ad.directrev and others... I'm desperate.

ona_to_zna · January 6, 2014

Hello.
Before I start, I must apollogise. I'm infinitely stupid with computers, and infinitely stupid in general.

If I have inadvertently started the topic where I shouldn't have, please let me know where I should do so.
Some time ago (I have no idea when, maybe a week, maybe two weeks, a month... ? ) my sister tried to install sth on the computer, had some 'issues', swore a lot, and then gave up. I never checked what it was she was doing, and now she doesn't remember. All I know is that some time later, I opened Google Chrome, and my search engine was not google.com anymore but sth with the letter O? Anyway, that much I know how to fix - so I returned the google.com, as my search engine. I don't remember whether the other problems started right then, since I don't spend a lot of time on the net. But a few days ago, all of a sudden new tabs started opening, redirecting me to other sites,sometimes just staying a blank page - sometimes it doesn't even open the new tab - it just suddenly changes the site I'm on at the moment, and sometimes I heard 'sounds' even though I couldn't seem to find the opened tab producing the sounds - whether it was music, or someone using a web cam or something...

Ofcourse, I tried cleaning it with my antivirus (Mycrosoft Security Essentials), but the computer shut down on its own right before it finished, so I never got to see if it found anything. But, after reading tons of stuff in this and other forums, I gather it won't find anything anyway. So, I downloaded Malwarebytes Anti-Malware for starters (since all the other stuff was too complicated I gave up from it all, because I didn't have the time). It found sth, but I don't remember what. Again, I didn't have the time. I just hoped it would fix things. Buuuut, it didn't. No sudden site appearances occur anymore, but the new tabs keep opening, redirecting to other sites, doing their thing. Now, remember, when I mentioned earlier - I'm infinitely stupid? Well, I tried to find a solution directly related to the 'ad.directrev... bla, bla' link that the new tab usually opens, and found Spy Hunter 4. Guess what? YES I downloaded and installed it - before I read any reviews and experiences. Like I said - stupid - to infinity... and beyond! So, i tried uninstalling it - had lots of fun doing that! But, I also read somewhere that someone has also uninstalled it, but that it turned out to be 'hiding' somewhere... don't know where, don't know how to check. Now I have no idea whether the 'uninstall' was successful or not.

I am honestly sorry to have to burden you with my inexperience and lack of knowledge, understanding, idiocy, etc. but unfortunately - I have nowhere else to turn. If someone could help me, I would be, well, infinitely grateful

MrCharlie · January 6, 2014

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt (DDS won't run on W8)

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

ona_to_zna · January 6, 2014

Thank you very much for replying.
I have downloaded DDS, I only need you to tell me how I am supposed to know whether my Anti-Virus/Anti-Malware have a script blocker, and if they do - how exactly do I disconnect from the Internet and disable my Anti-Virus? Currently I have Mycrosoft Security Essentials and Malwarebytes Anti-Malware installed. Do I have to uninstall in order to disable them? Forgive me, unfortunately I am really computer-challenged. As soon as I know how to do that, I will run DDS and post the logs here.

MrCharlie · January 7, 2014

You should be able just to run it as is, no need to disable anything, MrC

ona_to_zna · January 7, 2014

Ok, here goes...

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7600.16800 BrowserJavaVersion: 1.6.0_17

Run by MajaSanja at 14:07:04 on 2014-01-07

Microsoft Windows 7 Ultimate 6.1.7600.0.1250.381.1033.18.2047.810 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\rundll32.exe

C:\Windows\system32\taskhost.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe

C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Program Files (x86)\Stardock\ObjectDockPlus2\Dock64.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDockTray.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit = userinit.exe,

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

StartupFolder: C:\Users\MAJASA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{3A4F4EF5-BFDA-4B5D-8771-6C3C358F9F22} : DHCPNameServer = 192.168.0.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

AppInit_DLLs= c:\progra~2\browse~1\sprote~1.dll c:\progra~2\contin~1\sprote~1.dll c:\progra~3\system~1\system~1.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: DigiiCoupoen: {5CFC0232-9759-D5E3-4685-4FA941182851} -

x64-BHO: NNewwSaVer: {CB14D9F6-848D-3B11-9CCD-583C818BE20C} -

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

x64-STS: ObjectDockShlExt Class - {1984D045-52CF-49cd-DB77-08F378FEA4DB} -

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\

FF - prefs.js: browser.search.selectedEngine - WebSearch

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll

.

============= SERVICES / DRIVERS ===============

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-7-1 254528]

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-10-24 188928]

R2 a1851772;System Booster;C:\Windows\System32\rundll32.exe [2009-7-14 45568]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-1-5 418376]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-1-5 701512]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-1-5 25928]

R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 72064]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-10-24 40832]

.

=============== Created Last 30 ================

.

