
Infected Laptop

This is a discussion on Infected Laptop within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 05-22-2015, 01:55 PM   #1
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



My laptop has been taken over by a virus/trojan/malware. I visited a site that I thought would download a program to update my Android version on my smartphone. I thought I removed the file, but my wife went online to a site to order some products and answered a survey she thought the site was conducting. It was not. I now have programs installed including Optimizer Pro v3.2, 3D Bubble Sound, Crossbrowse, GamesDesktop. I tried uninstalling, unsuccessfully, went into safe mode and attempted to find all the files downloaded that day and delete them. That was a mistake. I have run the SPTD program and the DDS. Here are the results of the DDS:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17801
Run by Steve at 15:30:37 on 2015-05-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3561.644 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Steve\AppData\Roaming\0F46E5CF-1432050311-E111-9065-DC0EA1F74031\nse7855.tmp
C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\FlashBeat\FlashBeat.exe
C:\Program Files (x86)\CinemaPlus-3.2cV20.05\690e598e-741d-48b3-a1a3-97770dcbf56d-6.exe
C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Windows\system32\CxAudMsg64.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Users\Steve\AppData\Roaming\0F46E5CF-1432153016-E111-9065-DC0EA1F74031\jnsvD0B8.tmp
C:\Users\Steve\AppData\Local\0F46E5CF-1432138831-E111-9065-DC0EA1F74031\cnswA9CC.tmp
C:\Users\Steve\AppData\Roaming\0F46E5CF-1432050311-E111-9065-DC0EA1F74031\hnsk96BB.tmp
C:\Program Files (x86)\Infonaut_1.10.0.14\Service\insvc.exe
C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
C:\Program Files (x86)\Optimizer Pro 3.92\OptProSmartScan.exe
C:\Program Files (x86)\CinemaPlus-3.2cV20.05\690e598e-741d-48b3-a1a3-97770dcbf56d-1-6.exe
C:\Program Files (x86)\Optimizer Pro 3.92\OptProReminder.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\SysWOW64\svchost.exe -k ORBTR
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\FlashBeat\FlashBeat.exe
C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
C:\Users\Steve\AppData\Roaming\0F46E5CF-1432050311-E111-9065-DC0EA1F74031\jnsp79E6.tmp
C:\Program Files (x86)\Coupoon\UpdateCheck.exe
C:\Users\Steve\AppData\Local\0F46E5CF-1432138849-E111-9065-DC0EA1F74031\snswE5D0.tmp
C:\ProgramData\tuQOQplJ\aXXPBKHeXXG.exe
C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe
C:\Program Files\WebBar\2.0.5574.22315\wb.exe
C:\Users\Steve\AppData\Local\Temp\isdk86ATFa7p\ISightHost.exe
C:\PROGRA~2\SEARCH~1\SearchProtect\bin\cltmng.exe
C:\PROGRA~2\SEARCH~1\UI\bin\cltmngui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Steve\AppData\Local\gmsd_us_592\upgmsd_us_592.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\BubbleSound\3D BubbleSound.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Coupoon\UpdateCheck.exe
C:\Users\Steve\AppData\Local\Akamai\netsession_win.exe
C:\Users\Steve\AppData\Local\Akamai\netsession_win.exe
C:\Users\Steve\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Steve\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
C:\Users\Public\Documents\windows.exe
C:\ProgramData\DesktopSearch\DesktopSearch.exe
C:\Users\Steve\AppData\Local\0F46E5CF-1432138831-E111-9065-DC0EA1F74031\ansrA826.exe
C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\LockKey\LockKey.exe
C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe
C:\Program Files (x86)\USB Camera\VM331_STI.EXE
C:\Users\Steve\AppData\Local\SmartWeb\SmartWebHelper.exe
C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
C:\Program Files (x86)\CodePlex\XPS2OneNote\XPS2OneNote.exe
C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Imgtask.exe
C:\Users\Steve\AppData\Local\SmartWeb\SmartWebApp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Steve\AppData\Local\Temp\nsl97CE.tmp
C:\Program Files (x86)\gmsd_us_592\gmsd_us_592.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
C:\Users\Public\DOCUME~1\windows.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
C:\Users\Steve\AppData\Local\Temp\nss16EF.tmp
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\ProgramData\Uenoiageirh\1.0.1.0\jroknaur.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\ProgramData\Uenoiageirh\1.0.1.0\jroknaur.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Windows\System32\WUDFHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\HP Officejet 6500 E710n-z\Bin\HPCustPartic.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Windows\SysWOW64\config\systemprofile\sndvol.exe
C:\Program Files (x86)\CinemaPlus-3.2cV20.05\690e598e-741d-48b3-a1a3-97770dcbf56d-10.exe
C:\Program Files (x86)\Coupoon\UpdateCheck.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.trovi.com/?gd=&ctid=CT3333887&octid=EB_ORIGINAL_CTID&ISID=M8D677D7F-0F1E-4582-BA3A-B2E17958F415&SearchSource=55&CUI=&UM=8&UP=SP672F9005-8D2A-486C-956B-4B2A10C086BC&D=052015&SSPV=
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe
BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
EB: MasterCook Bar: {C92041C1-6D22-4069-BA0E-66246AA752B0} -
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Akamai NetSession Interface] "C:\Users\Steve\AppData\Local\Akamai\netsession_win.exe"
uRun: [Amazon Cloud Player] "C:\Users\Steve\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe"
uRun: [Google Update] "C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [SansaDispatch] C:\Users\Steve\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRun: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
uRun: [Application] C:\Users\Public\Documents\windows.exe
uRun: [Hawker] C:\Program Files (x86)\Hawker\VersionControl.exe
uRun: [PCPrivacyDock] "C:\Program Files (x86)\PC Privacy Dock\PCPrivacyDock.exe" /minimized
uRun: [YTDownloader] "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot
uRun: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro 3.92\OptProLauncher.exe
uRun: [GoogleChromeAutoLaunch_2F8DF7AC038289A0FA4543C428E17AA7] "C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe" --no-startup-window
uRun: [DesktopSearch] C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LockKey] C:\Program Files (x86)\LockKey\LockKey.exe
mRun: [Dolby Advanced Audio v2] "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart
mRun: [331BigDog] C:\Program Files (x86)\USB Camera\VM331_STI.EXE
mRun: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe"
mRun: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [BingDesktop] C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktop.exe /fromkey
mRun: [Conime] C:\Windows\System32\conime.exe
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [EKStatusMonitor] C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe
mRun: [ImgTask] C:\Windows\Imgtask.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ospd_us_1071] <no file>
mRunOnce: [upgmsd_us_592.exe] C:\Users\Steve\AppData\Local\gmsd_us_592\upgmsd_us_592.exe -runonce
dRunOnce: [KodakHomeCenter] "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CROSSB~1.LNK - C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SmartWeb.lnk - C:\Users\Steve\AppData\Local\SmartWeb\SmartWebHelper.exe
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\XPS2ON~1.LNK - C:\Users\Steve\AppData\Roaming\Microsoft\Installer\{6DD7A9DA-6732-47D2-8362-6A12BD0EA053}\_FBB2488C0F33C1DFE6AC1F.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEA~1.LNK - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEA~2.LNK - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: MasterCook: Select Image - C:\Users\Steve\AppData\LocalLow\MasterCook Web Import\MCIEContext.hta
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
TCP: NameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{49C7584E-790B-441B-A822-1BB1770659C6} : DHCPNameServer = 172.27.35.1
TCP: Interfaces\{971A657D-3718-4386-B7E0-FC63B0F831F0} : DHCPNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{971A657D-3718-4386-B7E0-FC63B0F831F0}\1425259435D264231313 : DHCPNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{971A657D-3718-4386-B7E0-FC63B0F831F0}\348627F6D6563616374773437333 : DHCPNameServer = 192.168.255.249
TCP: Interfaces\{971A657D-3718-4386-B7E0-FC63B0F831F0}\3736F6275626F6162746 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{971A657D-3718-4386-B7E0-FC63B0F831F0}\84F4D454D244533423 : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{971A657D-3718-4386-B7E0-FC63B0F831F0}\C45736B6973456461627 : DHCPNameServer = 64.233.217.2 64.233.217.3 192.168.1.1
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll C:\ProgramData\FlashBeat\FlashBeat32.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.152\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: {A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C} - <orphaned>
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
x64-Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe
x64-Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [3D BubbleSound] "C:\Program Files\BubbleSound\3D BubbleSound.exe"
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\embjxs80.default\
FF - prefs.js: browser.search.selectedEngine - Trovi
FF - prefs.js: browser.startup.homepage - hxxp://www.trovi.com/?gd=&ctid=CT3333887&octid=EB_ORIGINAL_CTID&ISID=M8D677D7F-0F1E-4582-BA3A-B2E17958F415&SearchSource=55&CUI=&UM=8&UP=SP672F9005-8D2A-486C-956B-4B2A10C086BC&D=052015&SSPV=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Steve\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2015-05-22 18:59:11 -------- d-----w- C:\ProgramData\Uenoiageirh
2015-05-20 20:43:38 -------- d-----w- C:\Users\Steve\AppData\Local\WebBar
2015-05-20 20:43:02 -------- d-----w- C:\Program Files\BubbleSound
2015-05-20 20:42:59 -------- d-----w- C:\ProgramData\tuQOQplJ
2015-05-20 20:42:49 -------- d-----w- C:\ProgramData\DesktopSearch
2015-05-20 20:42:45 -------- d-----w- C:\ProgramData\InstallSightSDK
2015-05-20 20:42:40 -------- d-----w- C:\Program Files\WebBar
2015-05-20 20:33:11 -------- d-----w- C:\Users\Steve\AppData\Local\gmsd_us_592
2015-05-20 20:33:11 -------- d-----w- C:\Program Files (x86)\gmsd_us_592
2015-05-20 20:31:37 -------- d-----w- C:\Program Files (x86)\bb11f101-c797-45eb-a909-19cc926b3749
2015-05-20 20:31:18 -------- d-----w- C:\Users\Steve\AppData\Local\globalUpdate
2015-05-20 20:31:18 -------- d-----w- C:\Program Files (x86)\globalUpdate
2015-05-20 20:31:03 -------- d-----w- C:\Program Files (x86)\CinemaPlus-3.2cV20.05
2015-05-20 20:30:37 -------- d-----w- C:\Users\Steve\AppData\Local\Crossbrowse
2015-05-20 20:30:03 -------- d-----w- C:\Program Files (x86)\Crossbrowse
2015-05-20 20:30:01 -------- d-----w- C:\Program Files (x86)\Coupoon
2015-05-20 20:21:47 -------- d-----w- C:\Users\Steve\AppData\Roaming\Optimizer Pro
2015-05-20 20:20:49 -------- d-----w- C:\Users\Steve\AppData\Local\0F46E5CF-1432138849-E111-9065-DC0EA1F74031
2015-05-20 20:20:31 -------- d-----w- C:\Users\Steve\AppData\Local\0F46E5CF-1432138831-E111-9065-DC0EA1F74031
2015-05-20 20:18:14 -------- d-----w- C:\Users\Steve\AppData\Local\0F46E5CF-1432138694-E111-9065-DC0EA1F74031
2015-05-20 20:16:56 -------- d-----w- C:\Users\Steve\AppData\Roaming\Eppink
2015-05-20 20:16:56 -------- d-----w- C:\Users\Steve\AppData\Roaming\0F46E5CF-1432153016-E111-9065-DC0EA1F74031
2015-05-20 20:16:08 -------- d-----w- C:\Program Files (x86)\Infonaut_1.10.0.14
2015-05-20 20:16:04 -------- d-----w- C:\Program Files (x86)\Optimizer Pro 3.92
2015-05-20 20:15:42 -------- d-----w- C:\Program Files (x86)\predm
2015-05-20 18:34:31 -------- d-----w- C:\Users\Steve\AppData\Local\avabvbxvh
2015-05-20 18:34:18 -------- d-----w- C:\Users\Steve\AppData\Local\SearchProtect
2015-05-20 18:34:15 -------- d-----w- C:\Program Files (x86)\SearchProtect
2015-05-20 18:34:15 -------- d-----w- C:\Program Files (x86)\ORBTR
2015-05-20 18:33:45 -------- d-----w- C:\Users\Steve\AppData\Local\SmartWeb
2015-05-20 18:32:44 -------- d-----w- C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c
2015-05-20 18:32:43 -------- d-----w- C:\ProgramData\28341ff220e0446c9fff27c4493d622e
2015-05-20 18:32:42 -------- d-----w- C:\ProgramData\FlashBeat
2015-05-20 12:33:06 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{10485071-8181-491B-A160-25D8AB0182EB}\offreg.892.dll
2015-05-20 12:28:03 12214312 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{10485071-8181-491B-A160-25D8AB0182EB}\mpengine.dll
2015-05-19 21:03:25 -------- d-----w- C:\ProgramData\5bbda6cc00007ad8
2015-05-19 16:43:07 -------- d-----w- C:\Users\Steve\AppData\Roaming\0F46E5CF-1432053786-E111-9065-DC0EA1F74031
2015-05-19 16:40:55 -------- d-----w- C:\ProgramData\{ec5c2cf3-9e5a-d974-ec5c-c2cf39e5b3ce}
2015-05-19 15:56:40 -------- d-----w- C:\ProgramData\lomlpfccfcfcaiijdbgkpnmcgnjblmln
2015-05-19 15:55:25 -------- d-----w- C:\ProgramData\PastaLeadsAgent
2015-05-19 15:55:03 -------- d-----w- C:\Program Files\Common Files\PastaLeads
2015-05-19 15:54:45 48776 ----a-w- C:\Windows\System32\drivers\{8560d1c7-38e6-4170-bb12-fa9b26d9a20a}Gw64.sys
2015-05-19 15:47:57 -------- d-----w- C:\Program Files\Coupoon
2015-05-19 15:47:38 -------- d-----w- C:\ProgramData\abc
2015-05-19 15:46:30 -------- d-----w- C:\Users\Steve\AppData\Roaming\0F46E5CF-1432050390-E111-9065-DC0EA1F74031
2015-05-19 15:45:11 -------- d-----w- C:\Users\Steve\AppData\Roaming\0F46E5CF-1432050311-E111-9065-DC0EA1F74031
2015-05-19 15:42:13 -------- d-----w- C:\ProgramData\10616819731799978296
2015-05-19 15:41:44 -------- d-----w- C:\ProgramData\enfblhegihiljmkhokfjlagbpeidgban
2015-05-19 00:48:39 12214312 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-05-16 23:22:34 1187344 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BC7497D6-2D25-4622-A683-2E3AB224779E}\gapaengine.dll
2015-05-14 14:47:39 124112 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2015-05-14 14:47:39 102608 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 12:17:10 460800 ----a-w- C:\Windows\System32\certcli.dll
2015-05-13 12:17:10 342016 ----a-w- C:\Windows\SysWow64\certcli.dll
2015-05-13 12:17:10 342016 ----a-w- C:\Windows\System32\schannel.dll
2015-05-13 12:17:10 248832 ----a-w- C:\Windows\SysWow64\schannel.dll
2015-05-13 12:15:59 50176 ----a-w- C:\Windows\System32\srclient.dll
2015-05-13 12:14:59 938496 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2015-04-30 14:12:56 -------- d-----w- C:\Users\Steve\AppData\Local\Apps
2015-04-23 18:13:04 -------- d-----w- C:\Users\Steve\AppData\Local\Plex Media Server
2015-04-23 18:10:34 -------- d-----w- C:\Program Files (x86)\Plex
2015-04-23 18:10:10 -------- d-----w- C:\ProgramData\Package Cache
.
==================== Find3M ====================
.
2015-05-13 13:03:48 263952 ----a-w- C:\Windows\apppatch\AppPatch64\VCLdr64.dll
2015-05-13 13:03:48 223504 ----a-w- C:\Windows\apppatch\nbin\VC32Loader.dll
2015-04-27 19:28:36 5569984 ----a-w- C:\Windows\System32\ntoskrnl.exe
2015-04-27 19:28:35 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2015-04-27 19:28:35 155584 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2015-04-27 19:26:21 1728960 ----a-w- C:\Windows\System32\ntdll.dll
2015-04-27 19:22:57 47104 ----a-w- C:\Windows\System32\typeperf.exe
2015-04-27 19:22:57 404992 ----a-w- C:\Windows\System32\tracerpt.exe
2015-04-27 19:22:53 112640 ----a-w- C:\Windows\System32\smss.exe
2015-04-27 19:22:47 296960 ----a-w- C:\Windows\System32\rstrui.exe
2015-04-27 19:22:46 43008 ----a-w- C:\Windows\System32\relog.exe
2015-04-27 19:22:35 31232 ----a-w- C:\Windows\System32\lsass.exe
2015-04-27 19:22:34 104448 ----a-w- C:\Windows\System32\logman.exe
2015-04-27 19:22:26 19456 ----a-w- C:\Windows\System32\diskperf.exe
2015-04-27 19:22:08 338432 ----a-w- C:\Windows\System32\conhost.exe
2015-04-27 19:21:37 64000 ----a-w- C:\Windows\System32\auditpol.exe
2015-04-27 19:18:37 60416 ----a-w- C:\Windows\System32\msobjs.dll
2015-04-27 19:18:25 146432 ----a-w- C:\Windows\System32\msaudite.dll
2015-04-27 19:11:55 3934144 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2015-04-27 19:11:54 3989440 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2015-04-27 19:08:02 1310744 ----a-w- C:\Windows\SysWow64\ntdll.dll
2015-04-27 19:05:40 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2015-04-27 19:05:35 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2015-04-27 19:05:34 635392 ----a-w- C:\Windows\SysWow64\tdh.dll
2015-04-27 19:05:32 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2015-04-27 19:05:29 92160 ----a-w- C:\Windows\SysWow64\sechost.dll
2015-04-27 19:05:29 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2015-04-27 19:05:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2015-04-27 19:05:17 221184 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2015-04-27 19:05:11 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2015-04-27 19:04:45 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2015-04-27 19:04:37 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2015-04-27 19:04:33 641536 ----a-w- C:\Windows\SysWow64\advapi32.dll
2015-04-27 19:04:33 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2015-04-27 19:04:24 40448 ----a-w- C:\Windows\SysWow64\typeperf.exe
2015-04-27 19:04:24 364544 ----a-w- C:\Windows\SysWow64\tracerpt.exe
2015-04-27 19:04:19 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2015-04-27 19:04:12 37888 ----a-w- C:\Windows\SysWow64\relog.exe
2015-04-27 19:04:04 82944 ----a-w- C:\Windows\SysWow64\logman.exe
2015-04-27 19:03:58 17408 ----a-w- C:\Windows\SysWow64\diskperf.exe
2015-04-27 19:03:52 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2015-04-27 19:03:36 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2015-04-27 19:03:36 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2015-04-27 19:03:36 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2015-04-27 19:01:33 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2015-04-27 19:01:22 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2015-04-27 1848 36864 ----a-w- C:\Windows\System32\UtcResources.dll
2015-04-27 17:57:32 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2015-04-27 17:57:31 2048 ----a-w- C:\Windows\SysWow64\user.exe
2015-04-27 17:55:03 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2015-04-27 17:55:03 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2015-04-27 17:55:03 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2015-04-27 17:55:03 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2015-04-21 17:08:08 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2015-04-21 17:07:54 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2015-04-21 16:51:08 66560 ----a-w- C:\Windows\System32\iesetup.dll
2015-04-21 16:50:14 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2015-04-21 16:50:12 584192 ----a-w- C:\Windows\System32\vbscript.dll
2015-04-21 16:50:03 417792 ----a-w- C:\Windows\System32\html.iec
2015-04-21 16:48:40 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2015-04-21 16:35:51 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2015-04-21 16:35:40 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2015-04-21 16:34:59 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2015-04-21 16:31:56 6025728 ----a-w- C:\Windows\System32\jscript9.dll
2015-04-21 16:26:35 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2015-04-21 16:25:34 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2015-04-21 16:14:33 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-04-21 16:11:10 504320 ----a-w- C:\Windows\SysWow64\vbscript.dll
2015-04-21 16:11:07 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2015-04-21 16:10:12 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2015-04-21 16:09:57 341504 ----a-w- C:\Windows\SysWow64\html.iec
2015-04-21 16:08:41 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2015-04-21 15:58:45 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2015-04-21 15:57:57 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2015-04-21 15:47:04 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2015-04-21 15:46:50 2125824 ----a-w- C:\Windows\System32\inetcpl.cpl
2015-04-21 15:43:28 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-04-21 15:31:13 4305920 ----a-w- C:\Windows\SysWow64\jscript9.dll
2015-04-21 15:27:25 2352128 ----a-w- C:\Windows\System32\wininet.dll
2015-04-21 15:25:45 2052608 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2015-04-21 15:24:48 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2015-04-21 15:02:00 1882112 ----a-w- C:\Windows\SysWow64\wininet.dll
2015-04-20 14:05:14 1579520 ----a-w- C:\Users\Steve\AppData\Roaming\nRkQ8UNb33HxuvD1DgPJx87.exe
2015-04-20 14:05:14 1579520 ----a-w- C:\Users\Steve\AppData\Roaming\J6Wlqn9ihspk.exe
2015-04-20 14:05:14 1579520 ----a-w- C:\Users\Steve\AppData\Roaming\DrbKIP6kuAPd5La.exe
2015-04-20 14:05:14 1246720 ----a-w- C:\Users\Steve\AppData\Roaming\XzKyStnyGh5tV39R.exe
2015-04-20 14:05:14 1246720 ----a-w- C:\Users\Steve\AppData\Roaming\jR0cjxFWA5jQOFJkL.exe
2015-04-20 03:17:07 1647104 ----a-w- C:\Windows\System32\DWrite.dll
2015-04-20 03:17:07 1179136 ----a-w- C:\Windows\System32\FntCache.dll
2015-04-20 02:56:29 1250816 ----a-w- C:\Windows\SysWow64\DWrite.dll
2015-04-20 02:11:23 3204608 ----a-w- C:\Windows\System32\win32k.sys
2015-04-15 04:16:36 778416 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2015-04-15 04:16:36 142512 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-04-13 03:28:33 328704 ----a-w- C:\Windows\System32\services.exe
2015-04-10 19:56:56 58224 ----a-w- C:\Windows\System32\drivers\innfd_1_10_0_14.sys
2015-04-08 03:29:07 275456 ----a-w- C:\Windows\System32\InkEd.dll
2015-04-08 03:29:07 24576 ----a-w- C:\Windows\System32\jnwmon.dll
2015-04-08 03:14:07 216064 ----a-w- C:\Windows\SysWow64\InkEd.dll
2015-04-02 22:22:32 46376 ----a-w- C:\Windows\System32\drivers\netfilter64.sys
2015-03-25 03:24:41 98304 ----a-w- C:\Windows\System32\wudriver.dll
.
============= FINISH: 15:59:50.54 ===============
I ran Microsoft security essentials immediately after it happened and it isolated two trojans:
Trojandownloader:Win32/Rottentu.A (twice)
Trojan:Win32/gheugent.A/plock
Restarting the laptop I get a small window that says "landed fsdfggsdgf.com".
When trying to use my browser it has a loaded site on it: trovi.com/?gd=CT3333887&octid=EB_ORIGINAL_CTID&ISID=M8D677DF-0F1E-4582-BA3A- Internet Explorer (Not Responding)
Attached Files
File Type: txt attach.txt (9.4 KB, 33 views)
EPMailman is offline  
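The five executables in C:\Users\Steve\AppData\Roaming in the DDS listing above share one timestamp and fall into just two sizes, which is the pattern of a single dropper writing several copies of itself under random names. The script below is an added example, not part of the original post and not code from the DDS tool: it parses DDS-style listing lines, skips any line whose fields are garbled (as the UtcResources.dll line above is), and flags executables in user-writable directories that share timestamp and size or carry machine-generated-looking names. The sample input is copied from the listing above; the "random name" test and the set of user-writable path markers are heuristics of this example, not DDS rules.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: lines copied from the DDS "Created/Modified" listing in the post above.
# The UtcResources.dll line has a garbled time field exactly as it appears there; the parser skips it.
SAMPLE_DDS = r"""
2015-04-27 19:05:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2015-04-27 1848 36864 ----a-w- C:\Windows\System32\UtcResources.dll
2015-04-20 14:05:14 1579520 ----a-w- C:\Users\Steve\AppData\Roaming\nRkQ8UNb33HxuvD1DgPJx87.exe
2015-04-20 14:05:14 1579520 ----a-w- C:\Users\Steve\AppData\Roaming\J6Wlqn9ihspk.exe
2015-04-20 14:05:14 1579520 ----a-w- C:\Users\Steve\AppData\Roaming\DrbKIP6kuAPd5La.exe
2015-04-20 14:05:14 1246720 ----a-w- C:\Users\Steve\AppData\Roaming\XzKyStnyGh5tV39R.exe
2015-04-20 14:05:14 1246720 ----a-w- C:\Users\Steve\AppData\Roaming\jR0cjxFWA5jQOFJkL.exe
2015-04-20 03:17:07 1647104 ----a-w- C:\Windows\System32\DWrite.dll
2015-04-10 19:56:56 58224 ----a-w- C:\Windows\System32\drivers\innfd_1_10_0_14.sys
2015-04-02 22:22:32 46376 ----a-w- C:\Windows\System32\drivers\netfilter64.sys
"""

# One DDS listing line: "<date> <time> <size> <attributes> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Heuristic (this example's own list): directories an unprivileged user, and therefore
# anything running as that user, can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class DdsEntry:
    timestamp: datetime
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds(text: str) -> list:
    """Parse DDS listing lines; lines that do not fit the format (e.g. a mangled time) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(DdsEntry(datetime.fromisoformat(f"{date} {time}"), int(size), attrs, path))
    return entries


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def looks_random(filename: str) -> bool:
    """Heuristic: a long stem mixing upper case, lower case and digits, as in nRkQ8UNb33HxuvD1DgPJx87.exe.
    Names like innfd_1_10_0_14.sys or DWrite.dll do not hit all three character classes."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 10
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def suspicious_user_executables(entries: list) -> list:
    """Executables in user-writable locations whose names look machine-generated."""
    return [e for e in entries
            if e.path.lower().endswith(EXECUTABLE_EXT) and is_user_writable(e.path) and looks_random(e.name)]


def find_drop_clusters(entries: list) -> list:
    """Group user-writable executables by (timestamp, size). Two or more differently named files
    sharing both are almost always copies written by one dropper, not independent installs."""
    groups = defaultdict(list)
    for e in entries:
        if e.path.lower().endswith(EXECUTABLE_EXT) and is_user_writable(e.path):
            groups[(e.timestamp, e.size)].append(e)
    clusters = [g for g in groups.values() if len({e.name for e in g}) >= 2]
    return sorted(clusters, key=lambda g: (g[0].timestamp, -len(g)))


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    for cluster in find_drop_clusters(parsed):
        stamp, size = cluster[0].timestamp, cluster[0].size
        print(f"{stamp} size={size}: {len(cluster)} copies -> {[e.name for e in cluster]}")
    for e in suspicious_user_executables(parsed):
        print("random-looking name in user-writable dir:", e.path)
```

On the listing above this reports two clusters at 2015-04-20 14:05:14 (three files of 1579520 bytes, two of 1246720 bytes), which is the set the later ESET scan confirms as JS/Toolbar.Crossrider and related adware. Run it against a full DDS log rather than the excerpt; the skip-on-mismatch behaviour matters there, since one mangled line should not abort the whole parse.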
Old 05-22-2015, 02:24 PM   #2
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello EPMailman,

My name is Tolga and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

=======================================================

Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup-2.1.6.1022.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
At the end of the installation, a database update will be performed.
Click on Scan Now.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

=====================================================

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.
tekir06 is offline  
Old 05-22-2015, 10:25 PM   #3
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



I ran the Malwarebytes Anti-Malware program and am attaching the scan log. There are 3 RunDLL notices showing on my bar, along with a pop-up to register Optimizer Pro Performance Monitor. In the drop-down program menu it is showing two new programs: Optimizer Pro and Desktop Search. My Mozilla browser is not showing up and the Crossbrowse icon is still on my bar.
I am using my desktop computer to reply and am using a thumb drive between computers to deliver the programs to the infected computer and retrieve the text files you request. I am scanning the thumb drive using Norton's Security Suite prior to moving any files from the drive to the non-infected computer.
Attached Files
File Type: txt Lenovoscan.txt (66.3 KB, 69 views)
EPMailman is offline  
Old 05-23-2015, 03:07 AM   #4
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello EPMailman,

Thanks for the log. Let's move on.

Please do the following instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
tekir06 is offline  
Old 05-23-2015, 06:25 AM   #5
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



I have run FarbarRecovery. The two files are attached. Malwarebytes Anti-malware has a whole new batch of threats. Should I click "Remove Selected"?
Attached Files
File Type: txt attach.txt (9.4 KB, 27 views)
File Type: txt FRST.txt (75.7 KB, 36 views)
EPMailman is offline  
Old 05-23-2015, 02:10 PM   #6
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hi EPMailman,
Quote:
Should I click "Remove Selected"?
Yes please do. Once this is done, restart the computer. Then, attach the last scan report, as you did before.
tekir06 is offline  
Old 05-23-2015, 03:19 PM   #7
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



Here are the results of the latest scan.
Attached Files
File Type: txt Lenovoscan2.txt (66.3 KB, 65 views)
EPMailman is offline  
Old 05-23-2015, 03:34 PM   #8
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again,

Thanks for the log.

If you've not already, please restart the computer. Then, re-run FRST tool and please attach both logs generated.
tekir06 is offline  
Old 05-23-2015, 06:13 PM   #9
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



I have rerun FRST and here are the two logs.
Attached Files
File Type: txt Addition.txt (40.0 KB, 222 views)
File Type: txt FRST.txt (67.6 KB, 27 views)
EPMailman is offline  
Old 05-24-2015, 10:00 AM   #10
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



Malwarebytes ran its nightly scan. Here is the result of that scan. I rebooted and ran FRST again. Those two scans are also included.
Attached Files
File Type: txt Lenovoscan3.txt (1.2 KB, 30 views)
File Type: txt FRST.txt (67.2 KB, 69 views)
File Type: txt Addition.txt (40.2 KB, 26 views)
EPMailman is offline  
Old 05-24-2015, 01:34 PM   #11
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again EPMailman,

Thanks for the logs. Please do the following instructions. Then tell me how the machine is behaving now. What problems do you still have?

We need to uninstall some programs.

Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

The list of programs to uninstall:

BubbleSound
Idle Crawler
Optimizer Pro v3.2

========================================================

Download attached fixlist.txt file and save it to the Desktop.

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.

Double-click FRST.exe to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Attached Files
File Type: txt fixlist.txt (11.4 KB, 79 views)
tekir06 is offline  
Old 05-24-2015, 02:28 PM   #12
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



Salutations Tolga,
When I uninstalled the three programs the system said Idle Crawler had already been uninstalled and asked if its name should be removed from the list. I clicked yes. After rebooting the laptop, Mozilla Firefox, my preferred browser, is not listed in the programs. Going online with the Chrome browser I immediately started receiving blocked detections from Malwarebytes. There is still a new program on my desktop called Desktop Search. I am still getting a message box: RunDLL - There is a problem starting C:\Progra~1\COMMON~1\System\SysMenu.dll. The specific module could not be found. Using IE as my browser created no activity.
Thank you for all you have done so far in resolving this attack.
Fixlog is attached.
Attached Files
File Type: txt Fixlog.txt (26.5 KB, 32 views)
EPMailman is offline  
Old 05-25-2015, 12:03 AM   #13
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again EPMailman,

You're welcome. Please do the instructions below. Then tell me: do you still get the message box, and how is the machine behaving now?

Download attached fixlist.txt file and save it to the Desktop.

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.

Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Attached Files
File Type: txt fixlist.txt (738 Bytes, 29 views)
tekir06 is offline  
Old 05-25-2015, 07:31 AM   #14
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



Salutations Tolga,
Malwarebytes found some more items during its daily scan. That scanlog is attached. Ran the fixlist from FRST and that fixlog is attached.
Starting chrome elicited no new malware detection but a popup to add the Skype extension did.
Desktop search still appears on the desktop and is highlighted as a new program when the program list is dropped down.
The laptop otherwise is working without any popup windows.
After rebooting no additional windows popped up.
Attached Files
File Type: txt Fixlog.txt (1.0 KB, 26 views)
File Type: txt Lenovoscan4.txt (45.6 KB, 29 views)
EPMailman is offline  
Old 05-25-2015, 01:05 PM   #15
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again,

You appear to have a Developer's build of Chrome installed. Most typical users do not have this build installed.

Why this is not safe:

https://support.google.com/chrome/an...ons&rd=1&hl=en

Please follow the steps outlined below:

Launch Chrome:


Open the Settings Menu in Chrome (upper right hand corner of the browser)
Click the Advanced Sync Settings button
Change the drop down from Sync Everything to Choose what to sync
Uncheck Settings, then click OK

Next, click Start>Control Panel>Programs and features to uninstall Chrome.

When Chrome asks if you want to delete all data, you must place a check in the box.

Then re-install Chrome.

=======================================================

Please go HERE then click on: Run Eset Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on the icon to install.

All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

Select the option YES, I accept the Terms of Use then click on the Start button.
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
Tick all the boxes that correspond to your external/inserted drives.
Click Start. The virus signature database will begin to download. This may take some time.
Wait for the scan to finish.
When completed, click on Finish.
When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
Save that text file to your desktop, and then copy/paste the contents in your next reply.
tekir06 is offline  
Old 05-25-2015, 08:54 PM   #16
Registered Member
 
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem



Greetings Tolga,
Chrome was uninstalled and reinstalled.
ESET Online Scanner was run (twice) because I clicked finish before exporting the "Threats Found". I did not think I had to do that before clicking finish. Here are the results of that scan:
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$R0GKCQK.tmp a variant of Win32/InstallCore.PK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$R0IXS7K.dll a variant of Win64/NetFilter.A potentially unsafe application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$R1FVY3L.exe a variant of MSIL/RegProCleaner.A potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$R7AJZ14.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RAKEUX6.exe multiple threats
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RGMIYSX.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RIETZBE.tmp a variant of Win32/InstallCore.PK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RJL3VR4.tmp a variant of Win32/InstallCore.PK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$ROBQCCU.tmp a variant of Win32/InstallCore.PK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RZD8S7D.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RAHVUXC\onswFD1E.tmp Win32/Adware.ConvertAd.PD application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RAHVUXC\rnswFD1D.exe a variant of Win32/Adware.ConvertAd.PG application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RAHVUXC\snsgFD0C.tmp a variant of Win32/Adware.ConvertAd.PL application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RAHVUXC\Uninstall.exe Win32/Adware.ConvertAd.PY application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RAJGWL6\JSDriver\1.42.1.1860\jsdrv.exe a variant of Win32/ShopperPro.B potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RDK3WCA\RegBoosterPro.exe a variant of MSIL/RegProCleaner.A potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RE4FA3T\temp\Priceless.exe a variant of Win32/Adware.MultiPlug.EI application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Runner.exe a variant of Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\uninstall.exe Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\CmdProc.dll a variant of Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\CmlProc.dll a variant of Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\CmnUtls.dll Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\InSes.dll Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\ManXec.dll a variant of Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\NavSupp.dll Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\PrfIns.dll Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\WblSupp.dll Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RN9K2KM\Modules\WbSes.dll Win32/GigaClicks.AK potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Installgeforce_8624\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Installshopperpro_23204\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Install_11967\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Install_13329\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Install_21668\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Install_29675\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Install_8301\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\$RECYCLE.BIN\S-1-5-21-3563656697-2128792284-4278413744-1002\$RQ9K56A\Install_8587\DCytdkietut_tutdk_setup.exe a variant of Win32/SpeedBit.F potentially unwanted application
C:\FRST\Quarantine\C\ProgramData\Uenoiageirh\1.0.1.0\jroknaur.exe a variant of MSIL/Adware.PullUpdate.P application
C:\FRST\Quarantine\C\Users\Steve\AppData\Local\0F46E5CF-1432138694-E111-9065-DC0EA1F74031\bnsv8902.exe a variant of Win32/Adware.ConvertAd.PR application
C:\FRST\Quarantine\C\Users\Steve\AppData\Local\Temp\jue1D40.exe.xBAD a variant of MSIL/Adware.Imali.A application
C:\FRST\Quarantine\C\Users\Steve\AppData\Local\Temp\jue3A51.exe.xBAD a variant of MSIL/Adware.Imali.A application
C:\FRST\Quarantine\C\Users\Steve\AppData\Local\Temp\jue9ABB.exe.xBAD a variant of MSIL/Adware.Imali.A application
C:\FRST\Quarantine\C\Users\Steve\AppData\Local\Temp\optprosetup.exe.xBAD multiple threats
C:\FRST\Quarantine\C\Users\Steve\AppData\Roaming\jR0cjxFWA5jQOFJkL.xBAD JS/Toolbar.Crossrider.C potentially unwanted application
C:\ProgramData\Browser\prompt.exe a variant of MSIL/Adware.PullUpdate.L.gen application
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4BDE2H3M\setup_362[1].exe a variant of Win32/Adware.Imali.B application
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NOSJ08TB\sprz[1].exe Win32/Toolbar.Perion.L potentially unwanted application
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UZXU7DU8\Setup[1].exe multiple threats
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UZXU7DU8\SmartWebInstaller[1].exe a variant of Win32/PriceGong.C potentially unwanted application
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WAHMCOT3\dl[1].htm a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WAHMCOT3\FinalInstaller_dotnet4[1].exe a variant of MSIL/Adware.Imali.A application
C:\Users\Steve\AppData\Local\Temp\nsb9D3A.tmp Win32/Adware.ConvertAd.PY application
C:\Users\Steve\AppData\Local\Temp\nsbCAE7.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsg5C71.tmp multiple threats
C:\Users\Steve\AppData\Local\Temp\nsk93EB.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsl97CE.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsq4160.tmp a variant of Win32/Adware.ConvertAd.PR application
C:\Users\Steve\AppData\Local\Temp\nsr3869.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsu969A.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsw653B.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nswB0D2.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsx2B38.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\nsz5ECD.tmp a variant of Win32/Adware.ConvertAd.QI application
C:\Users\Steve\AppData\Local\Temp\Install_28494\ins_shopperpro.exe a variant of Win32/SpeedBit.D potentially unwanted application
C:\Users\Steve\AppData\Local\Temp\Install_30683\sbsetter2.dll a variant of Win32/SpeedBit.F potentially unwanted application
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\11.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\380.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\392.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\399.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\420.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\436.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_boost_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_bubbledock_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_BubbleSound_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_infonaut_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_navright_imali_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_optimizerpro_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_pcrossbrowser_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_pmediaconverter_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_SByoutube_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_sb_driverupdater_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_secureprotect_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_superpct_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-077Q7.tmp\package_superpc_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5F0OM.tmp\393.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5F0OM.tmp\package_bubbledock_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5F0OM.tmp\package_optimizerpro_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5F0OM.tmp\package_SByoutube_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\11.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\380.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\385.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\392.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\399.exe a variant of Win32/Adware.EoRezo.AZ application
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\420.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\436.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_boost_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_bubbledock_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_BubbleSound_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_CubepileShopperz_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_infonaut_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_navright_imali_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_optimizerpro_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_pcrossbrowser_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_pmediaconverter_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_priceless_p_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_pwebbar_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_SByoutube_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_sb_driverupdater_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_secureprotect_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_superpct_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-5J4C0.tmp\package_superpc_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-A1EAR.tmp\package_ceppink_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-A1EAR.tmp\package_optimizerpro_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-CHUTL.tmp\components4 Win32/AdWare.Linkular.AH application
C:\Users\Steve\AppData\Local\Temp\is-F4Q3B.tmp\pm-standalone-setup.exe Win32/UniBlue.C potentially unwanted application
C:\Users\Steve\AppData\Local\Temp\is-NE1NS.tmp\package_ceppink_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-NE1NS.tmp\package_optimizerpro_installer_multilang.exe multiple threats
C:\Users\Steve\AppData\Local\Temp\is-VR7KR.tmp\dm.exe Win32/Adware.EoRezo.AS application
C:\Users\Steve\AppData\Roaming\Eppink\Eppink.exe a variant of Win32/Adware.ConvertAd.KZ.gen application
C:\Users\Steve\AppData\Roaming\Eppink\Uninstall.exe Win32/Adware.ConvertAd.EB application
C:\Users\Steve\Downloads\Avery Wizard 4.01 - US 20111209.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Windows\Imgtask.exe a variant of Win32/AutoRun.AEU worm
C:\Windows\Temp\667.tmp.exe a variant of Win32/Adware.ConvertAd.QA application
C:\Windows\Temp\9E22.tmp.exe a variant of Win32/Adware.ConvertAd.QJ application
C:\Windows\Temp\r1lc04ix.exe multiple threats
C:\Windows\Temp\xyl72d.exe multiple threats
Operating memory a variant of Win32/AutoRun.AEU worm
Thank you for your continued diligence.
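A small triage helper for scan output in the layout quoted above, added here as an illustration and not part of the thread or of any tool mentioned in it: it parses each "path detection category" line, buckets hits by where they live, and flags memory-resident and worm entries ahead of the leftover installer payloads in Temp. The sample lines are copied from the log above; the location buckets and priority rules are my own assumption.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the scan log in the thread
# (paths copied from the post; one entry per line). Not the complete log.
SAMPLE_LOG = r"""
C:\Users\Steve\AppData\Local\Temp\is-VR7KR.tmp\dm.exe Win32/Adware.EoRezo.AS application
C:\Users\Steve\AppData\Roaming\Eppink\Eppink.exe a variant of Win32/Adware.ConvertAd.KZ.gen application
C:\Users\Steve\Downloads\Avery Wizard 4.01 - US 20111209.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Windows\Imgtask.exe a variant of Win32/AutoRun.AEU worm
C:\Windows\Temp\r1lc04ix.exe multiple threats
Operating memory a variant of Win32/AutoRun.AEU worm
"""

# Path (may contain spaces), then either "<detection> <category>" or "multiple threats".
ENTRY = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<det>(?:a variant of )?\w+/\S+)\s+(?P<cat>.+?)"
    r"|(?P<multi>multiple threats))\s*$"
)

def classify_location(path):
    """Bucket a hit by where it lives; persistent locations outrank dropped installers (assumed buckets)."""
    p = path.lower()
    if p.startswith("operating memory"):
        return "memory"
    if "\\temp\\" in p:
        return "temp"
    if "\\downloads\\" in p:
        return "downloads"
    if "\\appdata\\roaming\\" in p:
        return "user-profile"
    if p.startswith("c:\\windows\\"):
        return "system"
    return "other"

def parse_log(text):
    """Return one dict per parsable line with location and an assumed priority."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        cat = m.group("cat") or m.group("multi")
        loc = classify_location(m.group("path"))
        if cat == "worm" or loc == "memory":
            prio = "high"      # self-propagating or already running: handle first
        elif loc in ("system", "user-profile"):
            prio = "medium"    # survives a reboot
        else:
            prio = "low"       # leftover installer payloads
        entries.append({"path": m.group("path"), "detection": m.group("det") or "multiple threats",
                        "category": cat, "location": loc, "priority": prio})
    return entries

def triage(entries):
    """Counts per priority plus the high-priority paths to deal with first."""
    counts = Counter(e["priority"] for e in entries)
    return {"counts": dict(counts), "high": [e["path"] for e in entries if e["priority"] == "high"]}
```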
Old 05-26-2015, 07:16 AM   #17
tekir06
Security Team Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello again,

Please follow the instructions below. Then tell me how the machine is behaving now.

Download attached fixlist.txt file and save it to the Desktop.

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.

Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Attached Files
File Type: txt Fixlist.txt (4.2 KB, 28 views)
Old 05-26-2015, 07:54 AM   #18
EPMailman
Registered Member
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem

Greetings Tolga,
I ran FRST and the fixlog is attached.
Attached Files
File Type: txt Fixlog.txt (9.8 KB, 28 views)
Old 05-26-2015, 02:21 PM   #19
tekir06
Security Team Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello again,

At the end of each process, please tell me how the machine is behaving. Do you still get the message box? How is the machine behaving now? Do you still see "DesktopSearch" on your desktop?
Old 05-26-2015, 02:57 PM   #20
EPMailman
Registered Member
Join Date: Feb 2013
Posts: 31
OS: Windows 7 Home Prem

Machine is working normally. I do not get the message box anymore. Desktop Search still appears highlighted in yellow as a new program in the drop-down list. Firefox is not on my drop-down program list but is still found in the Program Files (x86) file. Malwarebytes found additional threats in its daily scan. That log is attached. When I started Chrome, a box said Google Now would be running in the background. It did not give me the option to agree.
Attached Files
File Type: txt Lenovoscan5.txt (44.9 KB, 85 views)
Copyright 2001 - 2018, Tech Support Forum