Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

Computer repair Ad Popups

This is a discussion on Computer repair Ad Popups within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hello, been a long time since I needed your assistance, but so glad you guys are here to help -


 
 
Thread Tools Search this Thread
Old 03-24-2016, 10:20 PM   #1
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


Hello,
been a long time since I needed your assistance, but so glad you guys are here to help - you do a great job and it's so appreciated!
My problem is a troublesome pop-up problem you've seen a thousand times before. Using Chrome Browser, Windows 7 machine and whenever i visit a regular website, i get so many popups, mostly advertising computer repair software, or a notice to update flash player and many other small windowed ads - script error notices - click here to leave this page popups, etc. etc. all rendering the browser useless. strangely, i'm not seeing the popups as I write this nor in facebook or gmail. . . Anyway - thanks so much for your time and your help!!!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18231 BrowserJavaVersion: 11.31.2
Run by Don at 0:34:10 on 2016-03-25
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.2325 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
SP: Microsoft Security Essentials *Enabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Nero\Nero 2014\Nero BackItUp\NBService\NBService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\GWX\GWX.exe
C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\vVX3000.exe
C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet 4630 series\Bin\HPNetworkCommunicatorCom.exe
C:\Users\Don\AppData\Roaming\Spotify\SpotifyWebHelper.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Don\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files\CCleaner\CCleaner64.exe
C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WUDFHost.exe
C:\PROGRA~1\SketchUp\SKETCH~1\SketchUp.exe
C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Don\Downloads\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uSearch Page = hxxp://www.google.com
uProxyServer = localhost:21320
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll
BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll
uRun: [GoogleChromeAutoLaunch_F7AAF1AF98DA9322EDD7EAFC54A5354D] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [HP Officejet 4630 series (NET)] "C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN47G390D505Y0:NW" -scfn "HP Officejet 4630 series (NET)" -AutoStart 1
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Spotify Web Helper] "C:\Users\Don\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
uRun: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [SpybotPostWindows10UpgradeReInstall] "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
StartupFolder: C:\Users\Don\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Don\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
TCP: NameServer = 82.163.143.171 82.163.142.173
TCP: NameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{3FBDFE79-548B-41A6-BF6D-22373F0EA2FE} : NameServer = 82.163.143.171 82.163.142.173
TCP: Interfaces\{3FBDFE79-548B-41A6-BF6D-22373F0EA2FE} : DHCPNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{806CCD13-C306-487A-8881-7DF2FBFA4237} : NameServer = 82.163.143.171 82.163.142.173
TCP: Interfaces\{806CCD13-C306-487A-8881-7DF2FBFA4237} : DHCPNameServer = 82.163.143.171
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - <orphaned>
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.87\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
mASetup: {A6EADE66-0000-0000-484E-7E8A45000000} - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll",CreateReaderUserSettings
x64-BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [VX3000] C:\Windows\vVX3000.exe
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - <orphaned>
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 Spyware Info | Spyware Info
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-11-13 289120]
R2 c2cautoupdatesvc;Skype Click to Call Updater;C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2016-1-8 1433216]
R2 c2cpnrsvc;Skype Click to Call PNR Service;C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2016-1-8 1773696]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 GfExperienceService;NVIDIA GeForce Experience Service;C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [2014-9-28 1155216]
R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [2015-3-28 89840]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2013-7-18 762192]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2014-9-28 1871504]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2015-7-30 5544592]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-8-21 1738168]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-8-21 2088408]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-8-21 171928]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2015-9-27 409800]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2014-2-28 232728]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2014-2-28 1448216]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2014-2-28 97560]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2014-2-28 1617176]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2014-3-11 133816]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2016-1-29 374344]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-1-22 77824]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-1-22 180224]