2014-01-06 23:03:29 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\Spark Plug Games

2014-01-06 23:03:21 -------- d-----w- C:\Users\MajaSanja\AppData\Local\Spark Plug Games

2014-01-06 16:39:36 -------- d-----w- C:\Program Files\Enigma Software Group

2014-01-06 16:37:35 -------- d-----w- C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP

2014-01-06 16:37:32 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard

2014-01-06 16:36:40 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D7A4B9D0-0ADE-4FEA-AFC9-8FE6D4EA6EA4}\offreg.dll

2014-01-06 16:20:49 -------- d-----w- C:\Windows\Fairy Maids

2014-01-06 16:10:54 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\Merscom

2014-01-06 16:10:54 -------- d-----w- C:\ProgramData\Merscom

2014-01-06 16:07:34 -------- d-----w- C:\Windows\Nanny 911

2014-01-06 12:35:55 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D7A4B9D0-0ADE-4FEA-AFC9-8FE6D4EA6EA4}\mpengine.dll

2014-01-05 21:43:20 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\GraveyardShift

2014-01-05 21:29:28 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\Namco

2014-01-05 21:29:28 -------- d-----w- C:\ProgramData\Namco

2014-01-05 16:36:04 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\Sarah's Emergency Hospital

2014-01-05 16:26:49 -------- d-----w- C:\Windows\Emergency Hospital

2014-01-05 14:33:26 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\Malwarebytes

2014-01-05 14:32:54 -------- d-----w- C:\ProgramData\Malwarebytes

2014-01-05 14:32:49 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2014-01-05 14:32:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-01-04 23:48:57 -------- d-----w- C:\ProgramData\InterAction studios

2013-12-31 16:55:23 -------- d-----w- C:\Users\MajaSanja\AppData\Local\Grubby Games

2013-12-31 16:16:38 -------- d-----w- C:\Windows\My Tribe

2013-12-31 15:09:24 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\BlooBuzz

2013-12-30 20:36:31 -------- d-----w- C:\Windows\Habitat Rescue - Lion's Pride

2013-12-30 20:31:02 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\DivoGames

2013-12-30 11:08:04 -------- d-----w- C:\ProgramData\DigiiCoupoen

2013-12-30 11:08:02 -------- d-----w- C:\ProgramData\bnfobpnfclaiflhcpfolndelbheoaofo

2013-12-30 11:07:43 -------- d-----w- C:\ProgramData\NNewwSaVer

2013-12-30 00:17:52 -------- d-----w- C:\Windows\Jack of all Tribes

2013-12-29 19:40:47 -------- d-----w- C:\Windows\Kudos 2

2013-12-29 19:05:45 -------- d-----w- C:\ProgramData\System Booster

2013-12-26 11:06:53 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\ERS Game Studios

2013-12-26 10:45:11 -------- d-----w- C:\Windows\Redemption Cemetery 5 - Bitter Frost CE

2013-12-26 10:40:59 -------- d-----w- C:\ProgramData\SNT

2013-12-26 10:40:58 -------- d-----w- C:\Program Files (x86)\SNT

2013-12-26 10:40:37 -------- d-----w- C:\Program Files (x86)\WebSearch

2013-12-26 10:40:12 -------- d-----w- C:\Program Files (x86)\Optimizer Pro

2013-12-26 10:40:10 -------- d-----w- C:\Users\MajaSanja\AppData\Local\Programs

2013-12-26 10:39:40 -------- d-----w- C:\ProgramData\QuickSet

2013-12-26 10:39:37 -------- d-----w- C:\Program Files (x86)\GS.Enabler

2013-12-26 10:38:52 -------- d-----w- C:\ProgramData\YoutubeAdblocker

2013-12-26 10:38:51 -------- d-----w- C:\Program Files (x86)\YoutubeAdblocker

2013-12-26 10:38:21 -------- d-----w- C:\Users\MajaSanja\AppData\Local\Packages

2013-12-26 10:38:21 -------- d-----w- C:\ProgramData\surf andu keuep

2013-12-26 10:38:20 -------- d-----w- C:\Program Files (x86)\surf andu keuep

2013-12-26 10:37:59 -------- d-----w- C:\ProgramData\4a543c808977a6ea

2013-12-25 12:13:46 -------- d-----w- C:\Windows\Secret of the Magic Crystals

2013-12-21 23:18:31 -------- d-----w- C:\Windows\Hollywood Tycoon

2013-12-09 18:10:29 -------- d-----w- C:\ProgramData\MumboJumbo

2013-12-09 18:10:02 -------- d-----w- C:\ProgramData\Rare Treasures - Dinnerware Trading Company

2013-12-09 18:07:19 -------- d-----w- C:\Windows\Rare Treasures - Dinnerware Trading Company

2013-12-09 16:30:08 -------- d-----w- C:\Users\MajaSanja\AppData\Roaming\Rovio

2013-12-09 16:29:19 -------- d-----w- C:\Windows\Angry Birds Seasons

.

==================== Find3M ====================

.

2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe

2013-11-11 18:08:02 466456 ----a-w- C:\Windows\System32\wrap_oal.dll

2013-11-11 18:08:02 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll

2013-11-11 18:08:02 122904 ----a-w- C:\Windows\System32\OpenAL32.dll

2013-11-11 18:08:02 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll

.

============= FINISH: 14:08:13.62 ===============

Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume3

Install Date: 7/2/2011 5:23:16 AM

System Uptime: 1/7/2014 2:03:15 PM (0 hours ago)

.

Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | G31TM-P21 (MS-7529)

Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU1 | 3000/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 49 GiB total, 24.417 GiB free.

D: is FIXED (NTFS) - 149 GiB total, 139.687 GiB free.

E: is FIXED (NTFS) - 87 GiB total, 72.682 GiB free.

F: is FIXED (NTFS) - 96 GiB total, 44.783 GiB free.

