mikecul

Members
  • Posts

    17
  • Joined

  • Last visited

Reputation

0 Neutral
  1. I haven't seen anything pop up in the last 24 hours since my last post. If those are in fact the issue, would they have been related to what we were seeing last week or do you know if they were due to something new that might have been downloaded since then? I'm trying to understand how I prevent us having to do all of this again.
  2. Results of AdwCleaner:

     # AdwCleaner v4.101 - Report created 09/11/2014 at 17:20:36
     # Updated 09/11/2014 by Xplode
     # Database : 2014-11-07.1 [Live]
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : Mike - OFFICE-PC
     # Running from : C:\Users\Mike\Desktop\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     ***** [ Scheduled Tasks ] *****

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

     ***** [ Browsers ] *****

     -\\ Internet Explorer v11.0.9600.17344

     -\\ Google Chrome v38.0.2125.111

     [C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
     [C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
     [C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.newburycomics.com/rel/v2_home.php?storenr=103&storename=Newbury+Comics&db=newbury&sessionid=&deptnr=405&rc=3.2%5Bsn%3D103%2Fsm%3D1%5D&sn=103&sm=1&SearchMenu=60&SearchText={searchTerms}&anyorall=1&StartSearch.x=-366&StartSearch.y=-196&StartSearch=Start+Search
     [C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.sas.com/search/searchquery.html?Find=Search&qt={searchTerms}&qs=-url%3A%2Foffices%2F&qc=extsas

     *************************

     AdwCleaner[R0].txt - [1970 octets] - [09/11/2014 17:16:58]
     AdwCleaner[s0].txt - [1897 octets] - [09/11/2014 17:20:36]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1957 octets] ##########

     Results of JRT (Nothing found)

     Results of MalwareBytes - Nothing Found
  3. FYI.. I've also seen calls to redirect.ads-feed.net and nxsrvl.com since we've started the process. As per your last post, I received the following.

     SystemLook 30.07.11 by jpshortstuff
     Log created at 15:14 on 09/11/2014 by Mike
     Administrator - Elevation successful
     ========== regfind ==========

     Searching for "AB8902B4-09CA-4bb6-B78D-A8F59079A8D5"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     "AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     "AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
     "AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]

     -= EOF =-
  4. RogueKiller found a bunch of things, but Tr.poweliks was not one of them. The first time I ran it, it showed the following: it said that it detected (and killed) Tr.Zeus on mbam.exe in the following path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe. I assume that Trojan was latched onto Malware??? After that it went to about 80% progress and froze. I restarted it and got a fairly long list in the log (attached). The MalwareBytes Anti-Rootkit said that it found nothing. And the malicious notices still continue. Mike

     RKreport_SCN_11092014_122255.log
  5. Nothing was detected using ESET. I'm attaching the two txt files. Mike

     Addition.txt
     FRST.txt
  6. Well, I cleaned up all the programs as per your last post. Since then, my daughter has been on the PC and I'm getting all the same messages. I keep getting malicious sites blocked for fffsee.com and calls to 95.215.1.57. I've done a complete scan on Malwarebytes with no reported threats. My daughter knows better than to install anything new. She does, however, visit a Garry's Mod site that she will occasionally download new content from. She also frequents YouTube on a regular basis. It's one thing to clean all of these, but what are they and how do I avoid them again? I would have thought the addition of MalwareBytes Premium would have stopped these. Instead, it looks like I'm right back where I started? I assume I'll need to go through a few things to get them off? And again, what are they and how do I avoid them? And will virus protection eventually catch up in terms of early detection and removal?
  7. I was able to manually delete it and remove all temp files. It hasn't come up again since. It appears to have removed it.
  8. Ran ESET, which showed 16 threats. Log reads as follows:

