My computer is infected

Old 11-16-2015, 07:32 AM   #1
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hello,

A couple days ago my computer started running very slowly when using Chrome or Firefox. Pages wouldn't load and/or would load very slowly. When this happened I ran a scan with my McAfee security and it found a virus called Artemis!9C2E73D3CEEA that it said it removed. Then I ran the scan again and it found and removed 1 file (not sure what it removed). Then I ran a third time and it said it was clear. My computer is still running slow and certain websites aren't loading well (Gmail, Kelley Blue Book, etc.). One last thing to mention is that in Chrome the default search engine keeps changing to Yahoo when I never changed it (I prefer Google). Even when I change it back to Google it seems to switch back to Yahoo on its own.

I do not have access to a Windows install disc.

Thanks so much in advance for your help.
Jenny
--------------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18098 BrowserJavaVersion: 11.65.2
Run by Cliffside at 10:10:25 on 2015-11-16
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4003.1959 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall *Enabled* {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Coupons\CouponPrinterService.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\Online Games Manager\ogmservice.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\pcreg\pcreg.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\GWX\GWX.exe
C:\Users\Cliffside\AppData\Roaming\ShieldSoft\UI\bin\ShieldsoftService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\McAfee\MSC\McAPExe.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
C:\Users\Cliffside\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Playskool\MADE FOR ME Software\HbDetect.exe
C:\Users\Cliffside\AppData\Local\Dropbox\Update\DropboxUpdate.exe
C:\Users\Cliffside\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe
C:\Users\Cliffside\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Brownie\BrStsW64.exe
C:\Windows\System32\WUDFHost.exe
C:\Users\Cliffside\AppData\Roaming\ShieldSoft\UI\bin\shieldsoft.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe
C:\Users\Cliffside\AppData\Roaming\ShieldSoft\UI\bin\shieldui.exe
C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Cliffside\AppData\Roaming\ShieldSoft\UI\bin\shieldsoft64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\McAfee\CSP\1.6.1180.0\McCSPServiceHost.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\McAfee\SiteAdvisor\McChHost.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
mWinlogon: Userinit = userinit.exe
BHO: BlspcHlpr Class: {15C9938F-CB96-496D-800A-B827F2E34EA1} -
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
BHO: Value Apps plugin: {F63AAEDC-3602-49EF-AA45-262380A98980} -
uRun: [Uploader] C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
uRun: [pcreg] C:\Program Files\pcreg\service.exe
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe Run
uRun: [Google Update] "C:\Users\Cliffside\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [HbDetect.exe] C:\Program Files (x86)\Playskool\MADE FOR ME Software\HbDetect.exe
uRun: [Dropbox Update] "C:\Users\Cliffside\AppData\Local\Dropbox\Update\DropboxUpdate.exe" /c
uRun: [SansaDispatch] C:\Users\Cliffside\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRun: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe"
mRun: [FPCCSMiddleware] C:\Program Files (x86)\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
mRun: [DBAgent] "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" /WinStart
mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Digital Coupon Print Driver] "C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe"
mRun: [Http Listener] C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-001A-0409-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
StartupFolder: C:\Users\CLIFFS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Cliffside\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001055-0002-0055-ABCDEFFEDCBC} - <orphaned>
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{D49FA43E-FF7E-428A-A7EC-0A30819B003E} : DHCPNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: BlspcHlpr Class: {15C9938F-CB96-496D-800A-B827F2E34EA1} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [pcreg] C:\Program Files\pcreg\service.exe
x64-Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
x64-IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 m.fr.a2dfp.net
Hosts: 0.0.0.0 mfr.a2dfp.net
Hosts: 0.0.0.0 ad.a8.net
Hosts: 0.0.0.0 asy.a8ww.net
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=mcafee&type=C111US91021D20130814&p=
FF - plugin: c:\PROGRA~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\browser\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\CLIFFS~1\AppData\Roaming\CATALI~2\npBcsKtTcHW.dll
FF - plugin: C:\Users\Cliffside\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll
FF - plugin: C:\Users\Cliffside\AppData\Roaming\Hopster\CouponPrinterPlugin\2.0.2.0\npCouponPrinterPlugin.dll
FF - plugin: C:\Users\Cliffside\AppData\Roaming\Hopster\CouponPrinterPlugin\2.0.2.0\npPrintUtil.dll
FF - plugin: C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: C:\Users\Cliffside\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Cliffside\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Users\Cliffside\AppData\Roaming\RevTrax\RevTraxPrintMyCoupon\1.0.0.0\npRevTraxPrintMyCoupon.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1220162.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2013-2-19 875928]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2013-2-19 344704]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-2-1 52856]
R2 Apple Mobile Device Service;Apple Mobile Device Service;C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2015-10-7 77104]
R2 CouponPrinterService;Coupon Printer Service;C:\Program Files (x86)\Coupons\CouponPrinterService.exe [2014-2-13 1413104]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 Fitbit Connect;Fitbit Connect Service;C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [2015-9-4 5750440]
R2 HomeNetSvc;McAfee Home Network;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-11-8 368048]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 99128]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2015-11-11 157928]
R2 McAPExe;McAfee AP Service;C:\Program Files\McAfee\MSC\McAPExe.exe [2013-11-8 782608]
R2 mccspsvc;McAfee CSP Service;C:\Program Files\Common Files\McAfee\CSP\1.6.1180.0\McCSPServiceHost.exe [2015-9-1 1694152]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-11-8 368048]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-11-8 368048]
R2 mcpltsvc;McAfee Platform Services;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-11-8 368048]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2013-11-8 368048]
R2 mfemms;McAfee Service Controller;C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe [2015-6-30 373704]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2013-8-14 254792]
R2 ogmservice;Online Games Manager;C:\Program Files (x86)\Online Games Manager\ogmservice.exe [2014-3-27 581568]
R2 pcregservice;pcregservice Service;C:\Program Files\pcreg\pcreg.exe [2013-12-4 25600]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-8-12 1128952]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R2 Seagate Dashboard Services;Seagate Dashboard Services;C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2013-10-18 16000]
R2 ShieldSoft;ShieldSoft Protection;C:\Users\Cliffside\AppData\Roaming\ShieldSoft\UI\bin\shieldsoftService.exe [2015-11-13 83456]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-8-12 2656280]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2013-8-14 77536]
R3 mfeaack;McAfee Inc. mfeaack;C:\Windows\System32\drivers\mfeaack.sys [2015-2-17 412440]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2013-8-14 347800]
R3 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2013-8-14 232656]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2013-8-14 496888]
R3 mfencbdc;McAfee Inc. mfencbdc;C:\Windows\System32\drivers\mfencbdc.sys [2015-6-28 529080]
R3 mfesapsn;McAfee Process Start Notification Service;C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [2015-11-11 37960]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-8-12 471144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-4-11 124088]
S3 GamesAppIntegrationService;GamesAppIntegrationService;C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [2013-11-8 227936]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2015-7-28 207208]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-11-11 114688]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-8-12 158976]
S3 JLTECH0227;Dual Mode Camera;C:\Windows\System32\drivers\jl2005c.sys [2013-12-25 79920]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.11.163\McCHSvc.exe [2015-7-31 289256]
S3 mfencrk;McAfee Inc. mfencrk;C:\Windows\System32\drivers\mfencrk.sys [2015-6-28 109728]
S3 Origin Client Service;Origin Client Service;C:\Program Files (x86)\Origin\OriginClientService.exe [2014-9-17 1910128]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2015-6-10 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-23 1255736]
.
=============== Created Last 30 ================
.
2015-11-15 14:33:56 -------- d-----w- C:\Users\Cliffside\.oracle_jre_usage
2015-11-13 15:40:27 -------- d-----w- C:\Users\Cliffside\AppData\Roaming\ShieldSoft
2015-11-12 05:34:57 3211264 ----a-w- C:\Windows\System32\win32k.sys
2015-11-11 08:29:59 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2015-11-07 02:36:41 901288 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icuuc55.dll
2015-11-06 00:40:55 -------- d-----w- C:\Program Files (x86)\PrintMyCouponAnywhere
2015-11-06 00:29:28 -------- d-----w- C:\Users\Cliffside\AppData\Local\Hopster
2015-11-06 00:28:52 -------- d-----w- C:\Program Files (x86)\Digital Coupon Printer
2015-11-02 21:54:32 -------- d-----w- C:\Users\Cliffside\AppData\Local\{E1C2C17D-9EE2-4742-B80B-9DC065B3AD99}
2015-10-23 18:24:27 -------- d-----w- C:\Program Files\iPod
2015-10-23 18:24:27 -------- d-----w- C:\Program Files (x86)\iTunes
.
==================== Find3M ====================
.
2015-11-15 14:33:14 97888 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2015-11-10 23:19:09 780488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2015-11-10 23:19:09 142536 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-10-30 23:40:49 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2015-10-30 23:40:38 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2015-10-30 23:25:55 66560 ----a-w- C:\Windows\System32\iesetup.dll
2015-10-30 23:25:15 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2015-10-30 23:25:08 417792 ----a-w- C:\Windows\System32\html.iec
2015-10-30 23:24:50 585728 ----a-w- C:\Windows\System32\vbscript.dll
2015-10-30 23:24:34 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2015-10-30 23:12:09 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2015-10-30 23:12:09 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2015-10-30 23:11:58 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2015-10-30 23:11:46 5990912 ----a-w- C:\Windows\System32\jscript9.dll
2015-10-30 22:58:29 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2015-10-30 22:53:49 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-10-30 22:47:08 504832 ----a-w- C:\Windows\SysWow64\vbscript.dll
2015-10-30 22:46:27 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2015-10-30 22:45:51 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2015-10-30 22:45:42 341504 ----a-w- C:\Windows\SysWow64\html.iec
2015-10-30 22:44:57 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2015-10-30 22:36:25 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2015-10-30 22:36:06 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2015-10-30 22:29:57 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2015-10-30 22:29:52 2126336 ----a-w- C:\Windows\System32\inetcpl.cpl
2015-10-30 22:23:51 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-10-30 22:17:06 2487808 ----a-w- C:\Windows\System32\wininet.dll
2015-10-30 22:16:43 4527616 ----a-w- C:\Windows\SysWow64\jscript9.dll
2015-10-30 22:09:23 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2015-10-30 22:09:15 2052608 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2015-10-30 21:51:28 2011136 ----a-w- C:\Windows\SysWow64\wininet.dll
2015-10-29 17:50:44 6656 ----a-w- C:\Windows\System32\shimeng.dll
2015-10-29 17:50:30 342016 ----a-w- C:\Windows\System32\apphelp.dll
2015-10-29 17:50:29 72192 ----a-w- C:\Windows\System32\aelupsvc.dll
2015-10-29 17:50:29 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2015-10-29 17:50:29 309248 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2015-10-29 17:50:29 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2015-10-29 17:50:29 103424 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2015-10-29 17:50:21 5120 ----a-w- C:\Windows\SysWow64\shimeng.dll
2015-10-29 17:50:14 23552 ----a-w- C:\Windows\System32\sdbinst.exe
2015-10-29 17:49:58 295936 ----a-w- C:\Windows\SysWow64\apphelp.dll
2015-10-29 17:49:57 562176 ----a-w- C:\Windows\apppatch\AcLayers.dll
2015-10-29 17:49:57 470528 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2015-10-29 17:49:57 2178560 ----a-w- C:\Windows\apppatch\AcGenral.dll
2015-10-29 17:49:57 211968 ----a-w- C:\Windows\apppatch\AcXtrnal.dll
2015-10-29 17:49:35 20992 ----a-w- C:\Windows\SysWow64\sdbinst.exe
2015-10-29 17:39:57 2560 ----a-w- C:\Windows\apppatch\AcRes.dll
2015-10-20 18:42:14 98816 ----a-w- C:\Windows\System32\wudriver.dll
2015-10-20 18:42:14 3168768 ----a-w- C:\Windows\System32\wucltux.dll
2015-10-20 18:42:14 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2015-10-20 18:41:36 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2015-10-20 18:41:25 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2015-10-20 18:41:22 37888 ----a-w- C:\Windows\System32\wuapp.exe
2015-10-20 17:46:02 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2015-10-20 17:46:02 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2015-10-20 17:45:08 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2015-10-20 01:12:12 5570496 ----a-w- C:\Windows\System32\ntoskrnl.exe
2015-10-20 01:12:10 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2015-10-20 01:12:10 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2015-10-20 01:09:05 1730496 ----a-w- C:\Windows\System32\ntdll.dll
2015-10-20 01:06:18 362496 ----a-w- C:\Windows\System32\wow64win.dll
2015-10-20 01:06:18 243712 ----a-w- C:\Windows\System32\wow64.dll
2015-10-20 01:06:18 215040 ----a-w- C:\Windows\System32\winsrv.dll
2015-10-20 01:06:18 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2015-10-20 01:04:53 31232 ----a-w- C:\Windows\System32\lsass.exe
2015-10-20 01:04:40 338432 ----a-w- C:\Windows\System32\conhost.exe
2015-10-20 01:04:35 64000 ----a-w- C:\Windows\System32\auditpol.exe
2015-10-20 01:00:20 60416 ----a-w- C:\Windows\System32\msobjs.dll
2015-10-20 00:59:20 146432 ----a-w- C:\Windows\System32\msaudite.dll
2015-10-20 00:52:02 3991488 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2015-10-20 00:52:02 3935680 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2015-10-20 00:48:46 1311768 ----a-w- C:\Windows\SysWow64\ntdll.dll
2015-10-20 00:44:35 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2015-10-20 00:44:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2015-10-20 00:44:18 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2015-10-20 00:44:18 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2015-10-20 00:44:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2015-10-20 00:39:32 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2015-10-20 00:39:11 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2015-10-19 23:41:20 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2015-10-19 23:40:43 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2015-10-19 23:40:39 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2015-10-19 23:29:36 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2015-10-19 23:29:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2015-10-19 23:27:10 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2015-10-19 23:27:10 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-19 23:27:10 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2015-10-19 23:27:10 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2015-10-13 16:41:05 497664 ----a-w- C:\Windows\System32\drivers\afd.sys
2015-10-13 16:40:33 118272 ----a-w- C:\Windows\System32\drivers\tdx.sys
2015-10-13 06:29:08 875720 ----a-w- C:\Windows\SysWow64\msvcr120_clr0400.dll
2015-10-13 06:22:02 869568 ----a-w- C:\Windows\System32\msvcr120_clr0400.dll
2015-10-13 04:57:21 950720 ----a-w- C:\Windows\System32\drivers\ndis.sys
2015-10-01 18:06:49 692672 ----a-w- C:\Windows\System32\winload.efi
2015-10-01 18:04:11 616360 ----a-w- C:\Windows\System32\winresume.efi
2015-10-01 18:00:59 63488 ----a-w- C:\Windows\System32\setbcdlocale.dll
2015-10-01 18:00:51 24576 ----a-w- C:\Windows\System32\jnwmon.dll
2015-10-01 18:00:50 275456 ----a-w- C:\Windows\System32\InkEd.dll
2015-10-01 18:00:43 59392 ----a-w- C:\Windows\System32\appidapi.dll
2015-10-01 18:00:43 32768 ----a-w- C:\Windows\System32\appidsvc.dll
.
============= FINISH: 10:11:29.92 ===============
Attached Files
File Type: txt attach.txt (519.0 KB, 20 views)
Old 11-16-2015, 11:36 PM   #2
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Please download all requested tools to your Desktop and run them from there.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My native language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the following steps:

STEP 1

Please download AdwCleaner from here and save it to your desktop.

  • Do NOT click the green 'Download' button (if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan.
  • Once the Scan is done, select Cleaning.
  • Once done it will ask to reboot; please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

  • Double-click FRST64 to run it. When the tool opens, click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Old 11-17-2015, 12:28 PM   #3
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hello Tolga,

Thanks for your quick response and assistance! I only see a Green 'Download now @bleepingcomputer' button. Is this ok?

Thanks
Old 11-17-2015, 01:28 PM   #4
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Yes. Click the green Download now @bleepingcomputer button.
Old 11-18-2015, 10:10 AM   #5
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hi Tolga,

Here are the log results from AdwCleaner:

# AdwCleaner v5.021 - Logfile created 18/11/2015 at 1357
# Updated 14/11/2015 by Xplode
# Database : 2015-11-17.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Cliffside - CLIFFSIDE-HP
# Running from : C:\Users\Cliffside\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****

[-] Service Deleted : CouponPrinterService
[-] Service Deleted : pcregservice
[-] Service Deleted : ShieldSoft

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\pcreg
[-] Folder Deleted : C:\Program Files (x86)\Bench
[-] Folder Deleted : C:\Program Files (x86)\ValueApps
[-] Folder Deleted : C:\Program Files (x86)\Coupons
[-] Folder Deleted : C:\Program Files (x86)\PrintMyCouponAnywhere
[-] Folder Deleted : C:\Program Files (x86)\Digital Coupon Printer
[-] Folder Deleted : C:\ProgramData\Trymedia
[-] Folder Deleted : C:\ProgramData\ValueApps
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
[-] Folder Deleted : C:\Users\CLIFFS~1\AppData\Local\Temp\AskSearch
[-] Folder Deleted : C:\Users\Cliffside\AppData\Roaming\catalina – print savings
[-] Folder Deleted : C:\Users\Cliffside\AppData\Roaming\ShieldSoft
[-] Folder Deleted : C:\Users\Cliffside\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\catalina – print savings
[#] Folder Deleted : C:\Windows\SysNative\Tasks\pcreg
[-] Folder Deleted : C:\Windows\SysWOW64\SearchProtect

***** [ Files ] *****

[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.vaccint.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.superfish.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxps_www.superfish.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_fastcontent.conduit.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_fastcontent.conduit.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pricegong.conduitapps.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pricegong.conduitapps.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.viewpoints.com_0.localstorage
[-] File Deleted : C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.viewpoints.com_0.localstorage-journal
[-] File Deleted : C:\Users\Cliffside\AppData\LocalLow\SkwConfig.bin
[-] File Deleted : C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\searchplugins\conduit-search.xml
[-] File Deleted : C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\searchplugins\SweetIM Search.xml

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : bench-sys
[-] Task Deleted : bench-Updater removing
[-] Task Deleted : pcreg
[-] Task Deleted : bench-sys
[-] Task Deleted : bench-Updater removing
[-] Task Deleted : bench-sys
[-] Task Deleted : bench-Updater removing

***** [ Registry ] *****

[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [pcreg]
[-] Key Deleted : HKCU\Software\Google\Chrome\Extensions\lcnnhcneegeeojhgpfijnlnocjdmlaon
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lcnnhcneegeeojhgpfijnlnocjdmlaon
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F63AAEDC-3602-49EF-AA45-262380A98980}
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\IM
[-] Key Deleted : HKCU\Software\ImInstaller
[-] Key Deleted : HKCU\Software\Softonic
[-] Key Deleted : HKCU\Software\SweetIM
[-] Key Deleted : HKLM\SOFTWARE\Bench
[-] Key Deleted : HKLM\SOFTWARE\SweetIM
[-] Key Deleted : HKLM\SOFTWARE\Trymedia Systems
[-] Key Deleted : HKLM\SOFTWARE\ShieldApps
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}
[-] Key Deleted : HKU\.DEFAULT\Software\AskToolbar
[-] Key Deleted : HKU\.DEFAULT\Software\IM
[-] Key Deleted : HKU\.DEFAULT\Software\ImInstaller
[-] Key Deleted : HKU\.DEFAULT\Software\SweetIM
[-] Key Deleted : HKU\.DEFAULT\Software\WNLT
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
[-] Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [1]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com

***** [ Web browsers ] *****

[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage./9B-0?3G>D", "3B6E6D716E7270457A437372782078777C7C25232020502A52565528562B285D2C2D2E31");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage./9B-0?3GFA7EF", "2B2E2C3D");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage./9B5BA==9CJAG", "6E3D696E3E703F6E7A757146494A784B7B4E7C5051");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage./[email protected];7B=?OFB>>RHIQS", "393F352F3E");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.PG_ENABLE", "74727565");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.SF_JUST_INSTALLED", "46414C5345");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.SF_STATUS", "454E41424C4544");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.SF_USER_ID", "6369645F3230333230313431393536323031393538393231");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage._key_cl_active", "30356566626663652D346636382D343566372D386333362D326465313361656561323033");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.cbfirsttime", "546875204D617220323020323031342031383A30393A323420474D542D3034303020284561737465726E205374616E646172642054696D6529");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_appStateReportTime", "31333935333533333631303136");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_appState_Clarity_Active", "6F6E");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_appsConfig", "7B2241707073436F6E66696775726174696F6E223A5B7B226964223A22436C61726974795F416374697665222C2275726C223A22687474703A2F2F73746F726167652E636F6E647569742E[...]
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_appsDefaultEnabled", "6E756C6C");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_calledSetupService", "31");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_currentVersion", "312E31322E302E35");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_first_time", "31");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_lastLoginTime", "31333935333533333631313838");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_localization", "7B226469616C6F674F4B223A7B2254657874223A224F4B227D2C22646D626F7831223A7B2254657874223A224465616C5C725C6E6F662074686520646179227D2C22646D626F7832223A[...]
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_mamEnabled", "74727565");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_settings1.12.0.5", "7B22537461747573223A22737563636565646564222C2244617461223A7B2263757272656E7444617465223A223230313430333231222C22696E74657276616C223A3234302C2273[...]
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_showWelcomeGadget", "66616C7365");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_stamp", "313034335F30");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_userId", "39363734613634342D386164352D343431322D396662312D336331656539626338343230");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.mam_gk_user_approval_interacted", "");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.rematchGround.upstairs", "7B22687474703A2F2F66617374636F6E74656E742E636F6E647569742E636F6D2F646F776E6C6F61645F6F66666572732E68746D6C3F637469643D4354333331333735307E3130343[...]
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.rematchagent-is-test-user", "66616C7365");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.rematchagent-matkot-user-id", "22313339353335333336383933303038323334353622");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.rematchagent-periodic-reports", "7B2270696E675F30223A5B313339353335333336343339372C31343430303030305D7D");
[-] [C:\Users\Cliffside\AppData\Roaming\Mozilla\Firefox\Profiles\sx6qie0q.default\prefs.js] [Preference] Deleted : user_pref("valueApps.storage.url_history0001", "687474703A2F2F7777772E6D61706D7972756E2E636F6D2F3A3A3A636C69636B68616E646C65723A3A3A313339353335393933303831332C2C2C687474703A2F2F7777772E6D61706D797275[...]
[-] [C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ehhkfhegcenpfoanmgfpfhnmdmflkbgk
[-] [C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : flpcjncodpafbgdpnkljologafpionhb
[-] [C:\Users\Cliffside\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : lcnnhcneegeeojhgpfijnlnocjdmlaon

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [14277 bytes] ##########
Old 11-18-2015, 10:17 AM   #6
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hello again!

Here are the two logs from the Farbar Recovery Scan Tool, attached.

Thank you!
Attached Files
File Type: txt FRST.txt (74.2 KB, 70 views)
File Type: txt Addition.txt (54.2 KB, 38 views)
Old 11-19-2015, 04:16 AM   #7
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Thanks for the logs. Please do the following.

We need to uninstall some programs.

Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

The list of programs to uninstall:

  • Coupon Printer for Windows
  • CouponPrinterPlugin
  • PrintMyCouponAnywhere
  • RevTraxPrintMyCoupon

========================================================

  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.)
  • Save it as fixlist.txt next to FRST64.exe.

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorepoint:
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe
HKLM-x32\...\Run: [Http Listener] => C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-266882270-2799798740-3680536799-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-266882270-2799798740-3680536799-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\CLIFFS~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL [No File]
FF Plugin HKU\S-1-5-21-266882270-2799798740-3680536799-1000: hopster.com/CouponPrinterPlugin -> C:\Users\Cliffside\AppData\Roaming\Hopster\CouponPrinterPlugin\2.0.2.0\npCouponPrinterPlugin.dll [2013-02-21] (Hopster)
FF Plugin HKU\S-1-5-21-266882270-2799798740-3680536799-1000: revtrax.com/RevTraxPrintMyCoupon -> C:\Users\Cliffside\AppData\Roaming\RevTrax\RevTraxPrintMyCoupon\1.0.0.0\npRevTraxPrintMyCoupon.dll [2014-10-15] (RevTrax)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-02-26] (Coupons, Inc.)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-12-12] <==== ATTENTION
2013-09-26 19:14 - 2015-08-14 18:33 - 0048128 _____ () C:\Users\Cliffside\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-23 09:22 - 2015-02-23 09:25 - 0000000 _____ () C:\Users\Cliffside\AppData\Local\{36A59D6C-D7E2-4985-801E-2A61801ED64D}
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
AlternateDataStreams: C:\ProgramData\Temp:6C74C778
AlternateDataStreams: C:\ProgramData\Temp:84FA02E7
AlternateDataStreams: C:\ProgramData\Temp:B1FBBD09
AlternateDataStreams: C:\ProgramData\Temp:B741B2C2
FirewallRules: [{C332F2EA-8863-42D7-80ED-AF28A76490DF}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{1B25DF6C-18AA-4B78-9551-D8AC4DE1AA08}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{B1141418-1BA6-4BB2-B9BC-00F191BE64B4}] => (Allow) c:\program files\pcreg\service.exe
FirewallRules: [{4C2BA67D-298A-4EBE-BB7C-3E85656917E3}] => (Allow) c:\program files\pcreg\service.exe
EmptyTemp:
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
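As an added example (not from the thread, and not part of FRST or AdwCleaner): a read-only PowerShell audit of the same persistence locations the fixlist above targets (Run keys, Chrome policy keys, local Group Policy files, alternate data streams on C:\ProgramData\Temp, and firewall allow rules), so the findings can be compared against a fixlist before anything is removed. It assumes PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt; nothing is changed or deleted.

```powershell
# Added example, not from the thread, FRST or AdwCleaner: a read-only audit of
# the persistence locations the fixlist above targets. Assumes PowerShell 3.0+
# (for Get-Item -Stream) and an elevated prompt. Nothing is changed or deleted.

$findings = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add(("[{0}] {1}" -f $Category, $Detail))
}

# Registry values of a key, minus the PS* metadata properties PowerShell adds.
function Get-RegValues([string]$Key) {
    if (-not (Test-Path $Key)) { return @() }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
}

# 1. Run keys (64-bit view, 32-bit view, current user). The fix removed the
#    "pcreg" value from HKLM\...\Run; every entry here is an autostart.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    foreach ($v in Get-RegValues $key) {
        Add-Finding 'Run' ("{0} [{1}] => {2}" -f $key, $v.Name, $v.Value)
    }
}

# 2. Chrome policy keys. On an unmanaged home PC these normally do not exist;
#    adware creates them to force-install extensions and pin the search
#    provider, which is why the search engine kept reverting on its own.
foreach ($key in @('HKLM:\SOFTWARE\Policies\Google\Chrome',
                   'HKCU:\SOFTWARE\Policies\Google\Chrome')) {
    if (-not (Test-Path $key)) { continue }
    Add-Finding 'ChromePolicy' ("policy key present: {0}" -f $key)
    foreach ($v in Get-RegValues (Join-Path $key 'ExtensionInstallForcelist')) {
        Add-Finding 'ChromePolicy' ("forced extension: {0}" -f $v.Value)
    }
}

# 3. Local Group Policy files (the fix moved GPT.ini and the Machine folder).
foreach ($gp in @("$env:windir\System32\GroupPolicy\GPT.ini",
                  "$env:windir\SysWOW64\GroupPolicy\GPT.ini")) {
    if (Test-Path $gp) { Add-Finding 'GroupPolicy' ("present: {0}" -f $gp) }
}

# 4. Alternate data streams on C:\ProgramData\Temp (six were removed above).
$adsTarget = Join-Path $env:ProgramData 'Temp'
if (Test-Path $adsTarget) {
    Get-Item -Path $adsTarget -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            Add-Finding 'ADS' ("{0}:{1} ({2} bytes)" -f $adsTarget, $_.Stream, $_.Length)
        }
}

# 5. Firewall rules as stored in the registry (the values the Fixlog shows
#    being removed). Each value is "v2.x|Action=Allow|Dir=In|App=...|...".
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
foreach ($rule in Get-RegValues $fwKey) {
    $fields = @{}
    foreach ($kv in ($rule.Value -split '\|')) {
        $parts = $kv -split '=', 2
        if ($parts.Count -eq 2) { $fields[$parts[0]] = $parts[1] }
    }
    if ($fields['Action'] -ne 'Allow' -or -not $fields.ContainsKey('App')) { continue }
    $app = [Environment]::ExpandEnvironmentVariables($fields['App'])
    # A stale allow rule (program already gone) is what remained of pcreg here.
    $state = if (Test-Path $app) { 'present' } else { 'MISSING' }
    Add-Finding 'Firewall' ("{0} allows {1} ({2}, {3})" -f $rule.Name, $app, $fields['Dir'], $state)
}

$findings | Sort-Object
```

Run it once before and once after a fix: entries that disappear between the two runs should match the fixlist, and anything left in the Run or ChromePolicy sections of a home PC deserves a second look.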
Old 11-19-2015, 04:34 PM   #8
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hello Tolga,

My computer seems to be running much better already so that is good news. Here is the Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version:19-11-2015
Ran by Cliffside (2015-11-19 19:15:08) Run:1
Running from C:\Users\Cliffside\Desktop
Loaded Profiles: Cliffside (Available Profiles: Cliffside)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorepoint:
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe
HKLM-x32\...\Run: [Http Listener] => C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-266882270-2799798740-3680536799-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-266882270-2799798740-3680536799-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\CLIFFS~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL [No File]
FF Plugin HKU\S-1-5-21-266882270-2799798740-3680536799-1000: hopster.com/CouponPrinterPlugin -> C:\Users\Cliffside\AppData\Roaming\Hopster\CouponPrinterPlugin\2.0.2.0\npCouponPrinterPlugin.dll [2013-02-21] (Hopster)
FF Plugin HKU\S-1-5-21-266882270-2799798740-3680536799-1000: revtrax.com/RevTraxPrintMyCoupon -> C:\Users\Cliffside\AppData\Roaming\RevTrax\RevTraxPrintMyCoupon\1.0.0.0\npRevTraxPrintMyCoupon.dll [2014-10-15] (RevTrax)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-02-26] (Coupons, Inc.)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-12-12] <==== ATTENTION
2013-09-26 19:14 - 2015-08-14 18:33 - 0048128 _____ () C:\Users\Cliffside\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-23 09:22 - 2015-02-23 09:25 - 0000000 _____ () C:\Users\Cliffside\AppData\Local\{36A59D6C-D7E2-4985-801E-2A61801ED64D}
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
AlternateDataStreams: C:\ProgramData\Temp:6C74C778
AlternateDataStreams: C:\ProgramData\Temp:84FA02E7
AlternateDataStreams: C:\ProgramData\Temp:B1FBBD09
AlternateDataStreams: C:\ProgramData\Temp:B741B2C2
FirewallRules: [{C332F2EA-8863-42D7-80ED-AF28A76490DF}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{1B25DF6C-18AA-4B78-9551-D8AC4DE1AA08}] => (Allow) c:\program files\pcreg\pcreg.exe
FirewallRules: [{B1141418-1BA6-4BB2-B9BC-00F191BE64B4}] => (Allow) c:\program files\pcreg\service.exe
FirewallRules: [{4C2BA67D-298A-4EBE-BB7C-3E85656917E3}] => (Allow) c:\program files\pcreg\service.exe
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Http Listener => value not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKU\S-1-5-21-266882270-2799798740-3680536799-1000\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => key removed successfully
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKU\S-1-5-21-266882270-2799798740-3680536799-1000\Software\MozillaPlugins\CouponNetwork.com/CMDUniversalCouponPrintActivator" => key removed successfully
C:\Users\CLIFFS~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL => not found.
HKU\S-1-5-21-266882270-2799798740-3680536799-1000\Software\MozillaPlugins\hopster.com/CouponPrinterPlugin => key not found.
C:\Users\Cliffside\AppData\Roaming\Hopster\CouponPrinterPlugin\2.0.2.0\npCouponPrinterPlugin.dll => not found.
HKU\S-1-5-21-266882270-2799798740-3680536799-1000\Software\MozillaPlugins\revtrax.com/RevTraxPrintMyCoupon => key not found.
C:\Users\Cliffside\AppData\Roaming\RevTrax\RevTraxPrintMyCoupon\1.0.0.0\npRevTraxPrintMyCoupon.dll => not found.
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => moved successfully
C:\Program Files (x86)\mozilla firefox\firefox.cfg => moved successfully
C:\Users\Cliffside\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Cliffside\AppData\Local\{36A59D6C-D7E2-4985-801E-2A61801ED64D} => moved successfully
C:\ProgramData\Temp => ":2CB9631F" ADS removed successfully.
C:\ProgramData\Temp => ":5C321E34" ADS removed successfully.
C:\ProgramData\Temp => ":6C74C778" ADS removed successfully.
C:\ProgramData\Temp => ":84FA02E7" ADS removed successfully.
C:\ProgramData\Temp => ":B1FBBD09" ADS removed successfully.
C:\ProgramData\Temp => ":B741B2C2" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C332F2EA-8863-42D7-80ED-AF28A76490DF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1B25DF6C-18AA-4B78-9551-D8AC4DE1AA08} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B1141418-1BA6-4BB2-B9BC-00F191BE64B4} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4C2BA67D-298A-4EBE-BB7C-3E85656917E3} => value removed successfully
EmptyTemp: => 5.8 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 19:25:04 ====
Old 11-19-2015, 11:30 PM   #9
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Glad to hear that. Thanks for the log. Please do the following.

Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:

  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the scan log which shows the date and time of the scan just performed.
  • Click Export.
  • Click Text file (*.txt).
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box, type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click OK.
  • Attach that saved log to your next reply.
Old 11-20-2015, 08:10 AM   #10
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Good Morning Tolga,

Please see attached Malwarebytes log.

Thank you!
Jenny
Attached Files
File Type: txt MBAM Log.txt (3.9 KB, 58 views)
Old 11-21-2015, 10:29 AM   #11
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Thanks for the log. Does your problem still continue? Please let me know.
Old 11-21-2015, 08:10 PM   #12
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hi Tolga,

My computer seems to be running so much better now! I have not had any issues so far. Is it safe to use for shopping online? Also, I noticed my coupon printers were removed - are these unsafe? I do print coupons from home, and was hoping to continue.

I want to thank you SO much for all your help and time. I appreciate your help!

Jenny
Old 11-22-2015, 11:16 PM   #13
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Quote:
Is it safe to use for shopping online?

Yes. But prefer trusted sites.

Quote:
I do print coupons from home, and was hoping to continue.

Coupon Printer for Windows >>> please read
CouponPrinterPlugin >>>>>>> please read

============================================

Your reports are clear. Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
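The HOSTS-file suggestion above works by mapping unwanted names to a sinkhole address so the machine never connects to them. The same file is also a favourite target for malware, which adds entries that send update or security sites elsewhere. The script below is an added example (my code, not the analyst's and not the MVPS project's) that parses a HOSTS file, reports which names it blocks, and lists any entry that points a name somewhere other than a sinkhole address so it can be reviewed. The file content and every hostname in it are constructed for illustration; `SINKHOLE_ADDRESSES` and the first-match lookup are my assumptions.

```python
"""Parse a Windows-style HOSTS file and report sinkholed names and odd redirects.

Added example: constructed sample data, not the real MVPS list.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample HOSTS content (assumption: illustrative entries only).
SAMPLE_HOSTS = """\
# Sample HOSTS file, MVPS style: names mapped to a sinkhole address are blocked.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example-tracker.test
0.0.0.0  banner.example-adnet.test   # trailing comment is ignored
127.0.0.1 telemetry.example.test
# A hijack-style entry a defender should notice: a real-looking name sent to a remote host.
203.0.113.45  www.example-bank.test
"""

# Addresses that mean "block": loopback or the unspecified address (assumption).
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; handles comments, blank lines and several names per line."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # validate the address field
        except ValueError:
            continue  # malformed line: skip it rather than crash
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def lookup(hostname: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Address the file would hand back for hostname, or None if absent (first match wins)."""
    wanted = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == wanted:
            return ip
    return None


def is_blocked(hostname: str, entries: List[Tuple[str, str]]) -> bool:
    """True when the file sends hostname to a sinkhole address."""
    ip = lookup(hostname, entries)
    return ip is not None and ip in SINKHOLE_ADDRESSES


def suspicious_redirects(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name to a non-sinkhole address; these deserve a manual review."""
    return [(ip, name) for ip, name in entries if ip not in SINKHOLE_ADDRESSES]


def summarize(text: str) -> Dict[str, int]:
    """Counts of parsed entries, blocked names and non-sinkhole redirects."""
    entries = parse_hosts(text)
    blocked = sum(1 for ip, _ in entries if ip in SINKHOLE_ADDRESSES)
    return {
        "entries": len(entries),
        "blocked": blocked,
        "redirects": len(suspicious_redirects(entries)),
    }


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-tracker.test", "www.example-bank.test", "www.example.test"):
        state = "blocked" if is_blocked(host, parsed) else "not blocked"
        print(f"{host:28} -> {lookup(host, parsed)}  ({state})")
    for ip, name in suspicious_redirects(parsed):
        print(f"REVIEW: {name} is sent to {ip}, not a sinkhole address")
    print(summarize(SAMPLE_HOSTS))
```

To run it against a real machine, read the file at `C:\Windows\System32\drivers\etc\hosts` (the standard location on Windows) and pass its text to `parse_hosts`; a large MVPS-style file should produce zero entries from `suspicious_redirects`, and anything it does list is worth checking before trusting the browser again.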
Old 11-25-2015, 06:18 AM   #14
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hello Tolga,

OK, I have completed the tasks you mentioned and will also work on prevention so this won't happen again. Is it OK to delete the shortcuts for the disinfection tools that were created on my desktop?

Thank you SO much for all your help getting my computer clean! I appreciate all your time and hard work. :-)

Jenny
scoricha is offline  
Old 11-25-2015, 08:03 AM   #15
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hi Tolga,

Just after posting my reply above, my McAfee found & quarantined this virus: Artemis!2D959127F9C1. I have only been on trusted sites, so I'm not sure how I would have gotten another virus?

Jenny
scoricha is offline  
Old 11-25-2015, 11:42 PM   #16
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Weird, it did not show in your reports. OK. Can you please add a screenshot of the warning given by McAfee? Let's see which file/folder it gives a warning for.
__________________
tekir06 is offline  
Old 11-28-2015, 01:27 PM   #17
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hello Tolga,

Computer seems to be running fine. Please see attached screenshot.

Thank you,
Jenny
Attached: Screenshot 2015-11-28 16.26.01.jpg
scoricha is offline  
Old 11-28-2015, 01:31 PM   #18
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Here is a little more detail on the virus quarantined on 11/27 and also a new one detected today.
Attached: Screenshot 2015-11-28 16.29.09.jpg, Screenshot 2015-11-28 16.29.13.jpg
scoricha is offline  
Old 11-28-2015, 04:23 PM   #19
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jenny,

Thanks for the screenshots. OK. Please re-run the FRST tool and attach FRST.exe and Addition.txt.
__________________
tekir06 is offline  
Old 11-30-2015, 08:04 PM   #20
Registered Member
 
Join Date: Nov 2008
Posts: 67
OS: Windows 7 Home Premium



Hi Tolga,

Sorry for my late response! Please see attached files.

Thanks,
Jenny
Attached Files
File Type: txt FRST.txt (69.7 KB, 37 views)
File Type: txt Addition.txt (51.5 KB, 25 views)
scoricha is offline  
Copyright 2001 - 2018, Tech Support Forum