G: is FIXED (NTFS) - 149 GiB total, 91.79 GiB free.

H: is CDROM (CDFS)

I: is CDROM ()

K: is CDROM ()

L: is CDROM ()

M: is CDROM ()

N: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP242: 1/6/2014 5:49:59 PM - Removed SpyHunter

RP243: 1/6/2014 6:02:48 PM - Removed SpyHunter

RP244: 1/6/2014 6:04:53 PM - Removed SpyHunter

.

==== Installed Programs ======================

.

7-Zip 4.57

ACDSee

ACDSee Pro 2.5

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.5

Adobe Shockwave Player 12.0

Compatibility Pack for the 2007 Office system

DAEMON Tools Lite

Fairy Maids

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Intel® Graphics Media Accelerator Driver

Java 6 Update 17

JDownloader

K-Lite Mega Codec Pack 5.8.3

Lizardtech DjVu Control

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Antimalware

Microsoft Office Professional Edition 2003

Microsoft Security Client

Microsoft Security Essentials

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft Windows Media Video 9 VCM

Microsoft WSE 3.0 Runtime

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0

Mozilla Firefox 26.0 (x86 en-US)

Mozilla Maintenance Service

Nero 8 Micro

NVIDIA Control Panel 275.33

NVIDIA Graphics Driver 275.33

NVIDIA Install Application

NVIDIA Update 1.3.5

NVIDIA Update Components

ObjectDock Plus 2

Office 2003 Add-in Latin and Cyrillic Transliteration

OpenAL

Pale Moon 7.0.1 (x86 en-US)

PhotoScape

PicaView

Realtek High Definition Audio Driver

Redemption Cemetery 5 - Bitter Frost CE

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Skype Toolbars

Skype™ 5.0

Stardock Software

swMSM

System Booster

UltraISO Premium V8.61

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

WaveLab 6

Winamp

Windows Live Sign-in Assistant

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

5/4/2099 3:38:13 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.149.1162.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x64&eng=2.1.8904.0&sig=17.36.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.9402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved

5/4/2099 3:38:13 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.149.1162.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x64&eng=2.1.8904.0&sig=17.36.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.9402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved

5/4/2099 3:38:05 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.149.1162.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9402.0&avdelta=1.149.1162.0&asdelta=1.149.1162.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.9402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved

5/4/2099 3:38:05 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.149.1162.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.9402.0&avdelta=1.149.1162.0&asdelta=1.149.1162.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.9402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved

5/4/2099 3:37:55 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.149.1162.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9402.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

5/12/2099 9:30:29 PM, Error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 2 time(s).

5/12/2099 8:59:13 PM, Error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).

12/31/2013 1:52:36 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/7/2014 2:04:12 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/7/2014 12:50:22 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/7/2014 1:04:50 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/5/2014 5:11:26 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/5/2014 5:10:34 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000109 (0xa3a039d8940f0b35, 0xb3b7465ee68d467f, 0xfffff80003fef080, 0x0000000000000002). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010514-21046-01.

1/5/2014 4:32:27 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/5/2014 2:26:31 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/5/2014 12:01:44 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/4/2014 4:11:43 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/3/2014 4:37:48 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/3/2014 12:28:13 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/2/2014 11:58:21 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/1/2014 9:08:48 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

1/1/2014 12:53:30 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

.

==== End Of File ===========================

RogueKiller

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : MajaSanja [Admin rights]

Mode : Scan -- Date : 01/07/2014 14:40:00

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[sUSP PATH][DLL] rundll32.exe -- c:\ProgramData\System Booster\SystemBoosterSvc.dll [-] -> rundll32.exe KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤

[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[APPINIT][sUSP PATH] HKLM\[...]\Windows : AppInit_DLLs ( C:\PROGRA~3\SYSTEM~1\SYSTEM~2.DLL [-]) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤

[V1][ROGUE ST] GS.Enabler-S-4560858878.job : c:\programdata\quickset\gs.enabler\GS.Enabler.exe - /schedule /profile "c:\programdata\quickset\gs.enabler\4560858878.ini" [x][-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD3200AAJB-00TYA0 ATA Device +++++

--- User ---

[MBR] 92a33b5f344b482ecbdb1f123e635867

[bSP] b4d90bc57548b2f423f2ce01699a47a1 : MBR Code unknown

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152734 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 312801280 | Size: 152508 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ExcelStor Technology J9250S ATA Device +++++

--- User ---

[MBR] f660f9fabae6c81b6f9512903374e4c9

[bSP] c75bc8b07a89deeb1fe50a15b9e62833 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 50502 Mo

2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 103635315 | Size: 187861 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[0]_S_01072014_144000.txt >>

I hope I got it right.

MrCharlie · January 7, 2014

Did you install System Booster?
If not please uninstall it from your add/remove programs.

Then..........

Lets clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look similar to this, not "sponsored ad links":

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

ona_to_zna · January 7, 2014

What is System Booster? I didn't install it, and I had a hard time finding control panel, but I managed to uninstall it.
Am I supposed to clean everything suggested by AdwCleaner? I mean, it won't harm the computer or anything? Because, as far as I can see in the report, I don't wan't to keep any of it.
This is the report log, please tell me if there is anything I need to save.

