Malware/ Ads on steam

This is a discussion on Malware/ Ads on steam within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 03-12-2016, 09:25 PM   #1
Mszcrystal
Registered Member
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10

Hi, I had younger relatives over about a month ago and I am not sure what they did on my computer, but it seemed like I caught some malware. I used Malwarebytes and a whole bunch of crap came up. I removed everything that Malwarebytes found and I assumed whatever was giving my computer problems was gone. However, today when I tried to access my Steam store, I am unable to click on anything or even navigate through the pages. I tried googling what could be wrong and someone suggested to "opt out of beta." I did exactly that and restarted Steam. Now, when I try to open the Steam store, I am getting ads. So, again I scanned with Malwarebytes (about 3 times) and nothing came up. I cannot figure out what's wrong, please help, and thank you in advance!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18231 BrowserJavaVersion: 11.73.2
Run by Crystal at 0:14:56 on 2016-03-13
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16274.8518 [GMT -5:00]
.
AV: AVG Internet Security *Disabled/Updated* {4D41356F-32AD-7C42-C820-63775EE4F413}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Internet Security *Disabled/Updated* {F620D48B-1497-73CC-F290-58052563BEAE}
FW: AVG Internet Security *Disabled* {757AB44A-78C2-7D1A-E37F-CA42A037B368}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
F:\iTunesHelper.exe
F:\puush.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Corsair\Corsair Utility Engine\CorsairHID.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
C:\Program Files (x86)\AVG\Av\avgui.exe
C:\Program Files\windows defender\MSASCui.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = Google
uSearch Bar = Google
uSearch Page = Google
mWinlogon: Userinit = userinit.exe,
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll
uRun: [Steam] "F:\Steam\steam.exe" -silent
uRun: [puush] F:\puush.exe
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Discord] C:\Users\Crystal\AppData\Local\Discord\app-0.0.286\Discord.exe
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Corsair Utility Engine] "C:\Program Files (x86)\Corsair\Corsair Utility Engine\CorsairHID.exe" --autorun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AvgUi] "C:\Program Files (x86)\AVG\Framework\Common\avguirnx.exe" /lps=fmw
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\Av\avuirunnerx.exe" C:\Program Files (x86)\AVG\Av\avgui.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - F:\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - F:\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
TCP: NameServer = 8.8.8.8,8.8.8.4
TCP: NameServer = 167.206.13.180 167.206.13.181
TCP: Interfaces\{4BFC427E-6ECE-4244-95F4-500ADDBB35DE} : DHCPNameServer = 167.206.13.180 167.206.13.181
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - F:\Office15\OCHelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - F:\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - F:\Office15\GROOVEEX.DLL
x64-Run: [RTHDVCPL] "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
x64-Run: [IAStorIcon] "C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" "C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [iTunesHelper] "F:\iTunesHelper.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - F:\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - F:\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - F:\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - F:\Office15\MSOSB.DLL
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2016-1-26 272304]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2016-2-3 378288]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2016-3-2 269232]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2015-12-4 42416]
R0 Avguniva;AVG Universal Driver;C:\Windows\System32\drivers\avguniva.sys [2016-1-8 23472]
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2014-4-11 645480]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2014-4-11 28008]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2015-4-18 20464]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2015-11-6 184240]
R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2015-8-29 97208]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2016-1-26 315312]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2015-10-21 284080]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2015-10-8 302000]
R2 Apple Mobile Device Service;Apple Mobile Device Service;C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2015-1-19 77128]
R2 avgsvc;AVG Service;C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [2016-2-18 1045928]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [2016-3-2 561104]
R2 BstHdDrv;BlueStacks Hypervisor;C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [2015-5-7 145528]
R2 GfExperienceService;NVIDIA GeForce Experience Service;C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [2015-4-18 1156216]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2014-4-11 16232]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2013-8-27 747520]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2013-11-1 241416]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2015-4-18 169432]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2015-4-18 1872504]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2015-7-29 6477432]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2015-8-16 410744]