R3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2014-9-28 19600]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2015-11-5 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2015-11-5 125112]
S2 CouponArificService64;CouponArificService64;C:\Program Files (x86)\35556262-902E-49AE-8622-66E14F1F041C\arrmeapsie64.exe [2014-9-29 172544]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-7-9 327296]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2014-8-17 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2014-2-28 232728]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2014-2-28 1448216]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2014-2-28 97560]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2014-1-22 108800]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2016-3-9 114688]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2015-7-30 47976]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-8-17 19456]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2014-1-22 206080]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-8-17 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-8-17 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-8-17 1255736]
.
=============== Created Last 30 ================
.
2016-03-25 01:59:03 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A32DD6E5-3176-4483-A132-FA6E0A884B00}\offreg.952.dll
2016-03-24 14:24:05 5306560 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2016-03-23 18:49:06 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A32DD6E5-3176-4483-A132-FA6E0A884B00}\offreg.936.dll
2016-03-23 15:35:45 1190000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{144567EC-BE2F-4A4C-A8F4-32EC57699B90}\gapaengine.dll
2016-03-23 15:35:17 11249080 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A32DD6E5-3176-4483-A132-FA6E0A884B00}\mpengine.dll
2016-03-22 15:35:18 11249080 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2016-03-21 12:49:01 -------- d-----w- C:\ProgramData\f46db541-7a37-0
2016-03-21 12:49:00 -------- d-----w- C:\ProgramData\f46db541-5897-1
2016-03-21 06:49:02 -------- d-----w- C:\ProgramData\f46db541-52b3-0
2016-03-21 06:49:01 -------- d-----w- C:\ProgramData\f46db541-3b21-1
2016-03-21 00:49:03 -------- d-----w- C:\ProgramData\f46db541-5945-0
2016-03-21 00:49:02 -------- d-----w- C:\ProgramData\f46db541-2c31-1
2016-03-20 18:49:07 -------- d-----w- C:\ProgramData\f46db541-4a41-0
2016-03-20 18:49:06 -------- d-----w- C:\ProgramData\f46db541-22f7-1
2016-03-20 01:41:37 -------- d-----w- C:\REX Texture Direct
2016-03-15 01:55:44 -------- d-----w- C:\Program Files\Common Files\AV
2016-03-15 00:49:01 -------- d-----w- C:\ProgramData\f46db541-0b11-0
2016-03-15 00:44:17 -------- d-----w- C:\ProgramData\f46db541-0c01-0
2016-03-15 00:44:15 -------- d-----w- C:\ProgramData\c75ed112
2016-03-15 00:44:10 -------- d-----w- C:\ProgramData\{132aeda2-212c-0}
2016-03-15 00:44:08 -------- d-----w- C:\ProgramData\{02fc2dd9-712c-1}
2016-03-15 00:44:08 -------- d-----w- C:\ProgramData\{02fc2dd9-712c-0}
2016-03-14 02:43:38 -------- d-----w- C:\Users\Don\AppData\Roaming\Orbx systems
2016-03-12 22:09:29 -------- d-----w- C:\Downloads
2016-03-09 14:36:55 994760 ----a-w- C:\Windows\System32\ucrtbase.dll
2016-03-09 14:31:51 696832 ----a-w- C:\Windows\System32\invagent.dll
2016-03-09 14:31:51 689152 ----a-w- C:\Windows\System32\generaltel.dll
2016-03-09 14:31:51 499200 ----a-w- C:\Windows\System32\devinv.dll
2016-03-09 14:31:51 1373184 ----a-w- C:\Windows\System32\appraiser.dll
2016-03-09 14:31:51 1168896 ----a-w- C:\Windows\System32\aeinv.dll
2016-03-09 14:31:50 76800 ----a-w- C:\Windows\System32\acmigration.dll
2016-03-09 14:31:50 38336 ----a-w- C:\Windows\System32\CompatTelRunner.exe
.
==================== Find3M ====================
.
2016-03-24 14:24:15 797376 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-03-24 14:24:15 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-02-23 06:24:20 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2016-02-23 06:24:20 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2016-02-23 06:24:20 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2016-02-23 06:24:20 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2016-02-12 18:52:23 98816 ----a-w- C:\Windows\System32\wudriver.dll
2016-02-12 18:52:23 3169792 ----a-w- C:\Windows\System32\wucltux.dll
2016-02-12 18:52:23 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2016-02-12 18:44:43 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2016-02-12 18:39:55 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2016-02-12 18:18:22 37888 ----a-w- C:\Windows\System32\wuapp.exe
2016-02-12 18:18:05 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2016-02-12 18:05:17 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2016-02-12 18:05:13 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2016-02-11 18:56:28 5572032 ----a-w- C:\Windows\System32\ntoskrnl.exe
2016-02-11 18:56:26 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2016-02-11 18:56:26 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2016-02-11 18:52:52 1733592 ----a-w- C:\Windows\System32\ntdll.dll
2016-02-11 18:49:42 362496 ----a-w- C:\Windows\System32\wow64win.dll
2016-02-11 18:49:42 243712 ----a-w- C:\Windows\System32\wow64.dll
2016-02-11 18:49:42 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2016-02-11 18:49:24 215040 ----a-w- C:\Windows\System32\winsrv.dll