AdwCleaner

# AdwCleaner v3.016 - Report created 07/01/2014 at 17:25:39

# Updated 23/12/2013 by Xplode

# Operating System : Windows 7 Ultimate (64 bits)

# Username : MajaSanja - MAJASANJA-PC

# Running from : C:\Users\MajaSanja\Desktop\AdwCleaner.exe

# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Users\MAJASA~1\AppData\Local\Temp\Uninstall.exe

File Found : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\searchplugins\WebSearch.xml

Folder Found : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\Extensions\gajmlkfq@owzmvlvayuu.co.uk

Folder Found : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\Extensions\yeeiozc@mxbool-.com

Folder Found C:\Program Files (x86)\optimizer pro

Folder Found C:\Program Files (x86)\surf andu keuep

Folder Found C:\Program Files (x86)\WebSearch

Folder Found C:\Program Files (x86)\YoutubeAdblocker

Folder Found C:\ProgramData\DigiiCoupoen

Folder Found C:\ProgramData\NCH Software

Folder Found C:\ProgramData\QuickSet

Folder Found C:\ProgramData\SoftSafe

Folder Found C:\ProgramData\StarApp

Folder Found C:\ProgramData\surf andu keuep

Folder Found C:\ProgramData\Trymedia

Folder Found C:\ProgramData\YoutubeAdblocker

Folder Found C:\Users\MajaSanja\AppData\Local\PackageAware

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\browse~1\sprote~1.dll

Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\contin~1\sprote~1.dll

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Found : HKCU\Software\NCH Software

Key Found : HKCU\Software\powerpack

Key Found : [x64] HKCU\Software\NCH Software

Key Found : [x64] HKCU\Software\powerpack

Key Found : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}

Key Found : HKLM\SOFTWARE\Classes\and

Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Found : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Key Found : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}

Key Found : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}

Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

Key Found : HKLM\SOFTWARE\Classes\surf

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\optimizerpro_rasapi32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\optimizerpro_rasmancs

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\optprostart_rasapi32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\optprostart_rasmancs

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_e14dcdfa

Key Found : HKLM\Software\NCH Software

Key Found : HKLM\Software\SP Global

Key Found : HKLM\Software\SProtector

Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}

Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}

Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}

Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16800

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\prefs.js ]

Line Found : user_pref("aol_toolbar.default.homepage.check", false);

Line Found : user_pref("aol_toolbar.default.search.check", false);

Line Found : user_pref("browser.search.defaultenginename", "WebSearch");

Line Found : user_pref("browser.search.defaultenginename,S", "WebSearch");

Line Found : user_pref("browser.search.order.1", "WebSearch");

Line Found : user_pref("browser.search.order.1,S", "WebSearch");

Line Found : user_pref("browser.search.selectedEngine", "WebSearch");

Line Found : user_pref("browser.search.selectedEngine,S", "WebSearch");

Line Found : user_pref("extensions.517835cc52b10.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol=='hxxp:' && window.self==window.top && ty[...]

Line Found : user_pref("extensions.518fb3c04a85c.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window[...]

Line Found : user_pref("extensions.51b50666425de.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window[...]

Line Found : user_pref("extensions.51b506970add7.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5[...]

Line Found : user_pref("extensions.7yuZeNBVJ.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5;i++[...]

Line Found : user_pref("extensions.BabylonToolbar.prtkDS", 0);

Line Found : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);

Line Found : user_pref("extensions.RihYqex7u.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var[...]

Line Found : user_pref("extensions.UpFppKPMxTW.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.t[...]

Line Found : user_pref("extensions.belA9g8.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var d[...]

Line Found : user_pref("extensions.naWgFhyR3xM.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5;i[...]

Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");

Line Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");

Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");

Line Found : user_pref("sweetim.toolbar.previous.keyword.URL", "");

Line Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");

Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");

Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");

Line Found : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\MajaSanja\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found : homepage

*************************

AdwCleaner[R0].txt - [9259 octets] - [07/01/2014 17:25:39]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [9319 octets] ##########

Also, If there is anything I need to save, could you tell me how? When the report opens, it's a document, no possibility to check or uncheck.

MrCharlie · January 7, 2014

System Booster:

http://www.techspot.com/downloads/5406-cloud-system-booster.html

Yes you can clean all of that up.

If you wanted uncheck an item, you would do that in the program.

MrC

ona_to_zna · January 7, 2014

Eh, ok.... the link doesn't mean much to me... They all say the same things, I still don't understand any of it, whether it's good or bad. I read millions of comments on your and other similar forums, and that is the only reason I dared download MalwareBytes Anti-Malware, or aks for your help, for which I am more than grateful. I just wish I could understand what it is that I am doing exactly. But, even if I don't, it doesn't matter - as long as it works.