R3 CorsairVBusDriver;Corsair Bus;C:\Windows\System32\drivers\CorsairVBusDriver.sys [2015-11-23 47840]
R3 CorsairVHidDriver;Corsair virtual device;C:\Windows\System32\drivers\CorsairVHidDriver.sys [2015-11-23 21728]
R3 e1dexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver D;C:\Windows\System32\drivers\e1d62x64.sys [2015-4-18 494864]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2015-4-18 370672]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2015-4-18 791024]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2015-4-18 25816]
R3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2015-4-18 19576]
R3 NvStreamNetworkSvc;NVIDIA Streamer Network Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [2015-4-18 8185464]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2015-8-20 50472]
S2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\Av\avgfws.exe [2016-3-2 1580352]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\Av\avgidsagent.exe [2016-3-2 3934184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-11-6 105120]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-11-6 124568]
S2 MBAMService;MBAMService;F:\Malwarebytes Anti-Malware\mbamservice.exe [2015-4-18 1135416]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-7-9 327296]
S3 AvgAMPS;AvgAMPS;C:\Program Files (x86)\AVG\Av\avgamps.exe [2016-3-2 604144]
S3 BstHdAndroidSvc;BlueStacks Android Service;C:\Program Files (x86)\BlueStacks\HD-Service.exe [2015-5-7 433784]
S3 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [2015-5-7 413304]
S3 BstHdUpdaterSvc;BlueStacks Updater Service;C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [2015-5-7 831096]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2016-3-8 114688]
S3 Intel(R) Capability Licensing Service TCP IP Interface;Intel(R) Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2013-8-27 828376]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2015-4-18 63704]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\System32\GameMon.des -service --> C:\Windows\System32\GameMon.des -service [?]
S3 Origin Client Service;Origin Client Service;F:\Origin\OriginClientService.exe [2015-4-18 1931632]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2014-1-23 178760]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-11-15 19456]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2014-11-15 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-11-15 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-11-15 29696]
S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-4-18 1255736]
.
=============== Created Last 30 ================
.
2016-03-13 0558 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5930CD0D-0F77-4387-9560-E6C706E70AA9}\offreg.10756.dll
2016-03-13 04:16:43 11249080 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5930CD0D-0F77-4387-9560-E6C706E70AA9}\mpengine.dll
2016-03-13 04:08:52 -------- d-----w- C:\Program Files (x86)\AdwCleaner
2016-03-10 19:49:30 797376 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-03-10 19:49:30 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-03-09 00:12:44 5572032 ----a-w- C:\Windows\System32\ntoskrnl.exe
2016-03-04 23:50:14 -------- d-----w- C:\ProgramData\d3f5345b
2016-03-02 15:21:12 269232 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2016-02-14 16:43:08 -------- d-----w- C:\Users\Crystal\AppData\Local\Diagnostics
.
==================== Find3M ====================
.
2016-03-13 05:02:10 192216 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2016-02-12 18:52:23 98816 ----a-w- C:\Windows\System32\wudriver.dll
2016-02-12 18:52:23 3169792 ----a-w- C:\Windows\System32\wucltux.dll
2016-02-12 18:52:23 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2016-02-12 18:44:43 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2016-02-12 18:39:55 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2016-02-12 18:18:22 37888 ----a-w- C:\Windows\System32\wuapp.exe
2016-02-12 18:18:05 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2016-02-12 18:05:17 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2016-02-12 18:05:13 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2016-02-11 18:56:26 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2016-02-11 18:56:26 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2016-02-11 18:52:52 1733592 ----a-w- C:\Windows\System32\ntdll.dll
2016-02-11 18:49:42 362496 ----a-w- C:\Windows\System32\wow64win.dll
2016-02-11 18:49:42 243712 ----a-w- C:\Windows\System32\wow64.dll
2016-02-11 18:49:42 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2016-02-11 18:49:24 215040 ----a-w- C:\Windows\System32\winsrv.dll
2016-02-11 18:49:19 210432 ----a-w- C:\Windows\System32\wdigest.dll
2016-02-11 18:49:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2016-02-11 18:49:00 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2016-02-11 18:49:00 135680 ----a-w- C:\Windows\System32\sspicli.dll
2016-02-11 18:48:58 503808 ----a-w- C:\Windows\System32\srcore.dll
2016-02-11 18:48:58 50176 ----a-w- C:\Windows\System32\srclient.dll
2016-02-11 18:48:16 28160 ----a-w- C:\Windows\System32\secur32.dll
2016-02-11 18:48:14 344064 ----a-w- C:\Windows\System32\schannel.dll
2016-02-11 18:48:12 1214464 ----a-w- C:\Windows\System32\rpcrt4.dll