2016-02-11 18:49:19 210432 ----a-w- C:\Windows\System32\wdigest.dll
2016-02-11 18:49:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2016-02-11 18:49:00 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2016-02-11 18:49:00 135680 ----a-w- C:\Windows\System32\sspicli.dll
2016-02-11 18:48:58 503808 ----a-w- C:\Windows\System32\srcore.dll
2016-02-11 18:48:58 50176 ----a-w- C:\Windows\System32\srclient.dll
2016-02-11 18:48:16 28160 ----a-w- C:\Windows\System32\secur32.dll
2016-02-11 18:48:14 344064 ----a-w- C:\Windows\System32\schannel.dll
2016-02-11 18:48:12 1214464 ----a-w- C:\Windows\System32\rpcrt4.dll
2016-02-11 18:47:33 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2016-02-11 18:45:59 312320 ----a-w- C:\Windows\System32\ncrypt.dll
2016-02-11 18:45:56 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2016-02-11 18:45:51 60416 ----a-w- C:\Windows\System32\msobjs.dll
2016-02-11 18:45:35 146432 ----a-w- C:\Windows\System32\msaudite.dll
2016-02-11 18:44:45 3994560 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2016-02-11 18:44:45 3938240 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2016-02-11 18:44:42 1461248 ----a-w- C:\Windows\System32\lsasrv.dll
2016-02-11 18:44:34 730112 ----a-w- C:\Windows\System32\kerberos.dll
2016-02-11 18:44:34 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2016-02-11 18:42:25 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2016-02-11 18:42:24 43520 ----a-w- C:\Windows\System32\cryptbase.dll
2016-02-11 18:42:24 22016 ----a-w- C:\Windows\System32\credssp.dll
2016-02-11 18:38:24 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2016-02-11 18:38:24 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2016-02-11 18:38:24 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2016-02-11 18:38:23 275456 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2016-02-11 18:38:07 171520 ----a-w- C:\Windows\SysWow64\wdigest.dll
2016-02-11 18:38:00 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2016-02-11 18:37:53 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2016-02-11 18:37:11 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2016-02-11 18:37:09 251392 ----a-w- C:\Windows\SysWow64\schannel.dll
2016-02-11 18:35:14 223232 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2016-02-11 18:35:09 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2016-02-11 18:35:06 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2016-02-11 18:34:26 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2016-02-11 18:33:30 553472 ----a-w- C:\Windows\SysWow64\kerberos.dll
2016-02-11 18:31:25 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2016-02-11 17:48:11 64000 ----a-w- C:\Windows\System32\auditpol.exe
2016-02-11 17:43:48 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2016-02-11 17:41:42 338432 ----a-w- C:\Windows\System32\conhost.exe
2016-02-11 17:40:09 296960 ----a-w- C:\Windows\System32\rstrui.exe
2016-02-11 17:34:45 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2016-02-11 17:34:01 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2016-02-11 17:33:54 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2016-02-11 17:32:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2016-02-11 17:32:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2016-02-11 17:32:45 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2016-02-11 17:32:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2016-02-11 17:32:25 30720 ----a-w- C:\Windows\System32\lsass.exe
2016-02-11 17:32:18 112640 ----a-w- C:\Windows\System32\smss.exe
2016-02-11 17:31:01 36352 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2016-02-11 17:30:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2016-02-11 17:30:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2016-02-11 17:30:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2016-02-11 17:30:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2016-02-09 09:57:08 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2016-02-09 09:56:09 5120 ----a-w- C:\Windows\System32\msdxm.ocx
2016-02-09 09:56:09 5120 ----a-w- C:\Windows\System32\dxmasf.dll
2016-02-09 09:55:34 30720 ----a-w- C:\Windows\System32\seclogon.dll
2016-02-09 09:54:38 9728 ----a-w- C:\Windows\System32\spwmp.dll
2016-02-09 09:51:32 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2016-02-09 09:13:14 4096 ----a-w- C:\Windows\SysWow64\msdxm.ocx
2016-02-09 09:13:14 4096 ----a-w- C:\Windows\SysWow64\dxmasf.dll
2016-02-09 09:13:10 8192 ----a-w- C:\Windows\SysWow64\spwmp.dll
2016-02-08 20:51:13 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2016-02-08 20:39:06 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2016-02-08 20:39:06 496640 ----a-w- C:\Windows\SysWow64\vbscript.dll
2016-02-08 20:38:29 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2016-02-08 20:38:20 341504 ----a-w- C:\Windows\SysWow64\html.iec
2016-02-08 20:37:31 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2016-02-08 20:28:52 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2016-02-08 20:28:32 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2016-02-08 20:16:21 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2016-02-08 20:10:37 4611072 ----a-w- C:\Windows\SysWow64\jscript9.dll
2016-02-08 20:01:48 2050560 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2016-02-08 20:01:43 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2016-02-08 19:43:04 2121216 ----a-w- C:\Windows\SysWow64\wininet.dll
.
============= FINISH: 0:34:50.21 ===============