Here's the log

AdwCleaner[s0].txt

# AdwCleaner v3.016 - Report created 07/01/2014 at 18:12:46

# Updated 23/12/2013 by Xplode

# Operating System : Windows 7 Ultimate (64 bits)

# Username : MajaSanja - MAJASANJA-PC

# Running from : C:\Users\MajaSanja\Desktop\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\NCH Software

Folder Deleted : C:\ProgramData\QuickSet

Folder Deleted : C:\ProgramData\SoftSafe

Folder Deleted : C:\ProgramData\StarApp

Folder Deleted : C:\ProgramData\Trymedia

Folder Deleted : C:\ProgramData\YoutubeAdblocker

Folder Deleted : C:\ProgramData\DigiiCoupoen

Folder Deleted : C:\ProgramData\surf andu keuep

Folder Deleted : C:\Program Files (x86)\optimizer pro

Folder Deleted : C:\Program Files (x86)\WebSearch

Folder Deleted : C:\Program Files (x86)\YoutubeAdblocker

Folder Deleted : C:\Program Files (x86)\surf andu keuep

Folder Deleted : C:\Users\MajaSanja\AppData\Local\PackageAware

Folder Deleted : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\Extensions\gajmlkfq@owzmvlvayuu.co.uk

Folder Deleted : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\Extensions\yeeiozc@mxbool-.com

File Deleted : C:\Users\MAJASA~1\AppData\Local\Temp\Uninstall.exe

File Deleted : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\searchplugins\WebSearch.xml

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\and

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

Key Deleted : HKLM\SOFTWARE\Classes\surf

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\optimizerpro_rasapi32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\optimizerpro_rasmancs

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\optprostart_rasapi32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\optprostart_rasmancs

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_e14dcdfa

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}

Key Deleted : HKCU\Software\NCH Software

Key Deleted : HKCU\Software\powerpack

Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\NCH Software

Key Deleted : HKLM\Software\SP Global

Key Deleted : HKLM\Software\SProtector

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1

Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\browse~1\sprote~1.dll

Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\contin~1\sprote~1.dll

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16800

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\MajaSanja\AppData\Roaming\Mozilla\Firefox\Profiles\s494nzi2.default\prefs.js ]

Line Deleted : user_pref("aol_toolbar.default.homepage.check", false);

Line Deleted : user_pref("aol_toolbar.default.search.check", false);

Line Deleted : user_pref("browser.search.defaultenginename", "WebSearch");

Line Deleted : user_pref("browser.search.defaultenginename,S", "WebSearch");

Line Deleted : user_pref("browser.search.order.1", "WebSearch");

Line Deleted : user_pref("browser.search.order.1,S", "WebSearch");

Line Deleted : user_pref("browser.search.selectedEngine", "WebSearch");

Line Deleted : user_pref("browser.search.selectedEngine,S", "WebSearch");

Line Deleted : user_pref("extensions.517835cc52b10.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol=='hxxp:' && window.self==window.top && ty[...]

Line Deleted : user_pref("extensions.518fb3c04a85c.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window[...]

Line Deleted : user_pref("extensions.51b50666425de.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window[...]

Line Deleted : user_pref("extensions.51b506970add7.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5[...]

Line Deleted : user_pref("extensions.7yuZeNBVJ.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5;i++[...]

Line Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);

Line Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);

Line Deleted : user_pref("extensions.RihYqex7u.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var[...]

Line Deleted : user_pref("extensions.UpFppKPMxTW.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.protocol.indexOf('hxxp')>-1 && window.self==window.t[...]

Line Deleted : user_pref("extensions.belA9g8.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var d[...]

Line Deleted : user_pref("extensions.naWgFhyR3xM.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5;i[...]

Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");

Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");

Line Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");

Line Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");

Line Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");

Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");

Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");

Line Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\MajaSanja\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

*************************

AdwCleaner[R0].txt - [9427 octets] - [07/01/2014 17:25:39]

AdwCleaner[s0].txt - [9119 octets] - [07/01/2014 18:12:46]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [9179 octets] ##########

MalwareBytes Anti-Malware

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

Database version: v2014.01.07.04

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

MajaSanja :: MAJASANJA-PC [administrator]

Protection: Enabled

1/7/2014 6:20:10 PM

MBAM-log-2014-01-07 (20-15-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)

Scan options disabled: P2P

Objects scanned: 436090

Time elapsed: 1 hour(s), 42 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 2

HKCR\CLSID\{59713207-FE98-70A4-2576-7C5B37C7B1CA} (PUP.Optional.MultiPlug.A) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{59713207-FE98-70A4-2576-7C5B37C7B1CA} (PUP.Optional.MultiPlug.A) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 23

C:\AdwCleaner\Quarantine\C\Program Files (x86)\surf andu keuep\9o9p.dll.vir (PUP.Optional.MultiPlug.A) -> No action taken.

C:\AdwCleaner\Quarantine\C\Program Files (x86)\surf andu keuep\9o9p.x64.dll.vir (PUP.Optional.MultiPlug.A) -> No action taken.

C:\AdwCleaner\Quarantine\C\Program Files (x86)\YoutubeAdblocker\KYoyEkcdF.dll.vir (PUP.Optional.MultiPlug.A) -> No action taken.

C:\AdwCleaner\Quarantine\C\Program Files (x86)\YoutubeAdblocker\KYoyEkcdF.x64.dll.vir (PUP.Optional.MultiPlug.A) -> No action taken.

C:\Program Files (x86)\SNT\cEKyHA9.dll (PUP.Optional.MultiPlug.A) -> No action taken.

C:\Program Files (x86)\SNT\cEKyHA9.x64.dll (PUP.Optional.MultiPlug.A) -> No action taken.

C:\Program Files (x86)\Sony\Sound Forge Pro 10.0\Keygen.exe (PUP.Riskware.Keygen) -> No action taken.

F:\Igre\Instalacije\Stare dobre\FlowerShop - BigCityBreak.rar (Trojan.MultiDropper) -> No action taken.