2016-02-11 18:47:33 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2016-02-11 18:45:59 312320 ----a-w- C:\Windows\System32\ncrypt.dll
2016-02-11 18:45:56 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2016-02-11 18:45:51 60416 ----a-w- C:\Windows\System32\msobjs.dll
2016-02-11 18:45:35 146432 ----a-w- C:\Windows\System32\msaudite.dll
2016-02-11 18:44:45 3994560 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2016-02-11 18:44:45 3938240 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2016-02-11 18:44:42 1461248 ----a-w- C:\Windows\System32\lsasrv.dll
2016-02-11 18:44:34 730112 ----a-w- C:\Windows\System32\kerberos.dll
2016-02-11 18:44:34 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2016-02-11 18:42:25 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2016-02-11 18:42:24 43520 ----a-w- C:\Windows\System32\cryptbase.dll
2016-02-11 18:42:24 22016 ----a-w- C:\Windows\System32\credssp.dll
2016-02-11 18:38:24 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2016-02-11 18:38:24 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2016-02-11 18:38:24 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2016-02-11 18:38:23 275456 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2016-02-11 18:38:07 171520 ----a-w- C:\Windows\SysWow64\wdigest.dll
2016-02-11 18:38:00 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2016-02-11 18:37:53 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2016-02-11 18:37:11 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2016-02-11 18:37:09 251392 ----a-w- C:\Windows\SysWow64\schannel.dll
2016-02-11 18:35:14 223232 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2016-02-11 18:35:09 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2016-02-11 18:35:06 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2016-02-11 18:34:26 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2016-02-11 18:33:30 553472 ----a-w- C:\Windows\SysWow64\kerberos.dll
2016-02-11 18:31:25 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2016-02-11 17:48:11 64000 ----a-w- C:\Windows\System32\auditpol.exe
2016-02-11 17:43:48 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2016-02-11 17:41:42 338432 ----a-w- C:\Windows\System32\conhost.exe
2016-02-11 17:40:09 296960 ----a-w- C:\Windows\System32\rstrui.exe
2016-02-11 17:34:45 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2016-02-11 17:34:01 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2016-02-11 17:33:54 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2016-02-11 17:32:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2016-02-11 17:32:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2016-02-11 17:32:45 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2016-02-11 17:32:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2016-02-11 17:32:25 30720 ----a-w- C:\Windows\System32\lsass.exe
2016-02-11 17:32:18 112640 ----a-w- C:\Windows\System32\smss.exe
2016-02-11 17:31:01 36352 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2016-02-11 17:30:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2016-02-11 17:30:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2016-02-11 17:30:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2016-02-11 17:30:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2016-02-09 22:15:33 97888 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2016-02-09 09:57:08 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2016-02-09 09:56:09 5120 ----a-w- C:\Windows\System32\msdxm.ocx
2016-02-09 09:56:09 5120 ----a-w- C:\Windows\System32\dxmasf.dll
2016-02-09 09:55:34 30720 ----a-w- C:\Windows\System32\seclogon.dll
2016-02-09 09:54:38 9728 ----a-w- C:\Windows\System32\spwmp.dll
2016-02-09 09:51:32 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2016-02-09 09:13:14 4096 ----a-w- C:\Windows\SysWow64\msdxm.ocx
2016-02-09 09:13:14 4096 ----a-w- C:\Windows\SysWow64\dxmasf.dll
2016-02-09 09:13:10 8192 ----a-w- C:\Windows\SysWow64\spwmp.dll
2016-02-08 20:51:13 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2016-02-08 20:39:06 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2016-02-08 20:39:06 496640 ----a-w- C:\Windows\SysWow64\vbscript.dll
2016-02-08 20:38:29 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2016-02-08 20:38:20 341504 ----a-w- C:\Windows\SysWow64\html.iec
2016-02-08 20:37:31 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2016-02-08 20:28:52 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2016-02-08 20:28:32 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2016-02-08 20:16:21 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2016-02-08 20:10:37 4611072 ----a-w- C:\Windows\SysWow64\jscript9.dll
2016-02-08 20:01:48 2050560 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2016-02-08 20:01:43 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2016-02-08 19:43:04 2121216 ----a-w- C:\Windows\SysWow64\wininet.dll
2016-02-08 18:41:57 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2016-02-08 18:41:47 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2016-02-08 18:27:37 66560 ----a-w- C:\Windows\System32\iesetup.dll
2016-02-08 18:26:56 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2016-02-08 18:26:49 417792 ----a-w- C:\Windows\System32\html.iec
.
============= FINISH: 0:15:01.40 ===============
Attached Files
File Type: txt attach.txt (5.7 KB, 46 views)
Old 03-15-2016, 07:17 PM   #2
Mszcrystal
Registered Member

