
Rootkit infecting computer, tried full reformatting and reinstalling but didn't work



What I believe to be a rootkit starts to play these incredibly annoying advertisements and I'm trying to get it to stop. I've tried multitudes of solutions but none of them have worked. This is on a Windows 8 laptop. As a last-ditch effort, I tried the "Remove everything and reinstall Windows" option, which I believe is the same as reformatting and reinstalling, and I redownloaded RogueKiller, but the rootkit still appears to be present. Here is a log:

 

¤¤¤ Bad processes : 2 ¤¤¤
[Suspicious.Path] RTFTrack.exe -- C:\Windows\RTFTrack.exe[7] -> KILLED [TermProc]
[Proc.Hidden]  -- [x] -> KILLED [TermThr]
 
¤¤¤ Registry Entries : 7 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RtsFT : RTFTrack.exe  -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0149631407624697mcinstcleanup -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0149631407624697mcinstcleanup -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
 
¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\OFFICE2013ACT -- C:\ProgramData\Microsoft\Windows\OFFICEICON.vbs -> FOUND
[Suspicious.Path] \Lenovo\Lenovo-27332 -- C:\ProgramData\Lenovo-27332.vbs -> FOUND
 
¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] $McRebootA5E6DEAA56$.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\$McRebootA5E6DEAA56$.lnk [LNK@] C:\Windows\System32\cmd.exe /c del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk" -> FOUND
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 28 (Driver: LOADED) ¤¤¤
[EAT:Addr] (explorer.exe) MPR.dll - BatMeterIconAnimationReset : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46874554
[EAT:Addr] (explorer.exe) MPR.dll - BatMeterIconThemeReset : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb468746ec
[EAT:Addr] (explorer.exe) MPR.dll - BatMeterOnDeviceChange : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46874134
[EAT:Addr] (explorer.exe) MPR.dll - CleanupBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46871884
[EAT:Addr] (explorer.exe) MPR.dll - CreateBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46872b98
[EAT:Addr] (explorer.exe) MPR.dll - GetBatMeterIconAnimationState : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb468741f0
[EAT:Addr] (explorer.exe) MPR.dll - GetBatMeterIconAnimationTimeDelay : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46874370
[EAT:Addr] (explorer.exe) MPR.dll - GetBatMeterIconAnimationUpdate : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46874494
[EAT:Addr] (explorer.exe) MPR.dll - GetBatteryCapacityInfo : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873f18
[EAT:Addr] (explorer.exe) MPR.dll - GetBatteryDetails : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46875ad0
[EAT:Addr] (explorer.exe) MPR.dll - GetBatteryImmersiveIcon : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46872060
[EAT:Addr] (explorer.exe) MPR.dll - GetBatteryInfo : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46875100
[EAT:Addr] (explorer.exe) MPR.dll - GetBatteryStatusText : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46875190
[EAT:Addr] (explorer.exe) MPR.dll - GetBatteryWorkingState : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb468719c0
[EAT:Addr] (explorer.exe) MPR.dll - IsBatteryBad : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873f0c
[EAT:Addr] (explorer.exe) MPR.dll - IsBatteryHealthWarningEnabled : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873f00
[EAT:Addr] (explorer.exe) MPR.dll - IsBatteryLevelCritical : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873ec4
[EAT:Addr] (explorer.exe) MPR.dll - IsBatteryLevelLow : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873ed8
[EAT:Addr] (explorer.exe) MPR.dll - IsBatteryLevelReserve : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873eec
[EAT:Addr] (explorer.exe) MPR.dll - PowerCapabilities : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46871560
[EAT:Addr] (explorer.exe) MPR.dll - QueryBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46872c44
[EAT:Addr] (explorer.exe) MPR.dll - SetBatteryHealthWarningState : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46873f00
[EAT:Addr] (explorer.exe) MPR.dll - SetBatteryLevel : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb468727a0
[EAT:Addr] (explorer.exe) MPR.dll - SetBatteryWorkingState : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46871048
[EAT:Addr] (explorer.exe) MPR.dll - SubscribeBatteryUpdateNotification : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46871fb8
[EAT:Addr] (explorer.exe) MPR.dll - UnsubscribeBatteryUpdateNotification : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46871980
[EAT:Addr] (explorer.exe) MPR.dll - UpdateBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb468750c4
[EAT:Addr] (explorer.exe) MPR.dll - UpdateBatteryDataAsync : C:\WINDOWS\system32\BatMeter.dll @ 0x7fb46871b60
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG MZMPA016HMCD-000L1 +++++
--- User ---
[MBR] fe1bcd9b34b790158cb8a42db3310381
[BSP] 73e584a91305dc8c0e091f1e790748c7 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] e9bef62dcaa2cdf902c0dab8cbe19092
[BSP] 2897ebef98d795e5bfe5c89287a1f8f2 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK
 
Thanks in advance for any help you might give me.
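Reading a log like the one above is mostly a matter of looking at where each autostart entry points: an image in a TEMP directory, an executable dropped directly in C:\Windows instead of System32, a service whose name is a long digit string, a Startup-folder shortcut that launches cmd.exe, or an entry whose file FRST could no longer find (`[X]`). The parser below, written for this page as an added example and not code from RogueKiller, FRST or anyone in this thread, takes FRST-style autostart lines (Run keys, Startup shortcuts with their ShortcutTarget line, and service lines) and applies exactly those heuristics. The sample input is lines copied from the FRST log posted later in this thread; the heuristics, the flag wording and the helper names are this example's own assumptions (Python 3.8+ for the walrus operator). A flag is a prompt to go and look at the file, not a verdict: the RtsFT entry is flagged on path alone, which is also why RogueKiller listed it as [Suspicious.Path] rather than as known malware.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample input: autostart lines copied from the FRST.txt posted in
# this thread (three Run keys, the Startup folder entry with its ShortcutTarget
# line, and three Services entries). Real FRST output has the same line shapes.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13260944 2012-11-19] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [RtsFT] => C:\WINDOWS\RTFTrack.exe [6345872 2012-12-06] (Realtek semiconductor)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
ShortcutTarget: $McRebootA5E6DEAA56$.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
S2 0176001407806123mcinstcleanup; C:\WINDOWS\TEMP\017600~1.EXE [828032 2012-06-14] (McAfee, Inc.)
R2 ExpressCache; C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [79664 2012-03-30] (Diskeeper Corporation)
S4 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [X]
"""

RUN_RE = re.compile(r"^(?P<hive>HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<lnk>.*\.lnk)$")
TARGET_RE = re.compile(r"^ShortcutTarget: (?P<lnk>\S+) -> (?P<rest>.*)$")
# "<path> [size date]" or "<path> [X]" (file missing), then an optional "(vendor)"
TRAILER_RE = re.compile(r"^(?P<path>.*?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<vendor>[^()]*)\))?$")
# the launched image: a leading quoted token, or text up to the first executable-looking extension
IMAGE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|dll|sys|vbs|cmd|bat)))', re.IGNORECASE)

# shells and script hosts that have no business being a Startup-folder target
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Entry:
    kind: str                      # "run", "service" or "startup"
    name: str
    image: str                     # executable the entry launches
    meta: Optional[str] = None     # "<size> <date>", or "X" when FRST found no file
    vendor: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def split_trailer(rest: str):
    m = TRAILER_RE.match(rest)
    return m.group("path"), m.group("meta"), m.group("vendor")


def image_of(cmdline: str) -> str:
    m = IMAGE_RE.match(cmdline.strip())
    if not m:
        return cmdline.strip()
    return m.group("quoted") or m.group("bare")


def assess(e: Entry) -> None:
    """Attach triage flags; these are this example's heuristics, not a verdict."""
    p = PureWindowsPath(e.image)
    lowered = e.image.lower()
    if e.meta == "X":
        e.flags.append("orphaned entry: FRST found no file at the image path")
    if "\\temp\\" in lowered:
        e.flags.append("image lives under a TEMP directory")
    if str(p.parent).lower() == "c:\\windows":
        e.flags.append("image sits directly in the Windows root rather than System32")
    if e.kind == "service" and re.match(r"\d{8,}", e.name):
        e.flags.append("service name is a long digit string (randomised name)")
    if e.kind == "startup" and p.name.lower() in SHELLS:
        e.flags.append("Startup-folder shortcut launches a shell or script host")


def parse(log: str) -> List[Entry]:
    entries: List[Entry] = []
    pending = {}   # .lnk basename -> Entry still waiting for its ShortcutTarget line
    for raw in log.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path, meta, vendor = split_trailer(m.group("rest"))
            entries.append(Entry("run", m.group("name"), image_of(path), meta, vendor))
        elif m := SVC_RE.match(line):
            path, meta, vendor = split_trailer(m.group("rest"))
            entries.append(Entry("service", m.group("name"), image_of(path), meta, vendor))
        elif m := STARTUP_RE.match(line):
            lnk = PureWindowsPath(m.group("lnk")).name
            e = Entry("startup", lnk, "")
            pending[lnk] = e
            entries.append(e)
        elif m := TARGET_RE.match(line):
            e = pending.get(m.group("lnk"))
            if e:
                path, _, vendor = split_trailer(m.group("rest"))
                e.image, e.vendor = image_of(path), vendor
    for e in entries:
        assess(e)
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse(SAMPLE_LOG)):
        print(f"[{e.kind}] {e.name} -> {e.image}")
        for f in e.flags:
            print("    -", f)
```

On the sample above this reports four entries: RtsFT (Windows root), the $McReboot shortcut (cmd.exe at startup), the 0176...mcinstcleanup service (TEMP plus a digit-string name) and McShield (orphaned). The next step for each is to look at the file itself (signature, hash, creation time) rather than trust the flag; the Run key launching rundll32.exe is deliberately not flagged here because the thing worth checking in that case is the DLL it loads, which this example leaves to the reader.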

Hello,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin..


Thanks for your assistance, Kevin. In addition, every couple of days since I've reformatted and reinstalled, the computer installs an update but then says that it has trouble installing it and tries to revert the changes. That goes on for a long time and nothing seems to happen, which results in me refreshing my computer just to use it again, which is why I pretty much only have the bloatware that came along with this computer installed.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-08-2014 01

Ran by Andrew (administrator) on IDEA-PC on 11-08-2014 20:58:19

Running from C:\Users\Andrew\Downloads

Platform: Windows 8 (X64) OS Language: English (United States)

Internet Explorer Version 10

Boot Mode: Normal

 

The only official download link for FRST:



Download link from any site other than Bleeping Computer is unpermitted or outdated.


 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe

(Diskeeper Corporation) C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe

(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe

(McAfee, Inc.) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe

(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe

(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE

(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe

(Microsoft Corporation) C:\Windows\System32\wlanext.exe

(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe

(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe

(Microsoft Corporation) C:\Windows\System32\rundll32.exe

(Realtek semiconductor) C:\Windows\RTFTrack.exe

(Lenovo) C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe

(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe

(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe

(CyberLink Corp.) C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe

(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13260944 2012-11-19] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1253520 2012-11-18] (Realtek Semiconductor)

HKLM\...\Run: [SynLenovoGestureMgr] => C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe [665400 2012-11-29] (Synaptics)

HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp

HKLM\...\Run: [RtsFT] => C:\WINDOWS\RTFTrack.exe [6345872 2012-12-06] (Realtek semiconductor)

HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe [4196432 2012-08-10] (Lenovo)

HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17080376 2013-04-24] (Lenovo (Beijing) Limited)

HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [191544 2013-04-24] (Lenovo(beijing) Limited)

HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [285240 2012-09-01] (Intel Corporation)

HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2012-07-27] (CyberLink)

HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167024 2012-07-27] (CyberLink Corp.)

HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [217088 2012-04-18] (CyberLink Corp.)

HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)

HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-12] (Intel Corporation)

HKU\S-1-5-21-2662812467-1105655120-517009536-1002\...\Run: [GoogleChromeAutoLaunch_AF2E2510EC2DA94726BF08BC757DFE33] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [860488 2014-07-15] (Google Inc.)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk

ShortcutTarget: $McRebootA5E6DEAA56$.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)

ShellIconOverlayIdentifiers: SugarSyncBackedUp -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)

ShellIconOverlayIdentifiers: SugarSyncPending -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)

ShellIconOverlayIdentifiers: SugarSyncRoot -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)

ShellIconOverlayIdentifiers: SugarSyncShared -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo13.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo13.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://home.lenovo.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com

SearchScopes: HKLM - DefaultScope {30BD226D-7461-4B05-A5A4-C3CBAFDE3E90} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS

SearchScopes: HKLM - {30BD226D-7461-4B05-A5A4-C3CBAFDE3E90} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS

SearchScopes: HKLM-x32 - DefaultScope {30BD226D-7461-4B05-A5A4-C3CBAFDE3E90} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS

SearchScopes: HKLM-x32 - {30BD226D-7461-4B05-A5A4-C3CBAFDE3E90} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS

SearchScopes: HKCU - DefaultScope {30BD226D-7461-4B05-A5A4-C3CBAFDE3E90} URL = 

SearchScopes: HKCU - {30BD226D-7461-4B05-A5A4-C3CBAFDE3E90} URL = 

DPF: HKLM-x32 {4FF78044-96B4-4312-A5B7-FDA3CB328095} 

Tcpip\Parameters: [DhcpNameServer] 24.178.162.3 8.8.8.8

 

FireFox:

========

FF Plugin-x32: @exent.com/npExentControl,version=7.1.0.1 -> C:\Program Files (x86)\FreeRide Games\npExentControl.dll (Exent Technologies Ltd.)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)

FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK

FF Extension: No Name - C:\Program Files\McAfee\MSK [2013-04-24]

 

Chrome: 

=======

CHR HomePage: hxxp://i.imgur.com/WcuobhD.png

CHR StartupUrls: "hxxp://start.mysearchdial.com/?f=1&a=dsites&cd=2XzuyEtN2Y1L1QzuyCtDyC0CyCyCzy0F0A0FzztB0B0D0AyDtN0D0Tzu0SyBtDtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=693575566&ir=", "hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk-fpITtt_7-dx2uywuT-4gdlP7btPtzk_jJ3qV_I2j6h73yod3AACp811pJUv6vuoObIQy3q9-LTCvun927fNzBdBemwiGEFtr_5ivRJsiAWF6luArrw26yT1Jm_3LV2xJZzCjFD79keKFEnVQJTkBG24yqkkXmHjp_6Q,,", "hxxp://www.google.com"

CHR Extension: (Google Docs) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-11]

CHR Extension: (Docs Offline Background Page) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-11]

CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-11]

CHR Extension: (YouTube) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-11]

CHR Extension: (Adblock Plus) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-08-11]

CHR Extension: (Google Search) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-11]

CHR Extension: (Hedgehog in the fog) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\haocganpkafanhkfldbbmhcpaelmkejg [2014-08-11]

CHR Extension: (Google Wallet) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-11]

CHR Extension: (Gmail) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-11]

 

==================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

S2 0176001407806123mcinstcleanup; C:\WINDOWS\TEMP\017600~1.EXE [828032 2012-06-14] (McAfee, Inc.)

R2 ExpressCache; C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [79664 2012-03-30] (Diskeeper Corporation)

R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)

R4 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272176 2012-09-24] ()

R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2012-12-13] (Nitro PDF Software)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-25] (Microsoft Corporation)

R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [1153840 2012-09-24] (Intel® Corporation)

S4 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [X]

S4 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [X]

S2 mfevtp; "C:\windows\system32\mfevtps.exe" [X]

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-25] (Microsoft Corporation)

R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132480 2012-10-01] (Motorola Solutions, Inc.)

R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1337216 2012-10-01] (Motorola Solutions, Inc.)

R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [23344 2012-03-30] (Diskeeper Corporation)

R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [95024 2012-03-30] (Diskeeper Corporation)

U3 mfeavfk01; No ImagePath

R3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [4306472 2012-09-27] (Intel Corporation)

R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8235792 2012-12-06] (Realtek Semiconductor Corp.)

R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31032 2012-11-29] (Synaptics Incorporated)

S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)

R2 X5XSEx_Pr148; C:\Program Files (x86)\FreeRide Games\X5XSEx_Pr148.Sys [56136 2012-08-02] (Exent Technologies Ltd.)

S0 cfwids; system32\drivers\cfwids.sys [X]

S0 mfeapfk; system32\drivers\mfeapfk.sys [X]

R0 mfeavfk; system32\drivers\mfeavfk.sys [X]

S0 mfeelamk; system32\drivers\mfeelamk.sys [X]

S0 mfefirek; system32\drivers\mfefirek.sys [X]

R0 mfehidk; system32\drivers\mfehidk.sys [X]

S0 mferkdet; system32\drivers\mferkdet.sys [X]

R0 mfewfpk; system32\drivers\mfewfpk.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-08-11 20:58 - 2014-08-11 20:58 - 00016045 _____ () C:\Users\Andrew\Downloads\FRST.txt

2014-08-11 20:57 - 2014-08-11 20:58 - 00000000 ____D () C:\FRST

2014-08-11 20:57 - 2014-08-11 20:57 - 02099712 _____ (Farbar) C:\Users\Andrew\Downloads\FRST64.exe

2014-08-11 19:10 - 2014-08-11 19:10 - 00262144 _____ () C:\WINDOWS\system32\config\userdiff

2014-08-11 19:10 - 2014-08-11 19:10 - 00002266 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

2014-08-11 19:10 - 2014-08-11 19:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome

2014-08-11 19:10 - 2014-08-11 18:40 - 00000000 ____D () C:\Windows.old

2014-08-11 18:48 - 2014-08-11 18:33 - 00000000 ___HD () C:\$SysReset

2014-08-11 18:24 - 2014-08-11 20:29 - 00000914 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

2014-08-11 18:24 - 2014-08-11 19:10 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Google

2014-08-11 18:24 - 2014-08-11 19:10 - 00000000 ____D () C:\Program Files (x86)\Google

2014-08-11 18:24 - 2014-08-11 18:29 - 00000910 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

2014-08-11 18:24 - 2014-08-11 18:24 - 00003886 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA

2014-08-11 18:24 - 2014-08-11 18:24 - 00003650 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore

2014-08-11 18:23 - 2014-08-11 18:59 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Deployment

2014-08-11 18:23 - 2014-08-11 18:23 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Macromedia

2014-08-11 18:23 - 2014-08-11 18:23 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Apps\2.0

2014-08-11 18:20 - 2014-08-11 18:20 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Intel Corporation

2014-08-11 18:19 - 2014-08-11 18:19 - 00000000 ____D () C:\WINDOWS\System32\Tasks\WPD

2014-08-11 18:17 - 2014-08-11 18:17 - 00001441 _____ () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

2014-08-11 18:17 - 2014-08-11 18:17 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Adobe

2014-08-11 18:17 - 2014-08-11 18:17 - 00000000 ____D () C:\ProgramData\eBay

2014-08-11 18:15 - 2014-08-11 18:15 - 00000020 ___SH () C:\Users\Andrew\ntuser.ini

2014-08-11 18:15 - 2014-08-11 18:15 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Intel

2014-08-11 18:15 - 2014-08-11 18:15 - 00000000 ____D () C:\Users\Andrew\AppData\Local\VirtualStore

2014-08-11 18:12 - 2014-08-11 18:20 - 00001133 _____ () C:\Users\Andrew\Desktop\Cyberlink Power2Go.lnk

2014-08-11 18:12 - 2014-08-11 18:18 - 00000000 ____D () C:\Users\Andrew

2014-08-11 18:12 - 2014-08-11 18:13 - 00026673 _____ () C:\WINDOWS\diagwrn.xml

2014-08-11 18:12 - 2014-08-11 18:13 - 00026673 _____ () C:\WINDOWS\diagerr.xml

2014-08-11 18:12 - 2013-04-24 14:21 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo

2014-08-11 18:12 - 2012-07-26 01:13 - 00000000 ___RD () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools

2014-08-11 18:12 - 2012-07-26 01:13 - 00000000 ___RD () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2014-08-11 18:12 - 2012-07-26 01:13 - 00000000 ___RD () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility

2014-08-11 18:12 - 2012-07-26 01:13 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-08-11 18:12 - 2010-12-18 22:31 - 00000189 _____ () C:\Users\Andrew\Desktop\Lenovo Telephony Start Now.url

2014-08-09 19:56 - 2014-08-09 19:56 - 00302011 _____ () C:\Users\Andrew\Downloads\WindowsUpdateDiagnostic.diagcab

2014-08-09 16:00 - 2014-08-09 16:00 - 01141680 _____ () C:\Users\Andrew\Downloads\SteamSetup (1).exe

2014-08-08 20:15 - 2014-08-08 20:15 - 30000520 _____ (NVIDIA Corporation) C:\Users\Andrew\Downloads\GeForce_Experience_v2.1.0.0.exe

2014-08-08 20:14 - 2014-08-08 20:32 - 00000000 ____D () C:\Users\Andrew\Documents\Battlefield 4

2014-08-08 20:14 - 2014-08-08 20:14 - 02247960 _____ () C:\Users\Andrew\Downloads\battlelog-web-plugins_2.4.0_141.exe

2014-08-08 17:01 - 2014-08-08 17:01 - 17090912 _____ (Electronic Arts, Inc.) C:\Users\Andrew\Downloads\OriginThinSetup.exe

2014-08-07 16:51 - 2014-08-07 16:51 - 01141680 _____ () C:\Users\Andrew\Downloads\SteamSetup.exe

2014-08-07 16:43 - 2014-08-07 16:43 - 00000000 __SHD () C:\found.000

2014-08-07 16:41 - 2014-08-07 16:41 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Andrew\Desktop\tdsskiller.exe

2014-08-07 16:29 - 2014-08-07 16:29 - 05392984 _____ () C:\Users\Andrew\Desktop\RogueKillerX64.exe

2014-08-07 05:46 - 2014-08-07 05:46 - 00000000 __SHD () C:\Recovery

2014-08-07 05:46 - 2014-08-07 05:46 - 00000000 _____ () C:\Recovery.txt

2014-08-07 04:53 - 2014-08-07 04:53 - 00000139 _____ () C:\Users\Public\Desktop\eBay.url

2014-08-07 04:52 - 2014-08-11 18:17 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Packages

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-08-11 20:58 - 2014-08-11 20:58 - 00016045 _____ () C:\Users\Andrew\Downloads\FRST.txt

2014-08-11 20:58 - 2014-08-11 20:57 - 00000000 ____D () C:\FRST

2014-08-11 20:57 - 2014-08-11 20:57 - 02099712 _____ (Farbar) C:\Users\Andrew\Downloads\FRST64.exe

2014-08-11 20:29 - 2014-08-11 18:24 - 00000914 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

2014-08-11 20:00 - 2012-07-26 01:12 - 00000000 ____D () C:\WINDOWS\system32\sru

2014-08-11 19:10 - 2014-08-11 19:10 - 00262144 _____ () C:\WINDOWS\system32\config\userdiff

2014-08-11 19:10 - 2014-08-11 19:10 - 00002266 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

2014-08-11 19:10 - 2014-08-11 19:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome

2014-08-11 19:10 - 2014-08-11 18:24 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Google

2014-08-11 19:10 - 2014-08-11 18:24 - 00000000 ____D () C:\Program Files (x86)\Google

2014-08-11 19:10 - 2012-07-26 01:13 - 00262144 _____ () C:\WINDOWS\system32\config\BCD-Template

2014-08-11 19:09 - 2012-07-26 01:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP

2014-08-11 18:59 - 2014-08-11 18:23 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Deployment

2014-08-11 18:50 - 2013-04-24 13:32 - 00166623 _____ () C:\WINDOWS\WindowsUpdate.log

2014-08-11 18:40 - 2014-08-11 19:10 - 00000000 ____D () C:\Windows.old

2014-08-11 18:35 - 2012-07-26 00:59 - 00000000 ____D () C:\WINDOWS\CbsTemp

2014-08-11 18:33 - 2014-08-11 18:48 - 00000000 ___HD () C:\$SysReset

2014-08-11 18:29 - 2014-08-11 18:24 - 00000910 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

2014-08-11 18:24 - 2014-08-11 18:24 - 00003886 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA

2014-08-11 18:24 - 2014-08-11 18:24 - 00003650 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore

2014-08-11 18:23 - 2014-08-11 18:23 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Macromedia

2014-08-11 18:23 - 2014-08-11 18:23 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Apps\2.0

2014-08-11 18:23 - 2012-07-25 22:26 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM

2014-08-11 18:20 - 2014-08-11 18:20 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Intel Corporation

2014-08-11 18:20 - 2014-08-11 18:12 - 00001133 _____ () C:\Users\Andrew\Desktop\Cyberlink Power2Go.lnk

2014-08-11 18:20 - 2012-07-26 01:12 - 00000000 ____D () C:\WINDOWS\AUInstallAgent

2014-08-11 18:19 - 2014-08-11 18:19 - 00000000 ____D () C:\WINDOWS\System32\Tasks\WPD

2014-08-11 18:19 - 2012-07-26 00:28 - 00850046 _____ () C:\WINDOWS\system32\PerfStringBackup.INI

2014-08-11 18:18 - 2014-08-11 18:12 - 00000000 ____D () C:\Users\Andrew

2014-08-11 18:18 - 2013-04-24 14:26 - 00000000 ____D () C:\WINDOWS\System32\Tasks\Lenovo

2014-08-11 18:17 - 2014-08-11 18:17 - 00001441 _____ () C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

2014-08-11 18:17 - 2014-08-11 18:17 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Adobe

2014-08-11 18:17 - 2014-08-11 18:17 - 00000000 ____D () C:\ProgramData\eBay

2014-08-11 18:17 - 2014-08-07 04:52 - 00000000 ____D () C:\Users\Andrew\AppData\Local\Packages

2014-08-11 18:17 - 2013-04-24 15:40 - 00107105 _____ () C:\WINDOWS\modules.log

2014-08-11 18:16 - 2013-04-24 14:25 - 00000000 ____D () C:\ProgramData\McAfee

2014-08-11 18:15 - 2014-08-11 18:15 - 00000020 ___SH () C:\Users\Andrew\ntuser.ini

2014-08-11 18:15 - 2014-08-11 18:15 - 00000000 ____D () C:\Users\Andrew\AppData\Roaming\Intel

2014-08-11 18:15 - 2014-08-11 18:15 - 00000000 ____D () C:\Users\Andrew\AppData\Local\VirtualStore

2014-08-11 18:15 - 2012-07-26 01:12 - 00000000 ___RD () C:\WINDOWS\ImmersiveControlPanel

2014-08-11 18:15 - 2012-07-26 01:12 - 00000000 ____D () C:\WINDOWS\WinStore

2014-08-11 18:13 - 2014-08-11 18:12 - 00026673 _____ () C:\WINDOWS\diagwrn.xml

2014-08-11 18:13 - 2014-08-11 18:12 - 00026673 _____ () C:\WINDOWS\diagerr.xml

2014-08-11 18:13 - 2012-10-09 17:08 - 00000000 ____D () C:\WINDOWS\Panther

2014-08-11 18:13 - 2012-07-26 01:12 - 00000000 __RHD () C:\Users\Public\Libraries

2014-08-11 18:13 - 2012-07-26 01:12 - 00000000 ____D () C:\WINDOWS\system32\Recovery

2014-08-11 18:13 - 2012-07-26 01:12 - 00000000 ____D () C:\WINDOWS\rescache

2014-08-11 18:13 - 2012-07-26 00:21 - 00028379 _____ () C:\WINDOWS\setupact.log

2014-08-11 18:13 - 2012-07-25 22:37 - 00000000 ___HD () C:\Users\Default

2014-08-11 18:12 - 2012-10-09 16:09 - 00000000 ____D () C:\Users\Administrator

2014-08-11 18:11 - 2013-04-24 13:48 - 00000000 ____D () C:\ProgramData\NVIDIA

2014-08-11 18:11 - 2012-07-26 00:22 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT

2014-08-11 17:24 - 2012-07-25 22:26 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI

2014-08-09 19:56 - 2014-08-09 19:56 - 00302011 _____ () C:\Users\Andrew\Downloads\WindowsUpdateDiagnostic.diagcab

2014-08-09 16:00 - 2014-08-09 16:00 - 01141680 _____ () C:\Users\Andrew\Downloads\SteamSetup (1).exe

2014-08-08 20:32 - 2014-08-08 20:14 - 00000000 ____D () C:\Users\Andrew\Documents\Battlefield 4

2014-08-08 20:15 - 2014-08-08 20:15 - 30000520 _____ (NVIDIA Corporation) C:\Users\Andrew\Downloads\GeForce_Experience_v2.1.0.0.exe

2014-08-08 20:14 - 2014-08-08 20:14 - 02247960 _____ () C:\Users\Andrew\Downloads\battlelog-web-plugins_2.4.0_141.exe

2014-08-08 17:01 - 2014-08-08 17:01 - 17090912 _____ (Electronic Arts, Inc.) C:\Users\Andrew\Downloads\OriginThinSetup.exe

2014-08-07 16:51 - 2014-08-07 16:51 - 01141680 _____ () C:\Users\Andrew\Downloads\SteamSetup.exe

2014-08-07 16:43 - 2014-08-07 16:43 - 00000000 __SHD () C:\found.000

2014-08-07 16:41 - 2014-08-07 16:41 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Andrew\Desktop\tdsskiller.exe

2014-08-07 16:29 - 2014-08-07 16:29 - 05392984 _____ () C:\Users\Andrew\Desktop\RogueKillerX64.exe

2014-08-07 05:46 - 2014-08-07 05:46 - 00000000 __SHD () C:\Recovery

2014-08-07 05:46 - 2014-08-07 05:46 - 00000000 _____ () C:\Recovery.txt

2014-08-07 04:53 - 2014-08-07 04:53 - 00000139 _____ () C:\Users\Public\Desktop\eBay.url

 

Files to move or delete:

====================

C:\ProgramData\Lenovo-27332.vbs

 

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2012-10-09 16:08

 

==================== End Of Log ============================

Addition.txt

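The "Bamital & volsnap Check" section of the FRST log above verifies the Authenticode signatures of the binaries that file-infecting rootkits most often patch (winlogon, userinit, explorer, svchost, volsnap.sys and friends), and the "Files to move or delete" section flags a scheduled task wired to C:\ProgramData\Lenovo-27332.vbs. The script below is an added example, not code from the thread or from FRST, that reproduces both checks with built-in Windows PowerShell cmdlets. The file list is copied from the log; the set of interpreters and script extensions it treats as suspicious is an assumption for illustration.

```powershell
# Added example, not part of the original thread or of FRST.
# Run from an elevated PowerShell prompt on Windows 8 or later.

# Same core files FRST checks in its "Bamital & volsnap Check".
$core = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

foreach ($path in $core) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path => MISSING"
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(no signer)" }
    # Status values other than Valid (HashMismatch, NotSigned, UnknownError)
    # mean the on-disk bytes are not covered by a trusted signature.
    # Caveat: before PowerShell 5.1 this cmdlet ignores catalog signatures,
    # so a clean catalog-signed Windows binary can show as NotSigned; confirm
    # with "sfc /verifyfile=<path>" before treating it as tampered.
    Write-Output ("{0} => {1} [{2}]" -f $path, $sig.Status, $subject)
}

# Scheduled tasks whose action is a script host or a script file, which is
# how the Lenovo-27332.vbs task in the log is launched. The pattern is an
# assumed starting point, not an exhaustive list.
$suspicious = '(?i)(wscript|cscript)\.exe|\.(vbs|vbe|js|jse|wsf)\b'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # ComHandler actions have no Execute property; that yields $null here.
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match $suspicious) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

The task listing is where the adware in this thread actually lives: a .vbs under C:\ProgramData driven by the Task Scheduler survives a "Remove everything" reset only if it is re-created afterwards by something the reset keeps (an OEM recovery image, a driver package, or a download the user repeats), so the creation date of the task and the script is the next thing to compare against the reinstall timestamp in the log.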

Do not see any evidence of any major infection, can see browser hijacker running in Chrome...

 

Continue and run the following:

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
On the Dashboard, click the 'Update Now >>' link
Select Settings > Detection and Protection > Enable Scan for rootkit, and under Non-Malware Protection set both PUP and PUM to Treat detections as malware.
Click the 'Scan Now >>' button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

Let me see those logs in your next reply, also let me know if issues still remain....

 

Kevin...


# AdwCleaner v3.304 - Report created 12/08/2014 at 11:36:01

# Updated 08/08/2014 by Xplode

# Operating System : Windows 8  (64 bits)

# Username : Andrew - IDEA-PC

# Running from : C:\Users\Andrew\Downloads\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

 

***** [ Scheduled Tasks ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v10.0.9200.16453

 

 

-\\ Google Chrome v36.0.1985.125

 

[ File : C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

Deleted [startup_urls] : hxxp://start.mysearchdial.com/?f=1&a=dsites&cd=2XzuyEtN2Y1L1QzuyCtDyC0CyCyCzy0F0A0FzztB0B0D0AyDtN0D0Tzu0SyBtDtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=693575566&ir=

Deleted [startup_urls] : hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk-fpITtt_7-dx2uywuT-4gdlP7btPtzk_jJ3qV_I2j6h73yod3AACp811pJUv6vuoObIQy3q9-LTCvun927fNzBdBemwiGEFtr_5ivRJsiAWF6luArrw26yT1Jm_3LV2xJZzCjFD79keKFEnVQJTkBG24yqkkXmHjp_6Q,,

 

*************************

 

AdwCleaner[R0].txt - [1217 octets] - [12/08/2014 11:35:05]

AdwCleaner[s0].txt - [1142 octets] - [12/08/2014 11:36:01]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1202 octets] ##########

# AdwCleaner v3.304 - Report created 12/08/2014 at 12:38:43

# Updated 08/08/2014 by Xplode

# Operating System : Windows 8  (64 bits)

# Username : Andrew - IDEA-PC

# Running from : C:\Users\Andrew\Downloads\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

 

***** [ Scheduled Tasks ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v10.0.9200.16453

 

 

-\\ Google Chrome v36.0.1985.125

 

[ File : C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

Deleted [startup_urls] : hxxp://start.mysearchdial.com/?f=1&a=dsites&cd=2XzuyEtN2Y1L1QzuyCtDyC0CyCyCzy0F0A0FzztB0B0D0AyDtN0D0Tzu0SyBtDtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=693575566&ir=

Deleted [startup_urls] : hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk-fpITtt_7-dx2uywuT-4gdlP7btPtzk_jJ3qV_I2j6h73yod3AACp811pJUv6vuoObIQy3q9-LTCvun927fNzBdBemwiGEFtr_5ivRJsiAWF6luArrw26yT1Jm_3LV2xJZzCjFD79keKFEnVQJTkBG24yqkkXmHjp_6Q,,

 

*************************

 

AdwCleaner[R0].txt - [2494 octets] - [12/08/2014 11:35:05]

AdwCleaner[s0].txt - [2424 octets] - [12/08/2014 11:36:01]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2484 octets] ##########

 

 

 

Seems like the JRT file came up empty:

 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.1.4 (04.06.2014:1)

OS: Windows 8 x64

Ran by Andrew on Tue 08/12/2014 at 12:42:09.46

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

~~~ Services

 

 

 

~~~ Registry Values

 

 

 

~~~ Registry Keys

 

 

 

~~~ Files

 

 

 

~~~ Folders

 

 

 

~~~ Event Viewer Logs were cleared

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 08/12/2014 at 12:44:42.91

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Honestly, I still do believe that my computer has a rootkit. RogueKiller still comes up with the same host of files under the Antirootkit tab. In addition to this, ever since I reformatted and reinstalled the OS, the Windows Updater has completely not worked: every couple of days it would try to install updates when I shut down or restart my computer, but then it would give the message "Failed configuring Windows update, reverting changes". I tried running the Windows Updater Troubleshooting tool, and it always claims to have found and fixed a problem, but then it happens again, which leads me to suspect that a rootkit is interfering with the updating. It's all very frustrating because in order to use my computer I have to either do a System Restore or refresh my computer, which involves me losing all installed programs.


Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 8/12/2014

Scan Time: 1:33:55 PM

Logfile: bat.txt

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.08.12.09

Rootkit Database: v2014.08.04.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 8

CPU: x64

File System: NTFS

User: Andrew

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 354070

Time Elapsed: 5 min, 3 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 1

PUP.Optional.MySearchDial.A, C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ ""http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk-fpITtt_7-dx2uywuT-4gdlP7btPtzk_jJ3qV_I2j6h73yod3AACp811pJUv6vuoObIQy3q9-LTCvun927fNzBdBemwiGEFtr_5ivRJsiAWF6luArrw26yT1Jm_3LV2xJZzCjFD79keKFEnVQJTkBG24yqkkXmHjp_6Q,,", "http://www.google.com" ],), Replaced,[9cfc80427efd06300a4815e95ca86799]

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)
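Both AdwCleaner ("Deleted [startup_urls]") and Malwarebytes (PUP.Optional.MySearchDial.A in Chrome's Preferences) are acting on the same thing: Chrome stores its startup pages and homepage in the JSON file `User Data\Default\Preferences`, and the hijacker had written the mysearchdial and snapdo URLs into it. The following is an added example, not code from the thread or from either tool, that audits that file against a host allowlist and produces a cleaned copy. The allowlist, the cut-down sample Preferences document (its two hijack URLs are the ones from the logs, with the long snapdo parameter shortened) and the function names are all constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Assumed allowlist for this example; adjust to the pages the user actually wants.
TRUSTED_HOSTS = {"www.google.com", "google.com"}

# Constructed sample of Chrome's Preferences file, cut down to the keys examined.
# The two hijack URLs are the ones reported in the thread (snapdo parameter shortened).
SAMPLE_PREFERENCES = r'''{
  "homepage": "http://start.mysearchdial.com/?f=1&a=dsites",
  "homepage_is_newtabpage": false,
  "session": {
    "restore_on_startup": 4,
    "startup_urls": [
      "http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk",
      "http://www.google.com"
    ]
  }
}'''


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def find_hijacks(prefs, trusted=TRUSTED_HOSTS):
    """Return [(setting, url)] for every homepage/startup URL whose host is not trusted."""
    hits = []
    home = prefs.get("homepage")
    if home and host_of(home) not in trusted:
        hits.append(("homepage", home))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in trusted:
            hits.append(("session.startup_urls", url))
    return hits


def clean_prefs(prefs, trusted=TRUSTED_HOSTS):
    """Return a deep copy with untrusted startup URLs dropped and an untrusted
    homepage reset to the New Tab page, mirroring AdwCleaner's deletion."""
    cleaned = json.loads(json.dumps(prefs))
    if cleaned.get("homepage") and host_of(cleaned["homepage"]) not in trusted:
        del cleaned["homepage"]
        cleaned["homepage_is_newtabpage"] = True
    session = cleaned.setdefault("session", {})
    session["startup_urls"] = [u for u in session.get("startup_urls", [])
                               if host_of(u) in trusted]
    # restore_on_startup: 4 = "open a specific set of pages", 5 = "open the New Tab page".
    # With no pages left to open, 4 would make Chrome start on a blank set, so fall back to 5.
    if not session["startup_urls"] and session.get("restore_on_startup") == 4:
        session["restore_on_startup"] = 5
    return cleaned


def audit_preferences_text(text, trusted=TRUSTED_HOSTS):
    """Parse a Preferences document and return (hijacks found, cleaned copy)."""
    prefs = json.loads(text)
    return find_hijacks(prefs, trusted), clean_prefs(prefs, trusted)


if __name__ == "__main__":
    hits, cleaned = audit_preferences_text(SAMPLE_PREFERENCES)
    for setting, url in hits:
        print(f"hijack: {setting} -> {url}")
    print(json.dumps(cleaned, indent=2))
```

Two caveats if this is used on a live profile: Chrome must be closed, because it rewrites Preferences on exit and would overwrite the edit; and since the Chrome 3x line on Windows the startup URLs and homepage are "tracked" settings whose values are also recorded with a MAC in `Secure Preferences`, so a hand edit can trigger Chrome's own settings reset rather than be accepted silently. Re-running the audit after Chrome has been started and closed once is the check that the change stuck, and a hijack that returns after that points at something re-writing the file (an extension or a scheduled task), not at a leftover in the JSON.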

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