F:\Igre\Instalacije\Voljene stare\Farm Tribe [uPDATED].exe (Trojan.MultiDropper) -> No action taken.

F:\Igre\Instalacije\Voljene stare\Farm Tribe [uPDATED].rar (Trojan.MultiDropper) -> No action taken.

F:\Igre\Instalacije\Voljene stare\Plant Tycoon.rar (Trojan.MultiDropper) -> No action taken.

F:\Igre\Instalacije\Voljene stare\Supermodel Empire.rar (Trojan.MultiDropper) -> No action taken.

F:\Igre\Instalacije\Voljene stare\Plant Tycoon\Plant Tycoon.exe (Trojan.MultiDropper) -> No action taken.

F:\Igre\Instalacije\Voljene stare\Supermodel Empire\Supermodel Empire.exe (Trojan.MultiDropper) -> No action taken.

F:\PROGRAMI ZA SEDMICU\AUDIO\sonic.foundry.noise.reduction.dx.plug.v2.0a.w.keymaker-damn\damn_NoisePlugin_kg.exe (Trojan.Agent.CK) -> No action taken.

F:\PROGRAMI ZA SEDMICU\AUDIO\sonic.foundry.noise.reduction.dx.plug.v2.0a.w.keymaker-damn\noise.reduction.v2.0a.zip (Trojan.Agent.CK) -> No action taken.

F:\PROGRAMI ZA SEDMICU\BLUE TOOTH\IVT.BlueSoleil.v6.4.249.0.Incl.Keymaker-EMBRACE\keygen.exe (Trojan.Agent) -> No action taken.

F:\PROGRAMI ZA SEDMICU\VMware-workstation-6.5.1-126130\or Keygen TBE\keygen.exe (Riskware.Tool.CK) -> No action taken.

F:\Sanja NE DIRAJ!!!!!!!!!!!!!!!!!!!!\NO TOUCHY\PhotoScape_V3.6.3.exe (PUP.Optional.OpenCandy) -> No action taken.

F:\Sanja NE DIRAJ!!!!!!!!!!!!!!!!!!!!\NO TOUCHY\PhotoScape_V3.6.4.exe (PUP.Optional.OpenCandy) -> No action taken.

F:\Sanja NE DIRAJ!!!!!!!!!!!!!!!!!!!!\NO TOUCHY\YouTubeDownloaderSetup253b.exe (PUP.Optional.DealioTB.A) -> No action taken.

F:\Sanja NE DIRAJ!!!!!!!!!!!!!!!!!!!!\NO TOUCHY\Novi DAEMON\DTLite4452-0287.exe (PUP.Optional.OpenCandy) -> No action taken.

G:\EA GAMES instalacije\Sims Medieval patch 2.0\Brothersoft_downloader_For_The_Sims_Medieval_Patch_2_0_113_Retail_.exe (PUP.Optional.BSDownloader) -> No action taken.

(end)

As far as I can tell, the computer is fine. For now. I honestly hope it is.

ona_to_zna · January 7, 2014

Ok, I don't know if this is important, but MalwareBytes Anti-Malware is showing a text bubble warning me that it has just prevented access to a potentially harmful site or sth. At the time I wasn't trying to enter any specific site, I was just typing into google.com search , and didn't even get to click 'enter'. Is that good or bad? Does it still mean that the browser is trying to open a site on its own?

ona_to_zna · January 7, 2014

Ok, this is exactly what it says (the bubble)
'Successfully blocked access to a potentially malicious website: 128.127.110.142
Type: outgoing
Port: 51086, Process: chrome.exe'

My sister was trying to open some site, and it popped up again :/ then she called me, and I made her stop everything she was doing, placed the cursor on the bubble so that it doesn't fade away - quickly opened the tab with our discussion, put the cursor back on the bubble again, and typed everything it says I'm so proud of myself right now... Didn't know how to find what it was it said previously. This is the highlight of my day - finally managed to do something right on my own So, what is it, what does it mean?

MrCharlie · January 7, 2014

Programs like System Booster aren't recommended to have on your system especially that you didn't even install it!

------------------------------

I noticed in the log from Malwarebytes that it says:
No action taken

Did you actually delete everything it found, if not go back and run it again.
Make sure you run it like this:

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

---------------------------------------

So, what is it, what does it mean?

It may be just Malwarebytes doing it's job.

Lets take a look:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's a little reading on Malwarebytes IP blocking:

The Website/IP Blocking is a good feature of Malwarebytes, but when it does its job....people think they're infected. Sometimes this is true, but we checked the system and I don't see any malware on the system.

My protection logs have similar notifications.

Here's some more information on IP Blocking by Malwarebytes:

IP blocks can indicate a number of things:

They could indicate that MBAM is doing its job of blocking bad content on websites.

They can also occur when running Skype and certain P2P programs, such as torrents. For example, please see this help desk topic about Skype and this one about P2P.

In some cases the blocks are a false positive.

However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the FAQ - Section G (and in the Helpdesk topics HERE and HERE).
They include instructions on how to set MBAM to ignore a particular IP, if you wish to do so.
They also contain instructions on how to determine what process might be trying to make the connections.
You may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this sticky topic before starting a new topic in the False Positives forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with cleaning process Available Assistance For Possibly Infected Computers.

