

Lately when I try to click on links on any website I get redirected to some kind of malicious website, even when I'm trying to open an email. I keep getting popup ads playing at random times as well. I've run Malwarebytes, Adaware, Spybot S&D, and Norton and nothing seems to fix it. I ran HijackThis and it told me it couldn't run, but then it produced a log file anyway. Posted below. Any help would be appreciated.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 12:38:48 PM, on 1/12/2014
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.16384)
 
 
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\Toshiba\System Setting\TssSrv.exe
C:\Program Files (x86)\Unified Remote\RemoteServer.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\hrinky\Downloads\HijackThis (2).exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com/?pc=TNJB
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com/?pc=TNJB
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com/?pc=TNJB
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by TOSHIBA
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Vuze Remote Toolbar - {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\8.5\vuzeToolbarIE.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Vuze Remote Toolbar - {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\8.5\vuzeToolbarIE.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\IPS\IPSBHO.DLL
O2 - BHO: HelperApps - {9309F1DB-7211-3137-EFB3-660AB52218E6} - C:\Program Files (x86)\HelperApps\petn.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O3 - Toolbar: Vuze Remote Toolbar - {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\8.5\vuzeToolbarIE.dll
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll
O4 - HKLM\..\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TSVU] "c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe"
O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKCU\..\Run: [Unified Remote v2] C:\Program Files (x86)\Unified Remote\RemoteServer.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\syswow64\nvinit.dll
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @C:\Windows\system32\CxAudMsg64.exe,-100 (CxAudMsg) - Unknown owner - C:\Windows\system32\CxAudMsg64.exe (file missing)
O23 - Service: DTS APO Service (dts_apo_service) - Unknown owner - C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppIntegrationService - TODO: <Company name> - C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: Intel® Capability Licensing Service Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel® Capability Licensing Service TCP IP Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: Intel® ME Service - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
O23 - Service: Intel® Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Ad-Aware Service 11 (LavasoftAdAwareService11) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5152.0\AdAwareService.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
O23 - Service: Norton Anti-Theft (NAT) - Symantec Corporation - C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - Unknown owner - C:\Windows\system32\ThpSrv.exe (file missing)
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA eco Utility Service - Toshiba Corporation - C:\Program Files\Toshiba\Teco\TecoService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Zero Configuration Service (ZeroConfigService) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
 
--
End of file - 14496 bytes
 

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt (DDS won't run on W8)

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32-bit to your desktop.

RogueKiller <--- use this one for 64-bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Could not run DDS (I'm on W8)

 

I uninstalled my P2P software, ran Malwarebytes which found one PUP.Optional.Conduit.A (it's been finding quite a few of these lately).

I removed that and ran RogueKiller 64-bit. Log below:

 

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : hrinky [Admin rights]
Mode : Scan -- Date : 01/12/2014 14:09:45
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP PATH] HelperApps Update : C:\Users\hrinky\AppData\Local\HelperApps\petnupdate.exe - CID=JollyWalletTEST NAME=HelperApps AUTOGUID={9309F1DB-7211-3137-EFB3-660AB52218E6} [-][x][x][x] -> FOUND
[V2][SUSP PATH] TidyNetwork Update : C:\Users\hrinky\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUS26 AUTOGUID={9A01FDC7-653A-3602-F0B2-0D0AB52218E6} [x][x][x] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
[...]
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MQ01ABD100H +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_01122014_140945.txt >>
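An added triage helper (my own example, not part of this thread and not code from HijackThis, RogueKiller or Malwarebytes): it takes lines copied from the two logs above as a constructed sample, flags binaries loaded from user-writable locations (a simplified version of the idea behind RogueKiller's [SUSP PATH] tag) and groups entries that share a CLSID, which is how the HelperApps BHO and its scheduled updater task line up here.

```python
"""Correlate persistence entries from HijackThis / RogueKiller style logs.

Added example for this thread, not part of HijackThis, RogueKiller or
Malwarebytes: it pulls file paths and CLSIDs out of pasted log lines, flags
binaries that live in user-writable locations (a simplified version of the
idea behind RogueKiller's [SUSP PATH] tag) and groups entries that share a
GUID, so a BHO and the scheduled task that updates it are shown together.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: HelperApps - {9309F1DB-7211-3137-EFB3-660AB52218E6} - C:\Program Files (x86)\HelperApps\petn.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O4 - HKCU\..\Run: [Unified Remote v2] C:\Program Files (x86)\Unified Remote\RemoteServer.exe
O20 - AppInit_DLLs: c:\windows\syswow64\nvinit.dll
[V2][SUSP PATH] HelperApps Update : C:\Users\hrinky\AppData\Local\HelperApps\petnupdate.exe - CID=JollyWalletTEST NAME=HelperApps AUTOGUID={9309F1DB-7211-3137-EFB3-660AB52218E6} [-][x][x][x] -> FOUND
[V2][SUSP PATH] TidyNetwork Update : C:\Users\hrinky\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUS26 AUTOGUID={9A01FDC7-653A-3602-F0B2-0D0AB52218E6} [x][x][x] -> FOUND
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path ending in .exe or .dll.  Spaces are allowed inside it
# because "Program Files (x86)" appears in most entries.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]+?\.(?:exe|dll)\b', re.IGNORECASE)

# Locations a standard user can write to without elevation.  Legitimate BHOs and
# scheduled-task binaries rarely live here, so it is a strong (not conclusive)
# triage signal.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\downloads\\")

# Log-line prefixes and the persistence mechanism each one describes.
KIND_PREFIXES = (
    ("O2 - BHO", "BHO"),
    ("O3 - Toolbar", "Toolbar"),
    ("R3 - URLSearchHook", "URLSearchHook"),
    ("O4 -", "Run key"),
    ("O20 - AppInit_DLLs", "AppInit_DLLs"),
    ("[V2]", "Scheduled task"),
    ("CHR Extension", "Chrome extension"),
)


def classify(line):
    """Map a log line to the persistence mechanism it describes."""
    for prefix, kind in KIND_PREFIXES:
        if line.startswith(prefix):
            return kind
    return "other"


def is_user_writable(path):
    """True if the path sits somewhere a non-admin user can modify."""
    lowered = path.lower().replace("/", "\\")
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def parse_line(line):
    """Return a finding for one log line, or None if it names no binary."""
    paths = PATH_RE.findall(line)
    if not paths:
        return None
    guids = {g.upper() for g in GUID_RE.findall(line)}
    reasons = []
    if any(is_user_writable(p) for p in paths):
        reasons.append("binary in user-writable location")
    return {"kind": classify(line), "paths": paths, "guids": guids, "reasons": reasons}


def triage(log_text):
    """Parse pasted log text and correlate entries that share a GUID."""
    findings = []
    for raw in log_text.splitlines():
        finding = parse_line(raw.strip())
        if finding:
            findings.append(finding)
    by_guid = defaultdict(list)
    for finding in findings:
        for guid in finding["guids"]:
            by_guid[guid].append(finding)
    # A GUID seen under more than one mechanism (here: a BHO plus the scheduled
    # task that updates it) ties those entries to the same component.
    for guid, entries in by_guid.items():
        kinds = sorted({e["kind"] for e in entries})
        if len(kinds) > 1:
            for entry in entries:
                entry["reasons"].append("GUID %s shared by %s" % (guid, ", ".join(kinds)))
    flagged = [f for f in findings if f["reasons"]]
    return {"findings": findings, "by_guid": dict(by_guid), "flagged": flagged}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["flagged"]:
        print(finding["kind"], finding["paths"][0], "|", "; ".join(finding["reasons"]))
```

On the sample above it flags both petnupdate.exe tasks for their AppData location and the HelperApps BHO because it shares its CLSID with one of those tasks, while the Norton, Unified Remote and nvinit.dll entries are left alone.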

Please make sure you have system restore running and have created a new restore point before continuing.

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[V2][SUSP PATH] HelperApps Update : C:\Users\hrinky\AppData\Local\HelperApps\petnupdate.exe - CID=JollyWalletTEST NAME=HelperApps AUTOGUID={9309F1DB-7211-3137-EFB3-660AB52218E6} [-][x][x][x] -> FOUND
[V2][SUSP PATH] TidyNetwork Update : C:\Users\hrinky\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUS26 AUTOGUID={9A01FDC7-653A-3602-F0B2-0D0AB52218E6} [x][x][x] -> FOUND


Now click Delete on the right hand column under Options

-------------

Let's clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look similar to this, not "sponsored ad links":


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Running the MWB full scan now, here is the AdwCleaner Report

 

# AdwCleaner v3.017 - Report created 12/01/2014 at 14:46:21
# Updated 12/01/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : hrinky - HRINKY-OSU
# Running from : C:\Users\hrinky\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\blekko toolbars
Folder Deleted : C:\ProgramData\Search Protection
Folder Deleted : C:\Program Files (x86)\TidyNetwork
Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
Folder Deleted : C:\Program Files (x86)\Common Files\Spigot
Folder Deleted : C:\Users\hrinky\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\hrinky\AppData\Roaming\optimizer pro
Folder Deleted : C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbcennhacfaagdopikcegfcobcadeocj
Folder Deleted : C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdlfehblmklkikfigmjhbmmpmkmpooj
Folder Deleted : C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfndaklgolladniicklehhancnlgocpp
File Deleted : C:\Users\hrinky\Desktop\Optimizer Pro.lnk

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\hbcennhacfaagdopikcegfcobcadeocj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\icdlfehblmklkikfigmjhbmmpmkmpooj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pfndaklgolladniicklehhancnlgocpp
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05478A66-EDB6-4A22-A870-A5987F80A7DA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{05478A66-EDB6-4A22-A870-A5987F80A7DA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{05478A66-EDB6-4A22-A870-A5987F80A7DA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adawaretb
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16384

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [5152 octets] - [12/01/2014 14:40:52]
AdwCleaner[S0].txt - [4860 octets] - [12/01/2014 14:46:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4920 octets] ##########

Here is the MWB log. It only found 1 PUP to remove, but even on my navigation back to this forum site, I clicked on the link and got re-directed to some google.offer-net site that my antivirus blocked as malicious. Every time this happens (it happens whether I'm trying to open an email or a search result), I close the redirected link and then next time I click on it it opens fine.

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.12.05
 
Windows 8 x64 NTFS
Internet Explorer 11.0.9600.16476
hrinky :: HRINKY-OSU [administrator]
 
Protection: Enabled
 
1/12/2014 2:53:55 PM
mbam-log-2014-01-12 (14-53-55).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 383063
Time elapsed: 35 minute(s), 44 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\hrinky\AppData\Local\Microsoft\Windows\INetCache\IE\Z15A8UAB\Setup[1].exe (PUP.Optional.Albrecto.A) -> Quarantined and deleted successfully.
 
(end)

What browsers are affected?

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.


MrC


Do you recognize these two extensions in Chrome:

CHR Extension: (HelperApps ) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpkgeokclehepckaodmhdbgonfpddejg\5.0.0.0_0 [2014-01-01]

CHR Extension: (AT_Nintea) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0 [2013-12-04]

Let me know.....MrC


Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Let me know about the other 2 extensions I asked you about.

MrC


I do not recognize those extensions.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-01-2014 01
Ran by hrinky at 2014-01-12 17:11:53 Run:1
Running from C:\Users\hrinky\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {532D783B-0DF1-422F-A45B-369081B6A9B9} URL = 
SearchScopes: HKCU - {9B5873D6-013E-456E-BD97-B44446D040F6} URL = http://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=10741
SearchScopes: HKCU - {DC0356F5-D7DB-4EBE-A3EA-39B017E1E49F} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=994519&p={searchTerms}
SearchScopes: HKCU - {ECCF36E4-FFC3-4D31-B7A5-8019EB3BDF8E} URL = http://search.findwide.com/serp?guid={3487A8E4-C54D-452D-ADF6-657B2BDA3B09}&action=default_search&serpv=22&k={searchTerms}
BHO: HelperApps - {9309F1DB-7211-3137-EFB3-660AB52218E6} - C:\Program Files (x86)\HelperApps\petn64.dll ()
BHO: TidyNetwork - {9A01FDC7-653A-3602-F0B2-0D0AB52218E6} - C:\Program Files (x86)\TidyNetwork\petn64.dll No File
Toolbar: HKLM - FindWide Toolbar - {F88A658F-32ED-4E49-93A7-86B65D6064AA} - C:\Users\hrinky\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
CHR Extension: (MyWordTool) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\djgojpphcoccgjoafgdhiomafpcopmfn\1_0 [2014-01-01]
CHR Extension: (FindWide Toolbar) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncfcpgabeneekkilikdmkambiniogobj\1.0.0.0_0 [2014-01-01]
CHR Extension: (TidyNetwork ) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpmffeloojanbfpjigpdmgdblaocmhl\5.0.0.0_0 [2014-01-01]
CHR HKLM-x32\...\Chrome\Extension: [nkopijddpkmggacdghppacglggodkcod] - C:\Program Files (x86)\albrechto\nkopijddpkmggacdghppacglggodkcod.crx [2013-12-11]
CHR HKLM-x32\...\Chrome\Extension: [oejkcgajlodefenbbjdnaiahmbnnoole] - C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\chrome-newtab-search.crx [2013-10-30]
 
*****************
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{532D783B-0DF1-422F-A45B-369081B6A9B9} => Key deleted successfully.
HKCR\CLSID\{532D783B-0DF1-422F-A45B-369081B6A9B9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9B5873D6-013E-456E-BD97-B44446D040F6} => Key deleted successfully.
HKCR\CLSID\{9B5873D6-013E-456E-BD97-B44446D040F6} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC0356F5-D7DB-4EBE-A3EA-39B017E1E49F} => Key deleted successfully.
HKCR\CLSID\{DC0356F5-D7DB-4EBE-A3EA-39B017E1E49F} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ECCF36E4-FFC3-4D31-B7A5-8019EB3BDF8E} => Key deleted successfully.
HKCR\CLSID\{ECCF36E4-FFC3-4D31-B7A5-8019EB3BDF8E} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9309F1DB-7211-3137-EFB3-660AB52218E6} => Key deleted successfully.
HKCR\CLSID\{9309F1DB-7211-3137-EFB3-660AB52218E6} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A01FDC7-653A-3602-F0B2-0D0AB52218E6} => Key deleted successfully.
HKCR\CLSID\{9A01FDC7-653A-3602-F0B2-0D0AB52218E6} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{F88A658F-32ED-4E49-93A7-86B65D6064AA} => Value deleted successfully.
HKCR\CLSID\{F88A658F-32ED-4E49-93A7-86B65D6064AA} => Key deleted successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\djgojpphcoccgjoafgdhiomafpcopmfn => Moved successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncfcpgabeneekkilikdmkambiniogobj => Moved successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpmffeloojanbfpjigpdmgdblaocmhl => Moved successfully.
 
==== End of Fixlog ====

OK, we'll delete them...same as before:

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Reboot and let me know how it is.

MrC


Well, everything seemed to load correctly that time.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-01-2014 01
Ran by hrinky at 2014-01-12 17:23:00 Run:2
Running from C:\Users\hrinky\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CHR Extension: (HelperApps ) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpkgeokclehepckaodmhdbgonfpddejg\5.0.0.0_0 [2014-01-01]
CHR Extension: (AT_Nintea) - C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0 [2013-12-04]
*****************
 
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpkgeokclehepckaodmhdbgonfpddejg => Moved successfully.
 
"C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf" directory move:
 
Could not move "C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\Cached Theme.pak" => Scheduled to move on reboot.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\manifest.json => Moved successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\i\agxjaHJvbWV0aGVtZXNyDAsSBEZpbGUY2YYDDA => Moved successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\i\agxjaHJvbWV0aGVtZXNyDAsSBEZpbGUY3IYDDA => Moved successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\i\agxjaHJvbWV0aGVtZXNyDAsSBEZpbGUYrsIEDA => Moved successfully.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\i\agxjaHJvbWV0aGVtZXNyDAsSBEZpbGUYspYDDA => Moved successfully.
Could not move "C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf" directory. => Scheduled to move on reboot.
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-12 17:24:29)<=
 
"C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\Cached Theme.pak" => File could not move.
"C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf" => Directory could not move.
 
==== End of Fixlog ====
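As an added example, not from the thread and not part of FRST: a small Python parser for the Fixlog format above that reports which targets FRST could not remove, such as the extension directory that survived the reboot in this run. The sample log is constructed from the lines in this post.

```python
# Constructed sample in the FRST Fixlog format quoted in the thread (same
# targets as the second fix run, including the theme that survived the reboot).
SAMPLE_FIXLOG = r"""
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9B5873D6-013E-456E-BD97-B44446D040F6} => Key deleted successfully.
HKCR\CLSID\{9B5873D6-013E-456E-BD97-B44446D040F6} => Key not found.
C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpkgeokclehepckaodmhdbgonfpddejg => Moved successfully.
Could not move "C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\Cached Theme.pak" => Scheduled to move on reboot.
Could not move "C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf" directory. => Scheduled to move on reboot.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-12 17:24:29)<=
"C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf\2_0\Cached Theme.pak" => File could not move.
"C:\Users\hrinky\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfcpkpkbafcgpdnfhjdnckameaflpfbf" => Directory could not move.
"""

# Outcome phrase -> normalised status. Later lines for the same target win,
# so the post-reboot result overrides an earlier "Scheduled to move on reboot".
OUTCOMES = (
    ("deleted successfully", "removed"),
    ("moved successfully", "removed"),
    ("not found", "absent"),
    ("scheduled to move on reboot", "pending"),
    ("could not move", "failed"),
)

def parse_line(line):
    """Return (target, status) for one result line, or None for headers and blanks."""
    if " => " not in line:
        return None
    target, outcome = line.rsplit(" => ", 1)
    # Normalise the target so 'Could not move "..." directory.' and the
    # post-reboot '"..." => Directory could not move.' line share one key.
    if target.startswith("Could not move "):
        target = target[len("Could not move "):]
    if target.endswith(" directory."):
        target = target[:-len(" directory.")]
    target = target.strip('"')
    outcome = outcome.lower()
    for phrase, status in OUTCOMES:
        if phrase in outcome:
            return target, status
    return target, "unknown"

def fix_status(fixlog):
    """Map every target named in a Fixlog to its final status."""
    status = {}
    for line in fixlog.splitlines():
        parsed = parse_line(line)
        if parsed:
            status[parsed[0]] = parsed[1]
    return status

def unresolved(fixlog):
    """Targets FRST could not remove; these are the ones to follow up on."""
    return sorted(t for t, s in fix_status(fixlog).items() if s in ("pending", "failed"))

if __name__ == "__main__":
    for target in unresolved(SAMPLE_FIXLOG):
        print("still present:", target)
```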

OK, let me know if everything is OK......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