BUMP, please!
(Sorry, I thought I remembered seeing the initial post at 03-12-16 at 9:15)

Old 03-17-2016, 12:09 AM   #3
Mszcrystal
Registered Member

BUMP, please!
(It's been 72 hours now.)

Old 03-17-2016, 01:07 AM   #4
tekir06
Security Team
Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Mszcrystal,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download all requested tools to your Desktop and run them from there.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Back up important files before we start.

Now, let's get started, shall we?

Please do the following.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Old 03-17-2016, 11:10 AM   #5
Mszcrystal
Registered Member

Hi, thank you for your time! I have attached the requested files.
Attached Files
File Type: txt FRST.txt (60.0 KB, 43 views)
File Type: txt Addition.txt (32.9 KB, 41 views)
Mszcrystal is offline  
Old 03-18-2016, 01:26 AM   #6
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Mszcrystal,

You're Welcome! Thanks for the logs. Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
Task: {0144DE3A-8141-4356-9BEE-7CDE8C21647B} - \{0C7D0547-0B0C-7978-0C11-0C040D08110C} -> No File <==== ATTENTION
Task: {F9BAF32D-6E12-43F6-8912-58ABCC4F9B1C} - System32\Tasks\ASPKRRLDHNBJACGV => C:\ProgramData\Service6566\Service6566.exe <==== ATTENTION
Task: C:\Windows\Tasks\ASPKRRLDHNBJACGV.job => C:\ProgramData\Service6566\Service6566.exe <==== ATTENTION
FirewallRules: [{7304BBDD-FEAF-4FEE-A038-10935E2682EC}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩瑳瑡略敳睜湩瑳瑡略敳攮數
FirewallRules: [{0AD99E3B-AC6A-434D-BE26-CE8FEDEF42FF}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩瑳瑡略敳睜湩瑳瑡略敳⹟硥e
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR StartupUrls: Default -> "hxxp://websearch.searchinweb.info/?pid=2356&r=2014/01/30&hid=12658040544727602961&lg=EN&cc=US&unqvl=47"
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx
2015-04-18 22:54 - 2015-04-18 22:54 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-03-11 21:14 - 2016-03-11 21:14 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2016-03-11 21:14 - 2016-03-11 21:14 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2016-02-09 23:50 - 2016-02-09 23:50 - 0000016 _____ () C:\ProgramData\mntemp
2016-02-10 22:11 - 2016-02-10 22:11 - 0005033 _____ () C:\ProgramData\mzemgkrx.fuc
2016-02-09 23:50 - 2016-02-09 23:50 - 0004881 _____ () C:\ProgramData\rxsmznjf.zcp
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
__________________
tekir06 is offline  
Old 03-18-2016, 02:00 AM   #7
Registered Member
 