MrC

ona_to_zna · January 7, 2014

I will run MalwareBytes Anti-Malware again, just in case. I saw that there were some items in the quarantine tab, and deleted them all, but again, just in case.
In the meantime, here are the FRST logs

Addition.txt

FRST.txt

MrCharlie · January 7, 2014

You do have a Skype extension in Chrome:
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx

--------------------------

I see you ran some other programs:
2014-01-05 16:52 - 2014-01-05 16:52 - 04745728 _____ (AVAST Software) C:\Users\MajaSanja\Downloads\aswMBR.exe
2014-01-05 16:36 - 2014-01-05 16:37 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\MajaSanja\Downloads\tdsskiller.exe

--------------------------

Can you have a look in these folders and do you recognize them: (if not please delete them)
C:\ProgramData\bnfobpnfclaiflhcpfolndelbheoaofo
C:\ProgramData\4a543c808977a6ea

-----------------------

Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Let me know how it is, MrC

ona_to_zna · January 7, 2014

I started reading up on the IP blocking, although so far I understand very little. But I'm very happy that someone has tried to 'brake it down' for people with less computer and computer lingo 'aptitude'.
I also read somewhere in the forum that a program called Combofix is not recommendable, but that it also made someone's computer a lot faster.
Is it safe to try it with your help, or is there another way for me to restore a little bit of my computer's old speed? It's pretty old. I read that cleaning it (literally) helps - it's been cleaned recently, but it really made no difference.

Anyway, I don't want to bother you anymore than I have to, so, if combofix is not sth that you would recommend, I'm ok with that.
Also, I downloaded Tcpview to see if I can wrap my head around how that works. Followed the instructions, and there was a huge list. Ofcourse, it was like trying to read chinese. For me at least. But, at the top, there were these two

Process PID Protocol Local Adresss Local Port Remote address Remote Port State Sent Packets Sent Bytes Rcvd Packets Rcvd Bytes

chrome.exe 2576 TCP 192.168.0.101 52241 5.22.190.99 443 ESTABLISHED 8 2,928 12 6,029

chrome.exe 2576 TCP 192.168.0.101 52242 173.194.41.79 443 ESTABLISHED 7 1,401 10 4,546

(I think they were the same) Anyway, while I was giving myself a headache trying to figure out what it means and what to do - they turned red and disappeared. Now they're back, so that's what I copied here. Is there any reason for alarm?
Now two more appeared, turned green... then two turned red, and disappeared.

I am honestly sorry to bother you with what must be trivialities to you. But I am really bad at this. This is exactly why I don't mess with the internet or computers in general. They also turn yellow. I don't get what it all means. Unfortunately, it doesn't open the 'help' from the help menu.

Anti-Malware is still working.

ona_to_zna · January 7, 2014

Wow - ok - but there is nothing related to skype on the browser itself :/ I had it installed maybe ten years ago by a friend, practically never used it, so... I thought I uninstalled it :/

Am I supposed to delete it?

About the other two programs, I honestly forgot about those, must have deleted them right after...

I don't recognize anything about the two folders, so I deleted them. Will do the fixlist in a few.

ona_to_zna · January 7, 2014

FifLog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-01-2014

Ran by MajaSanja at 2014-01-08 00:11:06 Run:1

Running from C:\Users\MajaSanja\Desktop\New folder

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

BHO: DigiiCoupoen - {5CFC0232-9759-D5E3-4685-4FA941182851} - C:\ProgramData\DigiiCoupoen\vlGR3mB.x64.dll No File

BHO: NNewwSaVer - {CB14D9F6-848D-3B11-9CCD-583C818BE20C} - C:\ProgramData\NNewwSaVer\SrbBs.x64.dll No File

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File

Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File

Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - No File

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction

C:\Users\MajaSanja\AppData\Local\Temp\ntdll_dump.dll

C:\Users\MajaSanja\AppData\Local\Temp\Quarantine.exe

C:\Users\MajaSanja\AppData\Local\Temp\SHSetup.exe

C:\Users\MajaSanja\AppData\Local\Temp\Tsu9CE13F91.dll

C:\Users\MajaSanja\AppData\Local\Temp\uninst.exe

Task: {87F16C16-63F9-4863-970E-AF37C9DC4892} - System32\Tasks\GS.Enabler-S-4560858878 => c:\programdata\quickset\gs.enabler\GS.Enabler.exe

Task: C:\Windows\Tasks\GS.Enabler-S-4560858878.job => c:\programdata\quickset\gs.enabler\GS.Enabler.exe

c:\programdata\quickset\gs.enabler

AlternateDataStreams: C:\ProgramData\Temp:10F6E97E

AlternateDataStreams: C:\ProgramData\Temp:18BFD8F8

AlternateDataStreams: C:\ProgramData\Temp:1F96ED45

AlternateDataStreams: C:\ProgramData\Temp:C243D9EC

AlternateDataStreams: C:\ProgramData\Temp:F0F9D08A

*****************

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CFC0232-9759-D5E3-4685-4FA941182851} => Key deleted successfully.

HKCR\CLSID\{5CFC0232-9759-D5E3-4685-4FA941182851} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB14D9F6-848D-3B11-9CCD-583C818BE20C} => Key deleted successfully.

HKCR\CLSID\{CB14D9F6-848D-3B11-9CCD-583C818BE20C} => Key deleted successfully.

HKCR\PROTOCOLS\Handler\skype-ie-addon-data => Key deleted successfully.

HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8} => Key not found.

