How can I remove Awesomehp


Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt (DDS won't run on W8)

(please don't put logs in code or quotes and use the default font)

(Please don't forget to run the RogueKiller scan below)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Looks like you already ran AdwCleaner, did you run JRT as well?

If not.......

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Last.......

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Windows 7 Ultimate x86
Ran by Malcolm on 15/02/2014 at 16:14:50.91
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\optprostart_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\optprostart_rasmancs



~~~ Files



~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\boost_interprocess"
Failed to delete: [Folder] "C:\ProgramData\application data\boost_interprocess"
Successfully deleted: [Folder] "C:\Users\Malcolm\AppData\Roaming\getrighttogo"
Successfully deleted: [Folder] "C:\Users\Malcolm\appdata\local\software"



~~~ FireFox

Successfully deleted the following from C:\Users\Malcolm\AppData\Roaming\mozilla\firefox\profiles\4kimnyfw.default\prefs.js

user_pref("extensions.iminent.admin", false);
user_pref("extensions.iminent.aflt", "orgnl");
user_pref("extensions.iminent.appId", "{0E4B2CAB-B859-4C57-B96E-63DDEC692BC4}");
user_pref("extensions.iminent.autoRvrt", "false");
user_pref("extensions.iminent.dfltLng", "");
user_pref("extensions.iminent.excTlbr", false);
user_pref("extensions.iminent.ffxUnstlRst", false);
user_pref("extensions.iminent.id", "548a8c2c000000000000001dd9e928af");
user_pref("extensions.iminent.instlDay", "16036");
user_pref("extensions.iminent.instlRef", "");
user_pref("extensions.iminent.newTab", false);
user_pref("extensions.iminent.prdct", "iminent");
user_pref("extensions.iminent.prtnrId", "iminent");
user_pref("extensions.iminent.rvrt", "false");
user_pref("extensions.iminent.smplGrp", "none");
user_pref("extensions.iminent.tlbrId", "YBCPCSTIPO");

user_pref("extensions.iminent.vrsn", "1.8.26.8");
user_pref("extensions.iminent.vrsnTs", "1.8.26.816:24:48");
user_pref("extensions.iminent.vrsni", "1.8.26.8");
user_pref("iminent.LayoutId", "1");
user_pref("iminent.enabledAds", "false");
user_pref("iminent.version", "7.48.1.1");
user_pref("iminent.versioning", "{\"CurrentVersion\":\"7.48.1.1\",\"InstallEventCTime\":1385565904873,\"InstallEvent\":\"True\"}");
Emptied folder: C:\Users\Malcolm\AppData\Roaming\mozilla\firefox\profiles\4kimnyfw.default\minidumps [194 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15/02/2014 at 16:26:43.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.13.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16518
Malcolm :: MALCOLM-PC [administrator]

15/02/2014 16:37:02
mbam-log-2014-02-15 (16-37-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211429
Time elapsed: 14 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)
 


Please download and run Shortcut-Cleaner:

http://www.bleepingcomputer.com/download/shortcut-cleaner/dl/172/

Then.....

 

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

MrC


Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......Chrome you have to manually reset:

 

First make sure you have the latest version of Chrome:

Open up Chrome > Click on the 3 bars in the upper right hand corner

Click on About Google Chrome

If there's an update available it will automatically update

Next:

Go to Tools > Clear Browser Data

Put a check next to all of these:

  • Clear browsing history
  • Clear download history
  • Delete cookies and other site and plug-in data
  • Empty the cache
Click "Clear Browsing Data"

-------------------------------

Next:

Click the Chrome menu on the browser toolbar.

Select Settings.

In the "Search" section, click Manage search engines.

Check if (Default) is displayed next to your preferred search engine. If not, mouse over it and click Make default.

Mouse over any other suspicious search engine entries that are not familiar and click X to remove them.

-------------------------------------

Click the Chrome menu.

Select Settings.

In the "On startup" section, select Open a specific page or set of pages.

Click Set pages. (in blue to the right)

Remove any unfamiliar pages.

-----------------------

Click the Chrome menu.

Select Settings.

In the "Appearance" section, if the "Show Home button" checkbox is selected, see if the page listed below is the home page you’d like to use.

If the page isn't the home page you'd like to use, click Change and select your preferred page.

-------------------------

Let me know...MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-02-2014 01
Ran by Malcolm at 2014-02-16 13:04:39 Run:1
Running from C:\Users\Malcolm\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [fst_fr_83] - [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.awesomehp.com/web/?type=ds&ts=1392192095&from=tugs&uid=TOSHIBAXMK1646GSX_Y79ET3XSTXXY79ET3XST&q={searchTerms}
SearchScopes: HKLM - DefaultScope value is missing.

FF SelectedSearchEngine: awesomehp
FF Extension: No Name - C:\Users\Malcolm\AppData\Roaming\Mozilla\Firefox\Profiles\4kimnyfw.default\Extensions\1392192135_xpi [2014-02-12]
FF Extension: Extension_Protected - C:\Users\Malcolm\AppData\Roaming\Mozilla\Firefox\Profiles\4kimnyfw.default\Extensions\jid0-O6MIff3eO5dIGf5Tcv8RsJDKxrs@jetpack.xpi [2014-02-12]
CHR HKLM\...\Chrome\Extension: [dbpebffoameokfhnaaedmefjncfboino] - C:\Program Files\SecretSauce\dbpebffoameokfhnaaedmefjncfboino.crx [2013-12-23]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\fst_fr_83 => Value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
Firefox newtab deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
C:\Users\Malcolm\AppData\Roaming\Mozilla\Firefox\Profiles\4kimnyfw.default\Extensions\1392192135_xpi => Moved successfully.
C:\Users\Malcolm\AppData\Roaming\Mozilla\Firefox\Profiles\4kimnyfw.default\Extensions\jid0-O6MIff3eO5dIGf5Tcv8RsJDKxrs@jetpack.xpi => Moved successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\dbpebffoameokfhnaaedmefjncfboino => Key deleted successfully.
"C:\Program Files\SecretSauce\dbpebffoameokfhnaaedmefjncfboino.crx" => File/Directory not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.


The system needs a manual reboot.

==== End of Fixlog ====


Please run this scan:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 14-02-16.01 - Malcolm 18/02/2014  16:21:26.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.44.1033.18.1918.799 [GMT 1:00]
Running from: c:\users\Malcolm\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Internet Security *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
SP: avast! Internet Security *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Spybot - Search and Destroy *Disabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\repair.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-18 to 2014-02-18  )))))))))))))))))))))))))))))))
.
.
2014-02-18 15:49 . 2014-02-18 15:49    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-02-13 08:01 . 2014-02-18 15:01    --------    d-----w-    c:\programdata\boost_interprocess
2014-02-12 19:59 . 2014-02-13 07:58    --------    d-----w-    C:\AdwCleaner
2014-02-12 18:43 . 2013-12-21 08:56    454656    ----a-w-    c:\windows\system32\vbscript.dll
2014-02-12 18:38 . 2014-02-13 20:26    --------    d-----w-    c:\program files\Bench
2014-02-12 18:37 . 2014-02-12 18:37    --------    d-----w-    c:\program files\predm
2014-02-12 18:35 . 2013-12-06 02:02    1237504    ----a-w-    c:\windows\system32\msxml3.dll
2014-02-12 18:35 . 2013-12-06 02:02    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-02-12 18:32 . 2013-12-24 23:09    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-02-12 18:32 . 2013-11-26 08:16    3419136    ----a-w-    c:\windows\system32\d2d1.dll
2014-02-12 18:30 . 2013-12-04 01:54    594944    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2014-02-12 18:30 . 2013-12-04 01:54    510976    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2014-02-12 18:30 . 2013-12-04 01:54    572416    ----a-w-    c:\windows\system32\RMActivate.exe
2014-02-12 18:30 . 2013-12-04 01:54    508928    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2014-02-12 18:30 . 2013-12-04 02:03    423936    ----a-w-    c:\windows\system32\secproc_isv.dll
2014-02-12 18:30 . 2013-12-04 02:03    428032    ----a-w-    c:\windows\system32\secproc.dll
2014-02-12 18:30 . 2013-12-04 02:02    390144    ----a-w-    c:\windows\system32\msdrm.dll
2014-02-12 18:30 . 2013-12-04 02:03    87040    ----a-w-    c:\windows\system32\secproc_ssp.dll
2014-02-12 18:30 . 2013-12-04 02:03    87040    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2014-02-12 08:02 . 2014-02-12 08:02    --------    d-----w-    c:\program files\NewPlayer
2014-02-05 19:26 . 2014-02-06 07:23    --------    d-----w-    c:\program files\Mozilla Thunderbird
2014-02-04 06:33 . 2014-02-04 06:33    --------    d-----w-    c:\users\Default\AppData\Local\Trusteer
2014-01-27 17:08 . 2014-01-27 17:08    --------    d-----w-    c:\users\Malcolm\AppData\Local\Trusteer
2014-01-27 17:08 . 2014-01-27 17:08    --------    d-----w-    c:\program files\Trusteer
2014-01-27 17:05 . 2014-01-27 17:05    --------    d-----w-    c:\programdata\Trusteer
2014-01-22 19:37 . 2014-01-22 19:37    107256    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-18 15:09 . 2013-09-04 08:02    265072    ----a-w-    c:\windows\system32\drivers\aswndisflt.sys
2014-02-06 07:17 . 2013-09-04 08:42    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-06 07:17 . 2013-09-04 08:42    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-25 14:19 . 2013-12-22 16:37    64168    ----a-w-    c:\windows\system32\drivers\aswstm.sys
2014-01-25 14:19 . 2013-09-04 08:05    410784    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2014-01-25 14:19 . 2013-09-04 08:04    775952    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-01-25 14:19 . 2013-09-04 08:04    67824    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-01-25 14:19 . 2013-09-04 08:04    270240    ----a-w-    c:\windows\system32\aswBoot.exe
2014-01-25 14:19 . 2013-09-04 08:02    43152    ----a-w-    c:\windows\avastSS.scr
2014-01-25 14:18 . 2013-09-04 08:02    265072    ----a-w-    c:\windows\system32\drivers\aswndisflt.sys.1392736152249
2014-01-03 10:08 . 2013-11-04 13:54    57344    ----a-r-    c:\users\Malcolm\AppData\Roaming\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2014-01-03 10:05 . 2013-09-04 10:37    106496    ----a-w-    c:\windows\system32\ATL71.DLL
2013-12-22 18:42 . 2013-12-22 18:42    49940480    ----a-w-    c:\program files\GUT959D.tmp
2013-12-22 16:37 . 2013-09-04 08:04    180248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-12-21 14:23 . 2007-04-27 08:43    120200    ----a-w-    c:\windows\system32\DLLDEV32i.dll
2013-12-18 05:13 . 2013-09-03 16:23    231584    ------w-    c:\windows\system32\MpSigStub.exe
2013-12-05 10:10 . 2013-12-05 10:10    360448    ------w-    c:\windows\Setup1.exe
2013-12-05 10:10 . 2013-12-05 10:10    73216    ----a-w-    c:\windows\ST6UNST.EXE
2013-11-27 01:14 . 2014-01-17 07:30    258560    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-11-27 01:13 . 2014-01-17 07:30    284672    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-11-27 01:13 . 2014-01-17 07:30    76288    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-11-27 01:13 . 2014-01-17 07:30    43520    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-11-27 01:13 . 2014-01-17 07:30    20480    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-11-27 01:13 . 2014-01-17 07:30    24064    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-11-27 01:13 . 2014-01-17 07:30    6016    ----a-w-    c:\windows\system32\drivers\usbd.sys
2013-11-26 11:11 . 2014-01-17 07:31    240576    ----a-w-    c:\windows\system32\drivers\netio.sys
2013-11-26 10:10 . 2014-01-17 07:31    2349056    ----a-w-    c:\windows\system32\win32k.sys
2013-11-23 18:26 . 2013-12-12 11:30    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-11-21 13:44 . 2013-11-21 13:44    35288    ----a-w-    c:\windows\system32\drivers\tap0901.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-25 14:19    259464    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
"Plex Media Server"="c:\program files\Plex\Plex Media Server\Plex Media Server.exe" [2013-12-23 4277896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-03-28 642656]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2012-02-20 344064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2013-02-25 2416368]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-25 3767096]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2011-10-30 571392]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-01 152392]
"FAHConsole"="c:\program files\File Association Helper\FAHConsole.exe" [2013-09-26 239288]
.
c:\users\Malcolm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Malcolm\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-3 30714328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-10-09 3275136]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-01-25 64168]
R3 btwampfl;btwampfl;c:\windows\system32\DRIVERS\btwampfl.sys [2013-08-09 144600]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-02-06 108032]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-25 1343400]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2014-01-22 107256]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2013-10-22 26136]
S1 aswNdisFlt;Avast! Firewall Driver;c:\windows\system32\DRIVERS\aswNdisFlt.sys [2014-02-18 265072]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-01-25 775952]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-01-25 410784]
S1 RapportCerberus_59849;RapportCerberus_59849;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_59849.sys [2014-01-27 340432]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2014-01-22 155704]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2014-01-22 228888]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-03-28 291840]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-01-25 67824]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2014-01-25 113704]
S2 BcmBtRSupport;Bluetooth Driver Management Service;c:\windows\system32\BtwRSupportService.exe [2013-10-28 1680088]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2014-01-22 1444120]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2012-02-15 5120]
S3 bcbtums;Bluetooth USB LD Filter;c:\windows\system32\drivers\bcbtums.sys [2013-10-28 175320]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-04 06:50    1211720    ----a-w-    c:\program files\Google\Chrome\Application\32.0.1700.107\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-04 07:17]
.
2014-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-12-22 18:36]
.
2014-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-12-22 18:36]
.
.
------- Supplementary Scan -------
.


uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2CCAE600-BC25-4024-A16B-2DBC303C6653}: NameServer = 54.247.108.9,46.165.219.110
TCP: Interfaces\{2CCAE600-BC25-4024-A16B-2DBC303C6653}\E4545564F564537303: NameServer = 23.21.182.24,50.22.147.234
FF - ProfilePath - c:\users\Malcolm\AppData\Roaming\Mozilla\Firefox\Profiles\4kimnyfw.default\

.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Classes\CLSID]
@DACL=(02 0000)
.
[HKEY_USERS\.Default\Software\Classes\CLSID\{8B0FA615-584F-40DC-85C7-78901AC6B80A}]
@DACL=(02 0000)
@="XarViewer Class"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="CLSID_RecordInfo"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="PSDispatch"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="PSEnumVariant"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="PSTypeInfo"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="PSTypeLib"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="PSOAInterface"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="PSTypeComp"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}]
@DACL=(02 0000)
@="Component Categories Manager"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}]
@DACL=(02 0000)
@="Dropbox Autoplay COM Server"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}]
@DACL=(02 0000)
@="CLSID_StdFont"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}]
@DACL=(02 0000)
@="CLSID_StdPict"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{111BCF6E-8BB4-11D2-ADBA-00A0C9A76405}]
@DACL=(02 0000)
@="Coolbar Band"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{111BCF70-8BB4-11D2-ADBA-00A0C9A76405}]
@DACL=(02 0000)
@="Coolbar Bands"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{111BCF7A-8BB4-11D2-ADBA-00A0C9A76405}]
@DACL=(02 0000)
@="ComCtl3.BandProperties"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}]
@DACL=(02 0000)
@="Microsoft Date and Time Picker Control 6.0 (SP6)"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}]
@DACL=(02 0000)
@="Microsoft MonthView Control 6.0 (SP6)"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{38911D8E-E448-11D0-84A3-00DD01104159}]
@DACL=(02 0000)
@="ComCtl3.CoolBarPage"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{38911D90-E448-11D0-84A3-00DD01104159}]
@DACL=(02 0000)
@="ComCtl3.BandsPage"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{38911D92-E448-11D0-84A3-00DD01104159}]
@DACL=(02 0000)
@="Microsoft Coolbar Control, version 6.0"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}]
@DACL=(02 0000)
@="Obsolete Font"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{5522DAF8-06D6-11D2-8D70-00A0C98B28E2}]
@DACL=(02 0000)
@="Coolbar Band"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{5522DAFA-06D6-11D2-8D70-00A0C98B28E2}]
@DACL=(02 0000)
@="Coolbar Bands"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{5522DB04-06D6-11D2-8D70-00A0C98B28E2}]
@DACL=(02 0000)
@="ComCtl3.BandProperties"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}]
@DACL=(02 0000)
@="Microsoft UpDown Control 6.0 (SP6)"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
@DACL=(02 0000)
@="Microsoft Animation Control 6.0 (SP6)"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}]
@DACL=(02 0000)
@="PSFactoryBuffer"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
@DACL=(02 0000)
@="DropboxExt"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
@DACL=(02 0000)
@="DropboxExt"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
@DACL=(02 0000)
@="DropboxExt"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
@DACL=(02 0000)
@="DropboxExt"
.
[HKEY_USERS\S-1-5-21-2345512989-863147342-970537167-1000_Classes\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}]
@DACL=(02 0000)
@="Microsoft Flat Scrollbar Control 6.0 (SP6)"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-18  16:54:56
ComboFix-quarantined-files.txt  2014-02-18 15:54
.
Pre-Run: 114,703,323,136 bytes free
Post-Run: 114,240,286,720 bytes free
.
- - End Of File - - E2578497D790E8DA6C206C979DEA6363
A36C5E4F47E84449FF07ED3517B43A31
 


First check the browsers shortcuts:

Right-click your browser’s shortcut. Choose Properties. Go to the Shortcut tab and navigate to the Target line. There should be only your browser’s directory in the Target line: (Delete anything else)

Internet Explorer – C:\Program Files\Internet Explorer\iexplore.exe

Mozilla Firefox – C:\Program Files\Mozilla Firefox\firefox.exe

Google Chrome – C:\Program Files\Google\Chrome\Application\chrome.exe

Then run another scan with FRST, make sure the Addition box is checked.

Post or attach the 2 logs.

If I don't see anything in the logs we'll just reset all the browsers.

MrC
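As an added example (not part of this thread, and not code from FRST, JRT or ComboFix), the PowerShell script below audits, read-only, the three persistence points this thread dealt with: browser shortcut Target lines carrying extra arguments (the check above), the IE Main start/search page values the fixlog restored, and the HKLM\SOFTWARE\Policies\Google key that FRST flagged and deleted. The allow-list of known-good hosts is an assumed placeholder to adjust for the machine.

```powershell
# Added example, not from this thread or from FRST/JRT/ComboFix: a read-only audit of the
# browser persistence points the thread dealt with. Run in an elevated PowerShell on
# Windows 7 or later. It only reports; it changes nothing.

# Assumed placeholder allow-list of legitimate home/search hosts; adjust for the machine.
$KnownGoodHosts = @('www.google.com', 'www.bing.com', 'www.yahoo.com',
                    'www.microsoft.com', 'go.microsoft.com')

# Browser executables whose shortcuts should carry no extra command-line arguments.
$BrowserExes = @('iexplore.exe', 'firefox.exe', 'chrome.exe')

function Get-UrlHost {
    param([string]$Url)
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return '' }
}

function Test-BrowserShortcuts {
    # Hijackers such as Awesomehp append a URL to the shortcut's Target line; the .lnk
    # stores that as Arguments, so any non-empty Arguments on a browser shortcut is reported.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        [Environment]::GetFolderPath('Desktop'),
        (Join-Path $env:PUBLIC 'Desktop'),
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
    ) | Where-Object { Test-Path $_ }
    if (-not $dirs) { return }

    foreach ($lnk in Get-ChildItem -Path $dirs -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue) {
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $exe = [System.IO.Path]::GetFileName([string]$sc.TargetPath).ToLowerInvariant()
        if ($BrowserExes -contains $exe -and ([string]$sc.Arguments).Trim() -ne '') {
            New-Object PSObject -Property @{
                Type     = 'Shortcut'
                Location = $lnk.FullName
                Value    = $sc.TargetPath
                Finding  = "extra arguments: $($sc.Arguments)"
            }
        }
    }
}

function Test-IEPageValues {
    # The FRST fixlog restored HKLM\...\Internet Explorer\Main, Search Page; report any
    # start/search page value in HKLM or HKCU whose host is not on the allow-list.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
                     'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
            $val = [string]$props.$name
            if ($val -eq '' -or $val -like 'about:*') { continue }
            $urlHost = Get-UrlHost $val
            if ($KnownGoodHosts -notcontains $urlHost) {
                New-Object PSObject -Property @{
                    Type     = 'IE value'
                    Location = "$key\$name"
                    Value    = $val
                    Finding  = "host '$urlHost' not on allow-list"
                }
            }
        }
    }
}

function Test-ChromePolicyKey {
    # Chrome enforces whatever sits under HKLM\SOFTWARE\Policies\Google\Chrome as policy
    # (the FRST log flagged "Policy restriction"). On a home PC that is not domain-managed,
    # any value here (homepage, startup URLs, search provider, forced extensions) is suspect.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $policyKey)) { return }
    $keys = @(Get-Item -Path $policyKey) + @(Get-ChildItem -Path $policyKey -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{
                Type     = 'Chrome policy'
                Location = "$($k.Name)\$name"
                Value    = [string]$k.GetValue($name)
                Finding  = 'policy set on an unmanaged machine'
            }
        }
    }
}

$findings = @(Test-BrowserShortcuts) + @(Test-IEPageValues) + @(Test-ChromePolicyKey)
if ($findings.Count -eq 0) {
    Write-Output 'No suspicious shortcut arguments, IE page values or Chrome policies found.'
} else {
    $findings | Format-Table -Property Type, Location, Value, Finding -AutoSize -Wrap
}
```

Findings are for review only; the thread's own fixlist and manual Chrome reset remain the removal steps.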


This topic is now closed to further replies.