tried for an hour to upload the attach text tile but the popups overwhelmed the manage attachments operation. Can I try to copy it in the message?

this is so weird!! Not to mention maddening!
surlybonds is offline  
Sponsored Links
Advertisement
 
Old 03-25-2016, 12:41 AM   #2
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello surlybonds,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download to and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

========================================================
Quote:
Can I try to copy it in the message?
Please try it.

========================================================

Quote:
uProxyServer = localhost:21320
Did you set this proxy yourself?
__________________
tekir06 is offline  
Old 03-26-2016, 06:13 PM   #3
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


I'm operating from a different computer now since I could not even log in to the site on the infected machine. the popups are blocking my way to the site and keep coming. never seen anything like this. I'm posting the 'attach.txt' file from the infected machine below:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 8/17/2014 8:49:18 AM
System Uptime: 3/24/2016 9:16:44 AM (15 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P6X58D PREMIUM
Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | LGA1366 | 3800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 431.071 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 279 GiB total, 157.113 GiB free.
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: High Definition Audio Device
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0889&SUBSYS_104383C0&REV_1000\4&24EAAE2F&0&0001
Manufacturer: Microsoft
Name: High Definition Audio Device
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0889&SUBSYS_104383C0&REV_1000\4&24EAAE2F&0&0001
Service: HdAudAddService
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: NVIDIA Virtual Audio Device (Wave Extensible) (WDM)
Device ID: ROOT\UNNAMED_DEVICE\0000
Manufacturer: NVIDIA
Name: NVIDIA Virtual Audio Device (Wave Extensible) (WDM)
PNP Device ID: ROOT\UNNAMED_DEVICE\0000
Service: nvvad_WaveExtensible
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: netfilter64
Device ID: ROOT\LEGACY_NETFILTER64\0000
Manufacturer:
Name: netfilter64
PNP Device ID: ROOT\LEGACY_NETFILTER64\0000
Service: netfilter64
.
==== System Restore Points ===================
.
RP275: 3/23/2016 11:34:54 AM - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.22 (x64 edition)
Adobe Acrobat Reader DC
Adobe Flash Player 21 ActiveX
Adobe Flash Player 21 NPAPI
Adobe Refresh Manager
Aerosoft's - Aerosoft Launcher
aerosoft's - USCitiesX - Detroit
Belarc Advisor 8.4
CCleaner
Cisco WebEx Meetings
Creative Audio Control Panel
Creative Console Launcher
Creative Software AutoUpdate
Defraggler
Dropbox
EndItAll 2.0
Free Download Manager 3.9.7
FSCubed v2.0 FSX
FSCubed v2.0 FSXSE
FTX Global Base Pack
Google Chrome
Google Earth
Google Update Helper
HP FWUpdateEDO2
HP Officejet 4630 series Basic Device Software
HP Officejet 4630 series Help
HP Photo Creations
HP Support Solutions Framework
HP Update
HPDiagnosticAlert
I.R.I.S. OCR
Java 8 Update 31
Java Auto Updater
Marvell Miniport Driver
Microsoft .NET Framework 4.6.1
Microsoft ASP.NET MVC 4 Runtime
Microsoft Corporation
Microsoft Flight Simulator SimConnect Client v10.0.61259.0
Microsoft Flight Simulator SimConnect Client v10.0.62615.0
Microsoft Flight Simulator X: Steam Edition
Microsoft LifeCam
Microsoft Mouse and Keyboard Center
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2012 Express LocalDB
Microsoft Streets & Trips 2008
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NEC Electronics USB 3.0 Host Controller Driver
Nero BackItUp 2014
Nero BurnLite 10
Nero Control Center 10
Nero ControlCenter
Nero ControlCenter 10 Help (CHM)
Nero ControlCenter Help (CHM)
Nero Core Components
Nero Core Components 10
Nero Info
Nero Update
nero.backitup.msi
NVIDIA 3D Vision Controller Driver 340.50
NVIDIA 3D Vision Driver 341.44
NVIDIA Control Panel 341.44
NVIDIA GeForce Experience 2.5.12.11
NVIDIA GeForce Experience Service
NVIDIA Graphics Driver 341.44
NVIDIA Install Application
NVIDIA LED Visualizer 1.0
NVIDIA Network Service
NVIDIA PhysX
NVIDIA PhysX System Software 9.13.1220
NVIDIA ShadowPlay 2.5.12.11
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 2.5.12.11
NVIDIA Update Core
NVIDIA Virtual Audio 1.2.30
OpenAL
paint.net
