71N9CTPK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPC8IVCK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LXBL1GT7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SUF788NG (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 29/03/2016 at 14:25:22.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Baronyx is offline  
Old 03-29-2016, 06:41 AM   #10
tekir06 (Security Team Analyst)
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Baronyx,

How is the machine behaving now? What problems do you still have? Does your problem continue?
__________________
tekir06 is offline  
Old 03-29-2016, 07:34 AM   #11
Baronyx (Registered Member)
Join Date: Mar 2015
Posts: 24
OS: windows 7

The popups appear to have ceased for now. However the program windows are still constantly flickering back and forth as I interact with them. On my taskbar at the bottom of the screen, the Icons seem to Disappear, reappear and then shuffle backwards somewhat.

Thanks
Baronyx is offline  
Old 03-29-2016, 11:37 PM   #12
tekir06 (Security Team Analyst)
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Baronyx,

It looks like a Windows OS issue. My training is in cleaning malware, so I don't have much information about this issue. You can also ask for help from our Windows 7 forum about your problems.

Your reports are clear. Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, and Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
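The MVPS HOSTS file described in the prevention advice above works by mapping known ad and tracking hostnames to a sink address so the browser never reaches them. Two practical points go with that. First, current MVPS releases use 0.0.0.0 rather than 127.0.0.1 as the sink (it avoids the delay of a connection attempt to the local loopback), so a check has to accept both. Second, the same file is a favourite target of the adware this thread is about, which edits it in the opposite direction, pointing real hostnames at attacker-chosen addresses. The script below is an added example written for this page, not code from the thread or from the MVPS project; it parses HOSTS syntax, separates sinkholed names (the blocklist doing its job) from entries that point at a routable address (deliberate local mappings or hijacks), and can be pointed at the live file. The sample file is constructed for illustration: the domains are reserved .test names and 203.0.113.7 is a documentation address.

```python
"""Audit a Windows HOSTS file: blocklist entries versus entries that redirect elsewhere.

Added example for this thread; not code from the forum or from the MVPS project. The
sample HOSTS content is constructed (reserved .test names, documentation IP 203.0.113.7).
Blocklists sink names to 127.0.0.1 or 0.0.0.0, so both are treated as sink addresses.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample, not a real HOSTS file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example-adnetwork.test        # MVPS-style block
127.0.0.1 tracker.example-adnetwork.test    # older blocklist style
203.0.113.7 www.example-av.test update.example-av.test
"""

# Addresses blocklists use as a sink; anything else is a real redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Parse HOSTS syntax: 'address host [host ...]' with '#' comments; one entry per host."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; Windows ignores it as well
        addr, names = parts[0], parts[1:]
        try:
            addr = str(ipaddress.ip_address(addr))  # normalise, reject junk
        except ValueError:
            continue
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, list]:
    """Split entries into sinkholed names and redirects to routable addresses.

    A blocklist never maps a name to a routable address, so on a machine that should
    carry only the MVPS list, every entry in "redirected" is either a deliberate local
    mapping or a hijack worth checking.
    """
    blocked: List[str] = []
    redirected: List[Entry] = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the default loopback lines
        if addr in SINK_ADDRESSES:
            blocked.append(name)
        else:
            redirected.append((lineno, addr, name))
    return {"blocked": blocked, "redirected": redirected}


def audit_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> Dict[str, list]:
    """Run the audit on the live file (reading it needs no elevation; editing it does)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} sinkholed names")
    for lineno, addr, name in report["redirected"]:
        print(f"line {lineno}: {name} -> {addr}  <-- not a blocklist entry, check it")
```

On the sample, the two ad hostnames come back as blocked and the two example-av.test names come back as redirects to 203.0.113.7, which is exactly the pattern that would stop an antivirus or update site from resolving correctly. A large blocklist such as MVPS produces tens of thousands of "blocked" names and should produce an empty "redirected" list; a non-empty one is the thing to read line by line.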
Old 04-02-2016, 03:59 PM   #13
amateur (TSF-Emeritus)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10

Since the malware issue appears resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

Surf Safely and Think Prevention!
__________________

amateur is offline  