HKCR\Wow6432Node\PROTOCOLS\Handler\gopher => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{79eac9e4-baf9-11ce-8c82-00aa004ba90b} => Key not found.

HKCR\PROTOCOLS\Filter\text/xml => Key deleted successfully.

HKCR\CLSID\{807553E5-5146-11D5-A672-00B0D022E945} => Key not found.

HKLM\SOFTWARE\Policies\Google => Key deleted successfully.

C:\Users\MajaSanja\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.

C:\Users\MajaSanja\AppData\Local\Temp\Quarantine.exe => Moved successfully.

C:\Users\MajaSanja\AppData\Local\Temp\SHSetup.exe => Moved successfully.

C:\Users\MajaSanja\AppData\Local\Temp\Tsu9CE13F91.dll => Moved successfully.

C:\Users\MajaSanja\AppData\Local\Temp\uninst.exe => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{87F16C16-63F9-4863-970E-AF37C9DC4892} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87F16C16-63F9-4863-970E-AF37C9DC4892} => Key deleted successfully.

C:\Windows\System32\Tasks\GS.Enabler-S-4560858878 => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GS.Enabler-S-4560858878 => Key deleted successfully.

C:\Windows\Tasks\GS.Enabler-S-4560858878.job => Moved successfully.

"c:\programdata\quickset\gs.enabler" => File/Directory not found.

C:\ProgramData\Temp => ":10F6E97E" ADS removed successfully.

C:\ProgramData\Temp => ":18BFD8F8" ADS removed successfully.

C:\ProgramData\Temp => ":1F96ED45" ADS removed successfully.

C:\ProgramData\Temp => ":C243D9EC" ADS removed successfully.

C:\ProgramData\Temp => ":F0F9D08A" ADS removed successfully.

==== End of Fixlog ====

MrCharlie · January 7, 2014

If you no longer have Skype, I would disable/delete the extension.

CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx

ComboFix is widely used but it's not designed for the average computer user to run, it should be used only under the supervision of a trained expert.

Some info on that:

http://www.bleepingcomputer.com/forums/topic273628.html

Here's some info on that IP address:

MrC

ona_to_zna · January 7, 2014

Ok, so no go on ComboFix, message understood.
I deleted the entire Skype folder from program files.

As for the IP address... I've got nothing to do with Nederlands, I'm not even from Nederlands - is that good or bad?

ona_to_zna · January 7, 2014

Ok, just now, there were more then ten processes related to Google Chrome in TCPView, all with different IP addresses, even though I am on Google Chrome right now, with only 3 open tabs - one for google.com, one for this discussion, and one for the link you gave me - FAQ - Common Issues... on this site - and, I've been watching the TV, so I didn't open any new tabs or did anything with the computer. That's bad, isn't it?

MrCharlie · January 7, 2014

I'm not going to get involved in TCPView.

Did you delete the Skype extension in Chrome???

If you would like to run ComboFix:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

ona_to_zna · January 7, 2014

Ummm, I suppose you didn't see the previous message - yes, I deleted the Skype folder - but, I don't know whether that applies to the Skype extension as well, or how to do it, if it doesn't.
As for ComboFix, if you would rather that I don't run it, I won't.
And as for TCPView, do you know if there is someplace else I can ask for help, or at least an explanation of what it means? Do you know if I should create another topic here related only to TCPView, if there is someone who can help with that?

ona_to_zna · January 8, 2014

Ok, I checked under the 'extensions' in Google Chrome settings, and there were no extensions related to SKype, although there was something calleg DigiiCoupo (i might be spelling it wrong, I forgot to memorise it before I deleted it). Is that what you meant by Skype extension in Chrome?

Please don't be cross with me, this is the first time in my life I am doing anything with a computer other than playing mahjong or checking my mail, or facebook. Ok, or checking Imdb, Rotten Tomatos, and listening to music on YouTube. Cross my heart. I reeeaaally am scared to death that I am going to kill it (the computer) and then my family is going to kill me. Before I get to kill myself (less painfully).

Thank you so much for helping me, MrC, and I am putting all my effort to make this as easy as possible for both you and myself.

ona_to_zna · January 8, 2014

And as for MalwareBytes Anti-Malware

no threats were found, but here's the log anyway:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

Database version: v2014.01.07.04

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

MajaSanja :: MAJASANJA-PC [administrator]

Protection: Enabled

1/7/2014 11:18:02 PM

mbam-log-2014-01-07 (23-18-02).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)

Scan options disabled: P2P

Objects scanned: 436814

Time elapsed: 1 hour(s), 53 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

MrCharlie · January 8, 2014

You still have Skype in your add/remove programs: Please uninstall if you can:

Skype Toolbars (x32 Version: 5.5.7896 - Skype Technologies S.A.)

Skype™ 5.0 (x32 Version: 5.0.152 - Skype Technologies S.A.)

Then........

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Clean out temp files: (may require a reboot)

Download TFC from here and save it to your desktop.

http://oldtimer.geekstogo.com/TFC.exe

Close any open programs and Internet browsers.

Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.

Please be patient as clearing out temp files may take a while.

Once it completes you may be prompted to restart your computer, please do so.

Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

------------------------------------

For TCPView, ask here:

https://forums.malwarebytes.org/index.php?showforum=6

MrC

ad.directrev and others... I'm desperate.

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information