Picasa 3
Plan-G v3.1.3 version 3.1.3
Prerequisite installer
Product Improvement Study for HP Officejet 4630 series
REX 4 - Texture Direct with Soft Clouds - SP6 Hotfix 1
REX 4 Texture Direct (with Soft Clouds)
SAMSUNG USB Driver for Mobile Phones
Security Update for Microsoft .NET Framework 4.6.1 (KB3122661)
Security Update for Microsoft .NET Framework 4.6.1 (KB3127233)
Security Update for Microsoft .NET Framework 4.6.1 (KB3136000)
Security Update for Microsoft Office 2007 suites (KB2596650) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687409) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2825645) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2880507) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2880508) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2881067) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2881069) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2956110) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB3085549) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB3085616) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB3085620) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB3114742) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB2596614) 32-Bit Edition
Security Update for Microsoft Office Compatibility Pack Service Pack 3 (KB3114745) 32-Bit Edition
Security Update for Microsoft Office Compatibility Pack Service Pack 3 (KB3114900) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB3114741) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB3114426) 32-Bit Edition
Security Update for Microsoft Office Outlook 2007 (KB2880510) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB3114429) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2880506) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB3114901) 32-Bit Edition
SHIELD Streaming
SHIELD Wireless Controller Driver
SketchUp 2014
SketchUp 2015
Skype Click to Call
Skype™ 7.18
SpeedFan (remove only)
Spotify
Spybot - Search & Destroy
Steam
Tongass Fjords FSX
Ultimate Alaska X V1.0
Ultimate Terrain X - Canada
Ultimate Terrain X - USA
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596787) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2965286) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB3114894) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
.
==== Event Viewer Messages From Past Week ========
.
3/24/2016 9:20:50 AM, Error: Service Control Manager [7023] - The HP Network Devices Support service terminated with the following error: The specified module could not be found.
3/24/2016 9:18:54 AM, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Internal Timer Error Processor ID: 6 The details view of this entry contains further information.
3/24/2016 9:18:54 AM, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Internal Timer Error Processor ID: 4 The details view of this entry contains further information.
3/24/2016 9:18:54 AM, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Internal Timer Error Processor ID: 2 The details view of this entry contains further information.
3/24/2016 9:18:54 AM, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Internal Timer Error Processor ID: 0 The details view of this entry contains further information.
3/24/2016 9:18:49 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: netfilter64
3/24/2016 9:18:49 AM, Error: Service Control Manager [7024] - The CouponArificService64 service terminated with service-specific error %%-1.
3/24/2016 9:18:49 AM, Error: Service Control Manager [7022] - The CouponArificService64 service hung on starting.
3/24/2016 9:18:49 AM, Error: Service Control Manager [7000] - The netfilter64 service failed to start due to the following error: The system cannot find the file specified.
3/24/2016 4:14:45 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
3/23/2016 9:11:39 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
3/23/2016 9:11:39 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
3/22/2016 9:39:19 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
3/22/2016 9:31:42 PM, Error: Schannel [36887] - The following fatal alert was received: 40.
3/20/2016 10:31:51 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Support Solutions Framework Service service to connect.
3/20/2016 10:31:51 AM, Error: Service Control Manager [7000] - The HP Support Solutions Framework Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================