 
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10



Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Crystal (2016-03-18 04:57:03) Run:1
Running from C:\Users\Crystal\Desktop
Loaded Profiles: Crystal (Available Profiles: Crystal)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Task: {0144DE3A-8141-4356-9BEE-7CDE8C21647B} - \{0C7D0547-0B0C-7978-0C11-0C040D08110C} -> No File <==== ATTENTION
Task: {F9BAF32D-6E12-43F6-8912-58ABCC4F9B1C} - System32\Tasks\ASPKRRLDHNBJACGV => C:\ProgramData\Service6566\Service6566.exe <==== ATTENTION
Task: C:\Windows\Tasks\ASPKRRLDHNBJACGV.job => C:\ProgramData\Service6566\Service6566.exe <==== ATTENTION
FirewallRules: [{7304BBDD-FEAF-4FEE-A038-10935E2682EC}] => (Allow) ?????????????????????????
FirewallRules: [{0AD99E3B-AC6A-434D-BE26-CE8FEDEF42FF}] => (Allow) ?????????????????????????e
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR StartupUrls: Default -> "hxxp://websearch.searchinweb.info/?pid=2356&r=2014/01/30&hid=12658040544727602961&lg=EN&cc=US&unqvl=47"
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx
2015-04-18 22:54 - 2015-04-18 22:54 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-03-11 21:14 - 2016-03-11 21:14 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2016-03-11 21:14 - 2016-03-11 21:14 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2016-02-09 23:50 - 2016-02-09 23:50 - 0000016 _____ () C:\ProgramData\mntemp
2016-02-10 22:11 - 2016-02-10 22:11 - 0005033 _____ () C:\ProgramData\mzemgkrx.fuc
2016-02-09 23:50 - 2016-02-09 23:50 - 0004881 _____ () C:\ProgramData\rxsmznjf.zcp
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0144DE3A-8141-4356-9BEE-7CDE8C21647B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0144DE3A-8141-4356-9BEE-7CDE8C21647B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0C7D0547-0B0C-7978-0C11-0C040D08110C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F9BAF32D-6E12-43F6-8912-58ABCC4F9B1C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F9BAF32D-6E12-43F6-8912-58ABCC4F9B1C}" => key removed successfully
C:\Windows\System32\Tasks\ASPKRRLDHNBJACGV => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASPKRRLDHNBJACGV" => key removed successfully
C:\Windows\Tasks\ASPKRRLDHNBJACGV.job => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7304BBDD-FEAF-4FEE-A038-10935E2682EC} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0AD99E3B-AC6A-434D-BE26-CE8FEDEF42FF} => value removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
Chrome StartupUrls => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaffhmecfaelkngcbnfdkcckmillnoki" => key removed successfully
C:\ProgramData\DP45977C.lfl => moved successfully
C:\Users\Default\AppData\Roaming\TuneUp Software => moved successfully
"C:\Users\Default User\AppData\Roaming\TuneUp Software" => not found.
C:\ProgramData\mntemp => moved successfully
C:\ProgramData\mzemgkrx.fuc => moved successfully
C:\ProgramData\rxsmznjf.zcp => moved successfully
EmptyTemp: => 5.2 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 04:57:24 ====
Mszcrystal is offline  
Old 03-18-2016, 02:14 AM   #8
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello,

I think it was a problem with Unicode. Please do the following.