     C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSS.exe	a variant of Win32/Systweak.L potentially unwanted application
     C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll	a variant of Win32/Systweak.N potentially unwanted application
     C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe	a variant of Win32/Systweak.L potentially unwanted application
     C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe	a variant of Win32/Systweak potentially unwanted application
     C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe	a variant of Win32/Systweak.L potentially unwanted application
     C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe	a variant of Win32/Systweak.L potentially unwanted application
     C:\Program Files (x86)\NCH Swift Sound\MixPad\mixpad.exe	a variant of Win32/Toolbar.Conduit.I potentially unwanted application
     C:\Program Files (x86)\NCH Swift Sound\MixPad\mpsetup_v2.05.exe	a variant of Win32/Toolbar.Conduit.I potentially unwanted application
     C:\Program Files (x86)\NCH Swift Sound\MixPad\uninst.exe	a variant of Win32/Toolbar.Conduit.I potentially unwanted application
     C:\Program Files (x86)\NCH Swift Sound\WavePad\uninst.exe	a variant of Win32/Toolbar.Conduit.I potentially unwanted application
     C:\Program Files (x86)\NCH Swift Sound\WavePad\wavepad.exe	a variant of Win32/Toolbar.Conduit.I potentially unwanted application
     C:\Program Files (x86)\NCH Swift Sound\WavePad\wpsetup[1]_v4.40.exe	a variant of Win32/Toolbar.Conduit.I potentially unwanted application
     C:\Qoobox\Quarantine\C\Users\Mike\AppData\Roaming\vvneen.dll.vir	a variant of MSIL/Kryptik.AKY trojan
     C:\Users\Mike\AppData\LocalLow\alqiku.dll	a variant of MSIL/Kryptik.AKY trojan
     C:\Users\Mike\Downloads\WinZip175.exe	a variant of Win32/OpenInstall potentially unwanted application
     C:\Windows\Installer\b23f19d.msi	a variant of Win32/Systweak.L potentially unwanted application
  9. I keep getting an add-on failed to run error when launching. Symantec was disabled. I left Malware active.
  10. It appears as though the same site continues to hit against it on a regular basis: 88.214.193.211
  11. Found YTD Video Downloader 3.9.6 in the Programs and Features, clicked uninstall, said that it could not find it and that it may have already been uninstalled, asked if I wanted to remove from the list so I did. Ran FRST along with the fixlist.txt and got the following log:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-10-2014 01
     Ran by Mike at 2014-10-30 22:34:30 Run:2
     Running from C:\Users\Mike\Downloads
     Loaded Profile: Mike (Available profiles: Mike)
     Boot Mode: Normal
     ==============================================

     Content of fixlist:
     *****************
     CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
     C:\ProgramData\Windows Genuine Advantage
     C:\Users\Mike\AppData\Local\Temp\Quarantine.exe
     AlternateDataStreams: C:\Users\Mike\Documents\Scanned Documents:Roxio EMC Stream
     *****************

     Chrome DefaultSuggestURL deleted successfully.
     C:\ProgramData\Windows Genuine Advantage => Moved successfully.
     C:\Users\Mike\AppData\Local\Temp\Quarantine.exe => Moved successfully.
     "C:\Users\Mike\Documents\Scanned Documents" => ":Roxio EMC Stream" ADS not found.

     ==== End of Fixlog ====

     Ran TDSSKiller and it found no threats and nothing suspicious. I'm attaching the two log files.

     TDSSKiller.3.0.0.41_30.10.2014_22.35.33_log.txt
     TDSSKiller.3.0.0.41_30.10.2014_22.38.56_log.txt
  12. I've rerun FRST and have attached the two log files as requested. Thanks! Mike Addition.txt FRST.txt
  13. I've run the security check as instructed and will paste it below. However, I continue to get a malicious website being blocked for the following site: it's outbound on various ports to 88.214.193.211. It occurs with Explorer open and with it closed.

     Results of screen317's Security Check version 0.99.89
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     Symantec Endpoint Protection
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Java 7 Update 51
     Java version out of Date!
     Adobe Flash Player 15.0.0.152
     Adobe Reader XI
     Google Chrome 38.0.2125.104
     Google Chrome 38.0.2125.111
     ````````Process Check: objlist.exe by Laurent````````
     Norton ccSvcHst.exe
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbam.exe
     Malwarebytes Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
  14. All three things have been completed. I'm attaching the two logs for the first two steps, and the third step (malware threat scan) came back with nothing detected. Thanks, Mike

     AdwCleanerS0.txt
     JRT.txt