No, I would have no idea how to set the proxy server. . .

Thanks as always!!!
Donn
surlybonds is offline  
Sponsored Links
Advertisement
 
Old 03-27-2016, 02:46 PM   #4
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello surlybonds,

Thanks for the log. Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
__________________
tekir06 is offline  
Old 03-27-2016, 07:31 PM   #5
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


# AdwCleaner v5.106 - Logfile created 27/03/2016 at 21:22:11
# Updated 27/03/2016 by Xplode
# Database : 2016-03-27.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Don - DON-PC
# Running from : C:\Users\Don\Desktop\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****

[-] Service Deleted : CouponArificService64
[-] Service Deleted : netfilter64

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\CouponArific
[-] Folder Deleted : C:\ProgramData\c75ed112
[-] Folder Deleted : C:\ProgramData\e0953347-14b7-1
[-] Folder Deleted : C:\ProgramData\e0953347-4437-0
[-] Folder Deleted : C:\ProgramData\f46db541-01b5-0
[-] Folder Deleted : C:\ProgramData\f46db541-0b11-0
[-] Folder Deleted : C:\ProgramData\f46db541-0c01-0
[-] Folder Deleted : C:\ProgramData\f46db541-22f7-1
[-] Folder Deleted : C:\ProgramData\f46db541-2c31-1
[-] Folder Deleted : C:\ProgramData\f46db541-3731-1
[-] Folder Deleted : C:\ProgramData\f46db541-3b21-1
[-] Folder Deleted : C:\ProgramData\f46db541-4a41-0
[-] Folder Deleted : C:\ProgramData\f46db541-52b3-0
[-] Folder Deleted : C:\ProgramData\f46db541-5897-1
[-] Folder Deleted : C:\ProgramData\f46db541-5945-0
[-] Folder Deleted : C:\ProgramData\f46db541-7a37-0
[-] Folder Deleted : C:\ProgramData\f46db541-7fb1-0
[-] Folder Deleted : C:\ProgramData\{02fc2dd9-712c-0}
[-] Folder Deleted : C:\ProgramData\{02fc2dd9-712c-1}
[-] Folder Deleted : C:\ProgramData\{132aeda2-212c-0}
[-] Folder Deleted : C:\Users\Don\AppData\Local\slimware utilities inc
[-] Folder Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp
[-] Folder Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceopoaldcnmhechacafgagdkklcogkgd

***** [ Files ] *****

[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ceopoaldcnmhechacafgagdkklcogkgd_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_d19tqk5t6qcjac.cloudfront.net_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_hdapp1008-a.akamaihd.net_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_hdapp1008-a.akamaihd.net_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_nps.pastaleads.com_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_nps.pastaleads.com_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.eshopcomp.com_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.eshopcomp.com_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_nps.pastaleads.com_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_nps.pastaleads.com_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.eshopcomp.com_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.eshopcomp.com_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markable00.re-markable.net_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markable00.re-markable.net_0.localstorage-journal
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_utop.it_0.localstorage
[-] File Deleted : C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_utop.it_0.localstorage-journal