Download attached fixlist.txt file and save it to the Desktop.

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.

Double-click FRST64.exe to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Attached Files
File Type: txt fixlist.txt (442 Bytes, 46 views)
__________________
tekir06 is offline  
Old 03-18-2016, 10:06 AM   #9
Registered Member
 
 
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10



Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Crystal (2016-03-18 13:02:24) Run:2
Running from C:\Users\Crystal\Desktop
Loaded Profiles: Crystal (Available Profiles: Crystal)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
FirewallRules: [{7304BBDD-FEAF-4FEE-A038-10935E2682EC}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩瑳瑡略敳睜湩瑳瑡略敳攮數
FirewallRules: [{0AD99E3B-AC6A-434D-BE26-CE8FEDEF42FF}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩瑳瑡略敳睜湩瑳瑡略敳⹟硥e
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7304BBDD-FEAF-4FEE-A038-10935E2682EC} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0AD99E3B-AC6A-434D-BE26-CE8FEDEF42FF} => value not found.
EmptyTemp: => 123.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 13:02:32 ====
Mszcrystal is offline  
Old 03-19-2016, 01:39 PM   #10
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Mszcrystal,

Thanks for the log. Please do the following steps.

STEP 1

Please Launch AdwCleaner

Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
__________________
tekir06 is offline  
Old 03-19-2016, 02:38 PM   #11
Registered Member
 
 
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10



# AdwCleaner v5.102 - Logfile created 19/03/2016 at 17:28:54
# Updated 13/03/2016 by Xplode
# Database : 2016-03-19.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Crystal - CRYSTAL-PC
# Running from : F:\Chrome Downloads\adwcleaner_5.102.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\DailyPcClean Support
[-] Folder Deleted : C:\ProgramData\25cf03a9-16f3-0
[-] Folder Deleted : C:\ProgramData\25cf03a9-4715-0
[-] Folder Deleted : C:\ProgramData\25cf03a9-5903-1
[-] Folder Deleted : C:\ProgramData\25cf03a9-7825-1
[-] Folder Deleted : C:\ProgramData\d3f5345b
[-] Folder Deleted : C:\ProgramData\Service6566
[-] Folder Deleted : C:\Users\Crystal\AppData\Local\YSearchUtil
[-] Folder Deleted : C:\Users\Crystal\AppData\Roaming\Store
[-] Folder Deleted : C:\Users\Crystal\AppData\Roaming\WTools
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : {63A8943E-F28D-E952-A903-CF25228A3050}

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : HKCU\Software\Microsoft\Tinstalls
[-] Key Deleted : HKCU\Software\powerpack
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\WTools
[-] Key Deleted : HKCU\Software\AVG Web TuneUp
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! SearchSet

***** [ Web browsers ] *****

[-] [C:\Users\Crystal\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://websearch.searchinweb.info/?pid=2356&r=2014/01/30&hid=12658040544727602961&lg=EN&cc=US&unqvl=47

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [1993 bytes] - [19/03/2016 17:28:54]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [2928 bytes] - [13/03/2016 00:09:01]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S2].txt - [2572 bytes] - [19/03/2016 17:26:30]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [2272 bytes] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Ultimate x64
Ran by Crystal (Administrator) on Sat 03/19/2016 at 17:32:35.77
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 9

Failed to delete: C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D744GO75 (Temporary Internet Files Folder)
Successfully deleted: C:\ProgramData\e815bfd79dbf4de0a6714355cfea5cdb (Folder)
Successfully deleted: C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCNS7FAW (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUUFHU2G (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Crystal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RMOPMF3P (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D744GO75 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCNS7FAW (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUUFHU2G (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RMOPMF3P (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/19/2016 at 17:33:31.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mszcrystal is offline  
Old 03-19-2016, 02:59 PM   #12
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Mszcrystal,

Thanks for the logs. Please do the steps below. Then tell me how the machine is behaving now. What problems do you still have?

