
Ads playing in the background



Hello

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin...


 Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-01-2014 03
Ran by Family (administrator) on SOPHIA on 19-01-2014 13:12:04
Running from C:\Users\Family\Desktop
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\The Weather Channel\Desktop Weather\TWC.Win7.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Microsoft Default Manager] - C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM\...\Run: [PWRISOVM.EXE] - C:\Program Files\PowerISO\PWRISOVM.EXE [337432 2013-01-27] (Power Software Ltd)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKCU\...\Run: [TWC.Win7] - C:\Program Files\The Weather Channel\Desktop Weather\TWC.Win7.exe [47104 2014-01-08] ()
HKCU\...\Policies\Explorer: [HideSCAHealth] 1
MountPoints2: F - F:\Autorun.exe
MountPoints2: G - G:\Setup.exe
MountPoints2: K - K:\Autorun.exe
MountPoints2: L - L:\Autorun.exe
MountPoints2: M - M:\Autorun.exe
MountPoints2: N - N:\Autorun.exe
MountPoints2: {cf3b2de4-5b53-11e1-8793-00188b6a711a} - F:\Autorun.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default\...\Run: [ooVoo] - C\ooVoo.exe /minimized
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [ooVoo] - C\ooVoo.exe /minimized
AppInit_DLLs:  => File Not Found
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP50
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=EIE9HP&PC=UP50
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP50
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
URLSearchHook: HKCU - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
URLSearchHook: HKCU - (No Name) - {84FF7BD6-B47F-46F8-9130-01B2696B36CB} -  No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {D07A6BFC-904B-4727-A266-E568197106C8} URL = http://us.yhs4.search.yahoo.com/yhs/search?p={searchTerms}&ei=UTF-8&hspart=w3i&hsimp=yhs-synd1&type=W3i_DS,221,0_0,Search,20130938,19669,0,6,7635
SearchScopes: HKCU - {EB71EB9A-CD1E-4FD1-8C27-B0615600C4AB} URL = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
BHO: Yahooo Search Protection - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO: No Name - {84FF7BD6-B47F-46F8-9130-01B2696B36CB} -  No File
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: No Name - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -  No File
Toolbar: HKLM - No Name - {8dcb7100-df86-4384-8842-8fa844297b3f} -  No File
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} -  No File
Toolbar: HKCU - No Name - {9565115D-C7D6-46D3-BD63-B67B481A4368} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\qqmcgi5i.default
FF DefaultSearchEngine: user_pref("browser.search.defaultenginename", "");
FF SelectedSearchEngine: user_pref("browser.search.selectedEngine", "");
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.17.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @Microsoft.com/NpWinExt,version=5.0 - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll No File
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.5.109 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.5.109 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @yahoo.com/BrowserPlus,version=2.9.8 - C:\Users\Family\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\qqmcgi5i.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-12-21]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012-06-30]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\Firefox
FF HKLM\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\
FF Extension: Search Helper Extension - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ []

========================== Services (Whitelisted) =================


==================== Drivers (Whitelisted) ====================

R1 SCDEmu; C:\Windows\System32\Drivers\SCDEmu.sys [113608 2013-01-27] (Power Software Ltd)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S2 NVR0FLASHDev; \??\C:\Windows\nvflash.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SNP2STD; system32\DRIVERS\snp2sxp.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-19 13:12 - 2014-01-19 13:14 - 00011118 _____ C:\Users\Family\Desktop\FRST.txt
2014-01-19 13:11 - 2014-01-19 13:11 - 00000000 ____D C:\FRST
2014-01-19 13:07 - 2014-01-19 13:07 - 01221120 _____ (Farbar) C:\Users\Family\Desktop\FRST.exe
2014-01-19 01:46 - 2014-01-19 01:46 - 00000000 _____ C:\Windows\setuperr.log
2014-01-19 01:46 - 2014-01-19 01:46 - 00000000 _____ C:\Windows\setupact.log
2014-01-18 11:33 - 2014-01-18 11:33 - 00000000 ____S C:\Windows\system32\dgrf.kql
2014-01-18 01:54 - 2014-01-19 12:15 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-18 01:37 - 2014-01-18 01:39 - 00000000 ____D C:\Program Files\GUMC438.tmp
2014-01-18 01:37 - 2014-01-18 01:37 - 38533120 _____ C:\Program Files\GUTC439.tmp
2014-01-18 01:22 - 2014-01-18 01:22 - 00028672 _____ C:\Windows\system32\kgrkcf.ctl
2014-01-18 01:12 - 2014-01-19 12:44 - 00000089 _____ C:\Windows\system32\xwjjdvx.kjq
2014-01-18 01:12 - 2014-01-18 01:22 - 00000100 _____ C:\Windows\system32\fxvxag.tuy
2014-01-18 01:12 - 2014-01-18 01:12 - 00000064 _____ C:\Windows\system32\swnmkv.nji
2014-01-18 00:56 - 2014-01-18 00:56 - 00101213 ____S C:\Windows\system32\zala.qah
2014-01-17 18:55 - 2014-01-17 18:55 - 00000514 _____ C:\Users\Public\Desktop\Fraps.lnk
2014-01-11 05:45 - 2014-01-11 05:45 - 00000757 _____ C:\Users\Public\Desktop\Opera.lnk
2014-01-11 05:45 - 2014-01-11 05:45 - 00000000 ____D C:\Users\Family\AppData\Roaming\Opera Software
2014-01-11 05:45 - 2014-01-11 05:45 - 00000000 ____D C:\Users\Family\AppData\Local\Opera Software
2014-01-11 05:44 - 2014-01-11 05:45 - 00000000 ____D C:\Program Files\Opera
2014-01-07 18:29 - 2014-01-07 18:29 - 00001887 _____ C:\Users\Public\Desktop\RollerCoaster Tycoon 2.lnk
2014-01-07 18:25 - 2014-01-07 18:25 - 00000000 ____D C:\Program Files\Infogrames
2014-01-07 16:05 - 2014-01-11 13:19 - 00000000 ____D C:\Users\Family\AppData\Roaming\DAEMON Tools Lite
2014-01-07 03:17 - 2014-01-07 03:17 - 00000000 ____D C:\Users\Family\AppData\Roaming\MPC-HC
2014-01-07 03:06 - 2013-12-01 08:10 - 00218200 _____ C:\Windows\system32\unrar.dll
2014-01-05 16:31 - 2014-01-07 18:11 - 00000000 ____D C:\Program Files\Common Files\InstallShield
2014-01-05 15:06 - 2014-01-05 15:06 - 00000000 ____D C:\Users\Family\AppData\Roaming\Leadertech
2014-01-05 15:00 - 2014-01-05 15:00 - 00000000 ____D C:\Users\Family\Documents\My eBooks
2014-01-05 15:00 - 2014-01-05 15:00 - 00000000 ____D C:\Users\Family\AppData\Roaming\InterTrust
2014-01-05 15:00 - 2014-01-05 15:00 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-05 15:00 - 1998-10-29 15:45 - 00306688 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2013-12-28 17:09 - 2013-12-28 17:09 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
2013-12-28 17:09 - 2012-05-06 11:46 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\Macromedia
2013-12-28 17:09 - 2012-03-10 15:12 - 00000000 ___RD C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-28 17:09 - 2012-03-10 15:12 - 00000000 ___RD C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-28 17:08 - 2013-01-31 04:01 - 03970848 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2013-12-28 17:08 - 2013-01-31 04:01 - 02859296 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc.dll
2013-12-28 17:08 - 2013-01-31 04:00 - 02557728 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2013-12-28 17:08 - 2013-01-31 04:00 - 00634656 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2013-12-28 17:08 - 2013-01-31 04:00 - 00108832 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2013-12-28 17:08 - 2013-01-31 04:00 - 00062752 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2013-12-28 17:05 - 2013-12-28 17:05 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2013-12-28 17:02 - 2013-01-31 06:21 - 19915552 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv32.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 17560352 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 10919200 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2013-12-28 17:02 - 2013-01-31 06:21 - 07754560 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 06162704 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 02577184 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 02446416 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 01869088 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 01010464 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco32.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 00892704 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco32.dll
2013-12-28 17:02 - 2013-01-31 06:21 - 00012724 _____ C:\Windows\system32\nvinfo.pb
2013-12-28 17:00 - 2013-12-28 17:08 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-12-21 11:28 - 2014-01-05 15:00 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-21 11:28 - 2013-12-28 21:55 - 00000000 ____D C:\Users\Family\AppData\Roaming\Mozilla
2013-12-21 11:28 - 2013-12-21 11:28 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

==================== One Month Modified Files and Folders =======

2014-01-19 13:15 - 2012-04-07 01:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-19 13:14 - 2014-01-19 13:12 - 00011118 _____ C:\Users\Family\Desktop\FRST.txt
2014-01-19 13:11 - 2014-01-19 13:11 - 00000000 ____D C:\FRST
2014-01-19 13:07 - 2014-01-19 13:07 - 01221120 _____ (Farbar) C:\Users\Family\Desktop\FRST.exe
2014-01-19 13:06 - 2013-10-12 22:00 - 00000000 ____D C:\Users\Family\AppData\Roaming\uTorrent
2014-01-19 12:44 - 2014-01-18 01:12 - 00000089 _____ C:\Windows\system32\xwjjdvx.kjq
2014-01-19 12:15 - 2014-01-18 01:54 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-19 12:15 - 2006-11-02 07:45 - 00003648 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-19 12:15 - 2006-11-02 07:45 - 00003648 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-19 12:14 - 2006-11-02 07:58 - 00032646 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-19 12:14 - 2006-11-02 07:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-19 01:46 - 2014-01-19 01:46 - 00000000 _____ C:\Windows\setuperr.log
2014-01-19 01:46 - 2014-01-19 01:46 - 00000000 _____ C:\Windows\setupact.log
2014-01-18 11:33 - 2014-01-18 11:33 - 00000000 ____S C:\Windows\system32\dgrf.kql
2014-01-18 02:03 - 2012-05-06 11:44 - 00000000 ____D C:\Users\Family\AppData\Local\Adobe
2014-01-18 02:02 - 2012-04-07 01:01 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-01-18 02:02 - 2012-02-04 21:25 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-01-18 01:40 - 2012-02-04 21:25 - 00000000 ____D C:\Program Files\Google
2014-01-18 01:39 - 2014-01-18 01:37 - 00000000 ____D C:\Program Files\GUMC438.tmp
2014-01-18 01:37 - 2014-01-18 01:37 - 38533120 _____ C:\Program Files\GUTC439.tmp
2014-01-18 01:22 - 2014-01-18 01:22 - 00028672 _____ C:\Windows\system32\kgrkcf.ctl
2014-01-18 01:22 - 2014-01-18 01:12 - 00000100 _____ C:\Windows\system32\fxvxag.tuy
2014-01-18 01:12 - 2014-01-18 01:12 - 00000064 _____ C:\Windows\system32\swnmkv.nji
2014-01-18 00:56 - 2014-01-18 00:56 - 00101213 ____S C:\Windows\system32\zala.qah
2014-01-17 18:55 - 2014-01-17 18:55 - 00000514 _____ C:\Users\Public\Desktop\Fraps.lnk
2014-01-17 18:55 - 2012-07-14 19:51 - 00000000 ____D C:\Fraps
2014-01-11 13:19 - 2014-01-07 16:05 - 00000000 ____D C:\Users\Family\AppData\Roaming\DAEMON Tools Lite
2014-01-11 05:45 - 2014-01-11 05:45 - 00000757 _____ C:\Users\Public\Desktop\Opera.lnk
2014-01-11 05:45 - 2014-01-11 05:45 - 00000000 ____D C:\Users\Family\AppData\Roaming\Opera Software
2014-01-11 05:45 - 2014-01-11 05:45 - 00000000 ____D C:\Users\Family\AppData\Local\Opera Software
2014-01-11 05:45 - 2014-01-11 05:44 - 00000000 ____D C:\Program Files\Opera
2014-01-07 18:29 - 2014-01-07 18:29 - 00001887 _____ C:\Users\Public\Desktop\RollerCoaster Tycoon 2.lnk
2014-01-07 18:25 - 2014-01-07 18:25 - 00000000 ____D C:\Program Files\Infogrames
2014-01-07 18:11 - 2014-01-05 16:31 - 00000000 ____D C:\Program Files\Common Files\InstallShield
2014-01-07 18:10 - 2012-02-18 22:13 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2014-01-07 17:37 - 2006-11-02 05:33 - 00700096 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-07 16:07 - 2012-02-04 17:57 - 00000000 ____D C:\Users\Family
2014-01-07 03:17 - 2014-01-07 03:17 - 00000000 ____D C:\Users\Family\AppData\Roaming\MPC-HC
2014-01-05 15:06 - 2014-01-05 15:06 - 00000000 ____D C:\Users\Family\AppData\Roaming\Leadertech
2014-01-05 15:00 - 2014-01-05 15:00 - 00000000 ____D C:\Users\Family\Documents\My eBooks
2014-01-05 15:00 - 2014-01-05 15:00 - 00000000 ____D C:\Users\Family\AppData\Roaming\InterTrust
2014-01-05 15:00 - 2014-01-05 15:00 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-05 15:00 - 2013-12-21 11:28 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-01-05 15:00 - 2012-05-06 11:46 - 00000000 ____D C:\Program Files\Adobe
2014-01-05 15:00 - 2012-03-09 18:18 - 00000000 ____D C:\Windows\system32\Adobe
2013-12-28 21:55 - 2013-12-21 11:28 - 00000000 ____D C:\Users\Family\AppData\Roaming\Mozilla
2013-12-28 17:09 - 2013-12-28 17:09 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
2013-12-28 17:09 - 2012-07-16 20:00 - 00000000 ____D C:\ProgramData\NVIDIA
2013-12-28 17:08 - 2013-12-28 17:00 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-12-28 17:07 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Help
2013-12-28 17:05 - 2013-12-28 17:05 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2013-12-21 11:28 - 2013-12-21 11:28 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

Some content of TEMP:
====================
C:\Users\Family\AppData\Local\Temp\install_flashplayer12x32au_chra_aaa_aih.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2012-03-11 10:55] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) E6D524E038555AB0104FC91539D11893

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-19 12:21

==================== End Of Log ============================

Addition.txt


Farbar Recovery Scan Tool (x86) Version: 19-01-2014 03
Ran by Family at 2014-01-19 16:10:04
Running from C:\Users\Family\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll        " ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll
[2012-03-11 10:55] - [2009-04-11 01:28] - 0550400 ____A (Microsoft Corporation) 3B5B4D53FEC14F7476CA29A20CC31AC9

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll
[2012-02-05 08:46] - [2012-02-05 08:46] - 0551424 ____A (Microsoft Corporation) 4DFCBDEF3CCAA98F99038DED78945253

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll
[2012-02-05 08:46] - [2012-02-05 08:46] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll
[2012-02-10 15:23] - [2008-01-19 02:36] - 0547328 ____A (Microsoft Corporation) 33FB1F0193EE2051067441492D56113C

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll
[2012-02-05 08:46] - [2012-02-05 08:46] - 0550400 ____A (Microsoft Corporation) B1BB45E24717A7F790B4411C4446EF5E

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll
[2012-02-05 08:46] - [2012-02-05 08:46] - 0549888 ____A (Microsoft Corporation) 7B981222A257D076885BFFB66F19B7CE

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16386_none_67941a0040f4ed68\rpcss.dll
[2006-11-02 03:50] - [2006-11-02 04:46] - 0545792 ____A (Microsoft Corporation) B46D8EA6DD30BAA49F674DACDC4C491F

C:\Windows\System32\rpcss.dll
[2012-03-11 10:55] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) E6D524E038555AB0104FC91539D11893

=== End Of Search ===

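FRST's ATTENTION note in the first log says that audio adware patches rpcss.dll and that a unique MD5 means the file is infected; the Addition.txt search above gives the data needed to do the offline half of that check, because every WinSxS component-store copy of rpcss.dll is listed with its version, size, timestamps and MD5 next to the live System32 copy. The script below is an added example, not FRST's code and not part of the thread: it parses the search output in the format shown above (three of the posted entries are embedded as constructed sample input, hashes and sizes copied from the post), checks whether the live copy's hash matches any store copy, looks for a store copy with identical timestamps but a different hash (the tell-tale of a patched file whose timestamps were copied from the original), reports the size difference, and names the newest store copy as the restore source. The "restore from the newest version" rule and all function names (parse_search, assess_live_copy, assess_sample) are assumptions of this example; the fixlist in the thread happens to follow that rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of FRST's "Search:" output. The three entries
# are copied from the Addition.txt search posted in the thread (two component-store
# copies plus the live System32 copy); the other store copies are omitted.
SAMPLE_SEARCH = r"""
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll
[2012-03-11 10:55] - [2009-04-11 01:28] - 0550400 ____A (Microsoft Corporation) 3B5B4D53FEC14F7476CA29A20CC31AC9

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll
[2012-02-10 15:23] - [2008-01-19 02:36] - 0547328 ____A (Microsoft Corporation) 33FB1F0193EE2051067441492D56113C

C:\Windows\System32\rpcss.dll
[2012-03-11 10:55] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) E6D524E038555AB0104FC91539D11893
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\s*-\s*\[(?P<modified>[^\]]+)\]\s*-\s*"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Version field embedded in a WinSxS component directory name (e.g. _6.0.6002.18005_)
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass
class FileRecord:
    path: str
    created: str
    modified: str
    size: int
    md5: str
    version: Optional[str]  # set only for WinSxS component-store copies


def parse_search(text: str) -> list[FileRecord]:
    """Parse FRST search output: each entry is a path line followed by a detail line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: list[FileRecord] = []
    i = 0
    while i + 1 < len(lines):
        m = DETAIL_RE.match(lines[i + 1])
        if m is None:  # not a path/detail pair; advance one line and retry
            i += 1
            continue
        path = lines[i]
        ver = VERSION_RE.search(path) if "\\winsxs\\" in path.lower() else None
        records.append(FileRecord(path, m["created"], m["modified"], int(m["size"]),
                                  m["md5"].upper(), ver.group(1) if ver else None))
        i += 2
    return records


def _version_key(rec: FileRecord) -> tuple[int, ...]:
    return tuple(int(part) for part in (rec.version or "0").split("."))


def assess_live_copy(records: list[FileRecord]) -> dict:
    """Compare the live (non-WinSxS) copy against the component-store copies.

    A live hash that matches no store copy is the offline equivalent of FRST's
    "Google the MD5" advice; a store copy with identical timestamps but a
    different hash points at a patched file whose timestamps were copied over.
    The newest store copy is reported as the candidate to restore from
    (an assumption of this example, matching what the thread's fixlist did)."""
    store = [r for r in records if r.version is not None]
    live_copies = [r for r in records if r.version is None]
    if len(live_copies) != 1 or not store:
        raise ValueError("expected exactly one live copy and at least one store copy")
    live = live_copies[0]
    known_hashes = {r.md5 for r in store}
    twin = next((r for r in store
                 if (r.created, r.modified) == (live.created, live.modified)
                 and r.md5 != live.md5), None)
    newest = max(store, key=_version_key)
    return {
        "live_path": live.path,
        "hash_in_store": live.md5 in known_hashes,
        "timestamp_twin_version": twin.version if twin else None,
        "size_delta": live.size - twin.size if twin else None,
        "restore_from": newest.path,
        "restore_version": newest.version,
        "verdict": "clean" if live.md5 in known_hashes
                   else "suspicious: hash matches no store copy",
    }


def assess_sample() -> dict:
    """Run the assessment over the constructed sample above."""
    return assess_live_copy(parse_search(SAMPLE_SEARCH))


if __name__ == "__main__":
    for key, value in assess_sample().items():
        print(f"{key}: {value}")
```

On the posted data the live System32 copy carries exactly the timestamps of the 6.0.6002.18005 store copy but is 512 bytes larger and hashes differently, which is why matching timestamps alone are not evidence of integrity; the hash comparison against the component store is the check that matters, and a miss there is the cue to do the manual MD5 lookup FRST asks for rather than proof by itself.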

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs.

 

Kevin

 

fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-01-2014 03
Ran by Family at 2014-01-19 17:31:14 Run:1
Running from C:\Users\Family\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
MountPoints2: F - F:\Autorun.exe
MountPoints2: G - G:\Setup.exe
MountPoints2: K - K:\Autorun.exe
MountPoints2: L - L:\Autorun.exe
MountPoints2: M - M:\Autorun.exe
MountPoints2: N - N:\Autorun.exe
MountPoints2: {cf3b2de4-5b53-11e1-8793-00188b6a711a} - F:\Autorun.exe
AppInit_DLLs:  => File Not Found
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
cmd: netsh winsock reset
2014-01-19 13:06 - 2013-10-12 22:00 - 00000000 ____D C:\Users\Family\AppData\Roaming\uTorrent
2014-01-19 12:44 - 2014-01-18 01:12 - 00000089 _____ C:\Windows\system32\xwjjdvx.kjq
2014-01-18 11:33 - 2014-01-18 11:33 - 00000000 ____S C:\Windows\system32\dgrf.kql
2014-01-18 01:39 - 2014-01-18 01:37 - 00000000 ____D C:\Program Files\GUMC438.tmp
2014-01-18 01:37 - 2014-01-18 01:37 - 38533120 _____ C:\Program Files\GUTC439.tmp
2014-01-18 01:22 - 2014-01-18 01:22 - 00028672 _____ C:\Windows\system32\kgrkcf.ctl
2014-01-18 01:22 - 2014-01-18 01:12 - 00000100 _____ C:\Windows\system32\fxvxag.tuy
2014-01-18 01:12 - 2014-01-18 01:12 - 00000064 _____ C:\Windows\system32\swnmkv.nji
2014-01-18 00:56 - 2014-01-18 00:56 - 00101213 ____S C:\Windows\system32\zala.qah
C:\Users\Family\AppData\Local\Temp\install_flashplayer12x32au_chra_aaa_aih.exe
Task: {590F0884-7657-4AE0-8E60-A53EA0FE2F31} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {E55846EE-01C4-4322-B3C4-24FAA6F475B6} - System32\Tasks\4791 => Wscript.exe C:\Users\Family\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:D346F792
Replace: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll C:\Windows\System32\rpcss.dll
End
*****************

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\M => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf3b2de4-5b53-11e1-8793-00188b6a711a} => Key deleted successfully.
HKCR\CLSID\{cf3b2de4-5b53-11e1-8793-00188b6a711a} => Key not found.
"AppInit_DLLs:  => File Not Found" => Value Data not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
The possible legit Catalog entry 000000000001 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000002 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000003 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000004 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000005 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000006 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000007 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000008 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000009 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000010 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000011 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000012 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000013 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000014 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000015 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000016 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000017 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry 000000000018 will not be deleted with FRST. Instead, "netsh winsock reset" can be used.

=========  netsh winsock reset =========

The following helper DLL cannot be loaded: WSHELPER.DLL.
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: winsock reset.

========= End of CMD: =========

C:\Users\Family\AppData\Roaming\uTorrent => Moved successfully.
C:\Windows\system32\xwjjdvx.kjq => Moved successfully.
Could not move "C:\Windows\system32\dgrf.kql" => Scheduled to move on reboot.
C:\Program Files\GUMC438.tmp => Moved successfully.
C:\Program Files\GUTC439.tmp => Moved successfully.
C:\Windows\system32\kgrkcf.ctl => Moved successfully.
Could not move "C:\Windows\system32\fxvxag.tuy" => Scheduled to move on reboot.
C:\Windows\system32\swnmkv.nji => Moved successfully.
Could not move "C:\Windows\system32\zala.qah" => Scheduled to move on reboot.
C:\Users\Family\AppData\Local\Temp\install_flashplayer12x32au_chra_aaa_aih.exe => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{590F0884-7657-4AE0-8E60-A53EA0FE2F31} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{590F0884-7657-4AE0-8E60-A53EA0FE2F31} => Key deleted successfully.
C:\Windows\System32\Tasks\0 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E55846EE-01C4-4322-B3C4-24FAA6F475B6} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E55846EE-01C4-4322-B3C4-24FAA6F475B6} => Key deleted successfully.
C:\Windows\System32\Tasks\4791 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4791 => Key deleted successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
C:\ProgramData\TEMP => ":D346F792" ADS removed successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-19 17:36:00)<=

C:\Windows\system32\dgrf.kql => Moved successfully.
C:\Windows\system32\fxvxag.tuy => Moved successfully.
C:\Windows\system32\zala.qah => Moved successfully.

==== End of Fixlog ====


Apologies, I assumed too quickly...

Download Malwarebytes from the following link and save it to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe to install the application.

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan.

Make sure that everything is checked, and click Remove Selected on any found items.

Thanks,

Kevin


Can you post the log from Malwarebytes, also give an update on any remaining issues or concerns.....

Next,

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that we may have missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

Run ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin

Go to the ESET web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found
  • Put a checkmark in "Uninstall application on close"
  • Close program
  • Report to me that nothing was found

If threats were found
  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish

Close program

Copy and paste the report in next reply

Thank you,

Kevin


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