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c75ed112}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
[-] Key Deleted : HKCU\Software\Headlight
[-] Key Deleted : HKCU\Software\UpdateFiles
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38509127-DAE6-40CE-92B8-820504E76058}
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3FBDFE79-548B-41A6-BF6D-22373F0EA2FE} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{806CCD13-C306-487A-8881-7DF2FBFA4237} [NameServer]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\eshopcomp.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\nps.pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\pricepeep.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\pstatic.bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\pstatic.eshopcomp.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\re-markable.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\re-markit.co
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\static.pricepeep00.pricepeep.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\static.re-markable00.re-markable.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\static.re-markit00.re-markit.co
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\utop.it

***** [ Web browsers ] *****

[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : mysearch.avg.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : toolbar.inbox.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : websearch.ask.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : trovi.search
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : mysearchdial.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.conduit.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : istart123
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : palikan.com
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ceopoaldcnmhechacafgagdkklcogkgd
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : cmclajginlihohopoeofghddnhpplhom
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : flpcjncodpafbgdpnkljologafpionhb
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ljibkigjccbegnbeojkoafejpoiachej
[-] [C:\Users\Don\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : pdabfienifkbhoihedcgeogidfmibmhp

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [10628 bytes] - [27/03/2016 21:22:11]
C:\AdwCleaner\AdwCleaner[S1].txt - [10510 bytes] - [27/03/2016 21:20:12]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [10776 bytes] ##########
Attached Files
File Type: txt FRST.txt (75.7 KB, 18 views)
File Type: txt Addition.txt (110.2 KB, 19 views)
surlybonds is offline  
Old 03-28-2016, 10:53 PM   #6
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello surlybonds,

Thanks for the logs.

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

==========================================================

Please do the below steps.

STEP 1

Please go to: VirusTotal

Click the Choose File button.
Please copy/paste the following bolded text into the 'File name:' box:

C-Temp14\OrbxFTXNAPAJN100\OrbxFTXNAPAJN100.exe


Click Open then click the Scan it! button just below.
This will scan the file. Please be patient.
If you get a message saying File already analyzed: click Reanalyse
Once scanned, copy and paste the URL from your browser address bar in your next reply.

Please do the above instructions for the following file

C-Temp15\Prodact.exe

STEP 2

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
HKLM-x32\...\Run: [] => [X]
ProxyServer: [S-1-5-21-3555595148-3114840531-2816408531-1000] => localhost:21320
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
Folder:C-Temp16
Folder:C-Temp17
Folder:C-Temp3
Folder:C-Temp6
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
Old 03-29-2016, 07:49 PM   #7
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


Thanks Tolga for your continued assistance.

First, the C-Temp14\OrbxFTXNAPAJN100\OrbxFTXNAPAJN100.exe file exceeded the 128 Mb limit of the program. This file, i recognize however as it was recently downloaded and ran to install scenery for my flight simulator program.

The other file howver: C-Temp15\Prodact.exe I do not recognize and it shouldn't be in that folder as it is not a recognized flight sim file, but it could have been downloaded attached to the other legitimate files. here is the URL from the browser following running virustotal.com for this file - it ran 13 out of 55:

https://virustotal.com/en/file/798a9...is/1459305309/

Attached is the log from fixlog.txt:

Thanks again!!!
Surlybonds
Attached Files
File Type: txt Fixlog.txt (1.8 KB, 11 views)
surlybonds is offline  
Old 03-30-2016, 12:01 AM   #8
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again,

Thanks for the log and information. Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


Code:
CreateRestorePoint:
FirewallRules: [{23933D3B-CB0F-4C32-976B-34A7A00209BA}] => (Allow) C:\C-Temp15\Prodact.exe
FirewallRules: [{F0A066A6-28A9-454E-9CF9-A0828AFC129C}] => (Allow) C:\C-Temp15\Prodact.exe
Folder: C-Temp16
Folder: C-Temp17
Folder: C-Temp3
Folder: C-Temp6
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
Old 03-30-2016, 01:17 AM   #9
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Don (2016-03-30 04:07:15) Run:2
Running from C:\Users\Don\Desktop
Loaded Profiles: Don (Available Profiles: Don)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
FirewallRules: [{23933D3B-CB0F-4C32-976B-34A7A00209BA}] => (Allow) C:\C-Temp15\Prodact.exe
FirewallRules: [{F0A066A6-28A9-454E-9CF9-A0828AFC129C}] => (Allow) C:\C-Temp15\Prodact.exe
Folder: C-Temp16
Folder: C-Temp17
Folder: C-Temp3
Folder: C-Temp6
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{23933D3B-CB0F-4C32-976B-34A7A00209BA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F0A066A6-28A9-454E-9CF9-A0828AFC129C} => value removed successfully

========================= Folder: C-Temp16 ========================

not found.