STEP 1

Launch Malwarebytes Anti-Malware

On the Settings tab > Detection and Protection subtab, Detection Options section, tick the box Scan for rootkits.
Click on the Scan tab, then click on Start Scan.
A check for database updates will be performed.
After the update check completes, a scan will begin.
With some infections, you may see this message box.
'Could not load DDA driver'
Click Yes to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click 'Remove Selected'.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.

STEP 2

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.
__________________
tekir06 is offline  
Old 03-19-2016, 06:09 PM   #13
Registered Member
 
 
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10



My steam still has pop ads when I try to navigate to anywhere besides my library. I have posted the requested information below:



C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\ProgramData\d3f5345b\fe144243.dll.vir a variant of Win32/Adware.Adposhel.B application
C:\Users\Crystal\Desktop\Microsoft Office ProPlus 2013 SP1 VL x64 en-US\Activator\KMSpico Portable 10.0.4\AutoPico.exe a variant of MSIL/HackTool.IdleKMS.C potentially unsafe application
F:\Chrome Downloads\FreeYouTubeDownload.exe a variant of Win32/OpenCandy.A potentially unsafe application
F:\Chrome Downloads\FreeYouTubeToMP3Converter.exe a variant of Win32/OpenCandy.A potentially unsafe application
F:\Chrome Downloads\Microsoft_Office_ProPlus_2013_SP1_VL_x64_en-US-2015-04-19.zip a variant of MSIL/HackTool.IdleKMS.C potentially unsafe application
F:\Chrome Downloads\movavi-video-editor-11-keygen\movavi-video-editor-11-keygen.exe a variant of MSIL/Yelloader.A potentially unwanted application
Attached Files
File Type: txt 031916.txt (1.2 KB, 38 views)
Mszcrystal is offline  
Old 03-21-2016, 02:47 AM   #14
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Mszcrystal,

Thanks for the logs and information. Please do the following.

Please copy all text in the code box below and paste it into Notepad:
Code:
@echo off
rem Start with a clean log of anything that could not be deleted
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Users\Crystal\Desktop\Microsoft Office ProPlus 2013 SP1 VL x64 en-US\Activator\KMSpico Portable 10.0.4\AutoPico.exe"
"F:\Chrome Downloads\Microsoft_Office_ProPlus_2013_SP1_VL_x64_en-US-2015-04-19.zip"
"F:\Chrome Downloads\movavi-video-editor-11-keygen\movavi-video-editor-11-keygen.exe"

) do (
rem /a any attribute, /f force read-only, /q no prompt; record the path if it survives
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Show the leftovers in Notepad if any remain, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself when done
del %0
Save the Notepad file to your desktop and name it delfiles.bat.
Set "Save as type" to "All Files".
On your desktop, double-click on delfiles.bat to run it (a black CMD window will flash, then disappear; this is normal).

Please tell me what it says in your next reply.
__________________
tekir06 is offline  
Old 03-21-2016, 09:42 AM   #15
Registered Member
 
 
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10



It said "Deleted successfully!" and that was it.
Mszcrystal is offline  
Old 03-23-2016, 12:20 AM   #16
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Mszcrystal,

Your reports are clear.

Now, can you simply uninstall Steam (without installing your games), and reinstall it?
__________________
tekir06 is offline  
Old 03-23-2016, 03:55 PM   #17
Registered Member
 
 
Join Date: Jan 2010
Location: United States
Posts: 19
OS: Windows 10



THANK YOU for all your help! My steam is back to normal now! Thank you thank you thank you
Mszcrystal is offline  
Old 03-24-2016, 12:49 AM   #18
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Mszcrystal,

You're welcome. Can you tell me how it became normal? After the uninstall and reinstall?

Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, and Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
Old 04-02-2016, 03:58 PM   #19
TSF-Emeritus
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Since this issue appears resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

Surf Safely and Think Prevention!
__________________

amateur is offline  
 