====== End of Folder: ======


========================= Folder: C-Temp17 ========================

not found.

====== End of Folder: ======


========================= Folder: C-Temp3 ========================

not found.

====== End of Folder: ======


========================= Folder: C-Temp6 ========================

not found.

====== End of Folder: ======

EmptyTemp: => 20.2 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 04:07:52 ====
surlybonds is offline  
Old 03-31-2016, 12:02 AM   #10
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello

Please do the below steps and tell me How is the machine behaving ?

STEP 1

Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:

  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
At the end of the installation, a database update will be performed.
Click on Scan Now.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.


STEP 2

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.

=========================================================

Things I need to see in your next post:

1- MBAM log
2- ESET report
__________________
tekir06 is offline  
Old 04-02-2016, 05:43 AM   #11
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


Thanks for your hard work on this!!! It appears to be back to normal. I can use the internet again. I have always been so careful - never opening attachments. these must have come in through downloads unknown to me.

C:\AdwCleaner\FileQuarantine\C\ProgramData\c75ed112\81ae14f0.dll.vir a variant of Win32/Adware.Adposhel.B application cleaned by deleting
C:\Users\Don\Downloads\burnsetup.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application deleted
C:\Users\Don\Downloads\fl_setup (1).exe a variant of Win32/Adware.iBryte.BO application cleaned by deleting

Thanks Again!!!!!
Any other advice for me?
Attached Files
File Type: txt malwarebytes-4-1-16-Scan.txt (73.5 KB, 16 views)
surlybonds is offline  
Old 04-02-2016, 03:02 PM   #12
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello surlybonds,

You're Welcome!
Quote:
It appears to be back to normal. I can use the internet again.
I'm glad to hear that.

Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
Old 04-02-2016, 08:48 PM   #13
Registered Member
 
Join Date: Oct 2006
Location: Great Lakes
Posts: 31
OS: Win7 64Bit

My System


Thank you Tolga!! You did a great job - you are so good at working with people and very knowledgeable!! It was a pleasure working with you!! Thanks again!
surlybonds is offline  
Old 04-03-2016, 11:18 PM   #14
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello,

You're Welcome! Thank you for your patience and cooperation.
__________________
tekir06 is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
Windows Update acting weird!
I don't think this is a problem, more of a curiosity, hence posting here. If it turns out that it is a problem, I'll get someone to move it to the appropriate forum. Got a notification earlier that new updates are available. As you will see from the pics, "4 important updates available" but only...
Deejay100six Offline 13 04-09-2014 08:19 AM
BSOD help Windows 7 64 bit
Over the last months I have had different BSOD's. I have little time have not been really been able to post information, but today I have some time finally (plus getting tired of it). Could you help me out identifying what the driver, hardware, problem is? Thanks so much in advance! ...
HardTrance9 BSOD, App Crashes And Hangs 24 02-18-2014 06:01 PM
[SOLVED] help!!!! guy gone crazy with bluscreans!!!:@:@
i have an intel dh55hc motherboard in my pc i built my pc during summertime and at that time i got the patriot ram ... the whole stock had problems .. (they work with onestick bt the pc wont boot with 2 sticks) so i had a stick of 2gigs of that ram .. then i upgraded it with a kingston ram ..and...
avok95 Motherboards, Bios & CPU 21 11-17-2013 06:14 AM
Power Supply Information and Selection
:smile: CHOOSING AND UNDERSTANDING A POWER SUPPLY UNIT The power supply unit in today’s modern computer assumes a role probably more critical than any other single component in your system even when compared to the CPU and motherboard. Therefore, there are multiple factors that must...
Tumbleweed36 RAM and Power Supply Support 0 07-09-2006 03:41 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 11:02 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts