
PUP.Optional.Spigot.A in Chrome preferences



Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log: use the attach option at the bottom right corner of this page, then the new window that comes up.

Last................

Please download RogueKiller 32 bit to your desktop and run it.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Ran Malwarebytes and Quarantined results.  Here is the log.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/15/2014
Scan Time: 7:30:32 PM
Logfile: Malwarebytes Log.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.09.16.02
Rootkit Database: v2014.09.15.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Dad
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 562509
Time Elapsed: 47 min, 25 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.Spigot.A, C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ ""http://google.com/", "http://search.yahoo.com/?type=800236&fr=spigot-yhp-ch" ],), Replaced,[3220b5397dfec86e313a9d94c04551af]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
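The Malwarebytes hit above is a single JSON value inside Chrome's per-profile Preferences file: a second entry appended to session.startup_urls pointing at Yahoo search with a Spigot affiliate tag (fr=spigot-yhp-ch). The same file also holds the homepage and the default search provider, which is where the blekko and Ask.com providers reported later in the thread live. The script below is an added example for this thread, not code from Malwarebytes, AdwCleaner or Google; it reads a Preferences file, flags URL-valued settings that match indicator patterns, and can write a cleaned copy. The indicator list is an assumption built from the URLs visible in this thread's logs, and the sample profile is constructed to mirror the detection line above.

```python
"""Check a Chrome profile's Preferences file for the kind of hijack seen above.

Added example for this thread, not code from Malwarebytes, AdwCleaner or Google.
Chrome keeps each profile's settings as JSON in a file named Preferences; the
keys read here (session.startup_urls, homepage, default_search_provider.*)
are the ones the Malwarebytes detection touched.  The indicator patterns are
an assumption built from the URLs visible in this thread's logs.
"""
import json
import re
import shutil
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed indicators, derived from the URLs this thread's logs show.
PUP_INDICATORS = [
    re.compile(r"[?&]fr=spigot", re.I),            # Yahoo search carrying a Spigot affiliate tag
    re.compile(r"blekko\.com/.*toolbarid=", re.I),  # blekko toolbar search provider
    re.compile(r"\.ask\.com/web\?", re.I),          # Ask.com search provider
]

# URL-valued fields of the default search provider (Chrome 37-era layout).
URL_FIELDS = ("search_url", "suggest_url", "instant_url")

# Constructed sample profile, modelled on the Preferences entry MBAM flagged.
SAMPLE_PREFS: Dict = {
    "homepage": "http://google.com/",
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "http://google.com/",
            "http://search.yahoo.com/?type=800236&fr=spigot-yhp-ch",
        ],
    },
    "default_search_provider": {
        "name": "blekko",
        "search_url": "http://blekko.com/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb&q={searchTerms}",
    },
}


def is_suspicious(url: str) -> bool:
    """True if the URL matches any indicator pattern."""
    return any(p.search(url) for p in PUP_INDICATORS)


def find_hijacks(prefs: Dict) -> List[Tuple[str, str]]:
    """Return (pref_path, url) for every URL-valued setting that matches an indicator."""
    hits: List[Tuple[str, str]] = []
    for i, url in enumerate(prefs.get("session", {}).get("startup_urls", [])):
        if isinstance(url, str) and is_suspicious(url):
            hits.append((f"session.startup_urls[{i}]", url))
    homepage = prefs.get("homepage")
    if isinstance(homepage, str) and is_suspicious(homepage):
        hits.append(("homepage", homepage))
    provider = prefs.get("default_search_provider", {})
    for field in URL_FIELDS:
        value = provider.get(field)
        if isinstance(value, str) and is_suspicious(value):
            hits.append((f"default_search_provider.{field}", value))
    return hits


def clean_prefs(prefs: Dict) -> Dict:
    """Return a copy with matching startup URLs dropped and a hijacked homepage or
    search provider removed.  Chrome falls back to its built-in default for an
    absent key, so removing it is safer than guessing a replacement value."""
    out = json.loads(json.dumps(prefs))  # deep copy; the caller's dict stays untouched
    session = out.get("session", {})
    if isinstance(session.get("startup_urls"), list):
        session["startup_urls"] = [u for u in session["startup_urls"] if not is_suspicious(u)]
    if isinstance(out.get("homepage"), str) and is_suspicious(out["homepage"]):
        del out["homepage"]
    provider = out.get("default_search_provider", {})
    if any(isinstance(provider.get(f), str) and is_suspicious(provider[f]) for f in URL_FIELDS):
        del out["default_search_provider"]
    return out


def scan_file(path: Path, fix: bool = False) -> List[Tuple[str, str]]:
    """Scan one Preferences file; with fix=True write a cleaned copy after backing
    the original up as Preferences.bak.  Chrome must be closed first, or it
    rewrites the file on exit."""
    prefs = json.loads(path.read_text(encoding="utf-8"))
    hits = find_hijacks(prefs)
    if hits and fix:
        shutil.copy2(path, path.with_suffix(".bak"))
        path.write_text(json.dumps(clean_prefs(prefs), indent=3), encoding="utf-8")
    return hits


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])  # e.g. ...\Google\Chrome\User Data\Default\Preferences
    else:                           # no path given: demonstrate on the constructed sample
        target = Path(tempfile.mkdtemp()) / "Preferences"
        target.write_text(json.dumps(SAMPLE_PREFS), encoding="utf-8")
    for pref_path, url in scan_file(target, fix="--fix" in sys.argv[2:]):
        print(f"{pref_path}: {url}")
```

Two caveats a practitioner should keep in mind. First, the helper's reason for switching off Settings sync before cleaning applies here too: if the Google account still holds the hijacked value, Chrome Sync writes it straight back into the profile, which is why the thread clears the Dashboard data and only re-enables sync afterwards. Second, current Chrome builds protect these particular keys with a per-profile MAC (the Secure Preferences file), so an out-of-band edit may be reverted or reset to defaults at the next launch; on anything newer than the Chrome 37 in this thread, treat the script as a read-only check and fix through the browser UI or a dedicated tool.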

FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by Dad (administrator) on FAMILY on 15-09-2014 20:21:25
Running from C:\Documents and Settings\Dad\Desktop
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.wireshark.org)
X Codec Pack (HKLM\...\X Codec Pack) (Version: 2.6.2 - X Codec Pack team)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Documents and Settings\Dad\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{1F876ED4-9204-4DF4-86FC-B73067A74676}\InprocServer32 -> C:\Documents and Settings\Dad\Application Data\DISH Anywhere\DISH Anywhere Video Player Installer\npNMPCBrowserPlugin.dll (Nagravision)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\GoogleUpdateOn (the data entry has 19 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\GoogleUpdateOn (the data entry has 19 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\psuser.dll No F (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}\InprocServer32 -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll (Amazon.com, Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\GoogleUpdateOn (the data entry has 19 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{57FA2D12-D22D-490A-805A-5CB48E84F12A}\InprocServer32 -> C:\Program Files\Beyond Compare 3\BCShellEx.dll (Scooter Software)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\npGoogleUpdate3 (the data entry has 12 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\npGoogleUpdate3 (the data entry has 12 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\GoogleUpdateOn (the data entry has 19 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{E69341A3-E6D2-4175-B60C-C9D3D6FA40F6}\localserver32 -> C:\Documents and Settings\Dad\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.23.9\psuser.dll No F (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Dad\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Dad\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Dad\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-776561741-1844237615-1801674531-1004_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Dad\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
 
==================== Restore Points  =========================
 
02-08-2014 01:34:13 System Checkpoint
12-08-2014 14:29:32 System Checkpoint
18-08-2014 17:05:24 Software Distribution Service 3.0
19-08-2014 17:07:32 System Checkpoint
21-08-2014 01:46:20 System Checkpoint
22-08-2014 02:22:41 System Checkpoint
23-08-2014 03:30:06 System Checkpoint
26-08-2014 02:01:11 System Checkpoint
28-08-2014 02:08:50 System Checkpoint
29-08-2014 06:03:20 System Checkpoint
30-08-2014 06:17:53 System Checkpoint
31-08-2014 07:14:14 System Checkpoint
01-09-2014 07:20:47 System Checkpoint
03-09-2014 05:00:39 System Checkpoint
04-09-2014 07:25:39 System Checkpoint
05-09-2014 19:53:12 System Checkpoint
06-09-2014 23:56:18 System Checkpoint
08-09-2014 00:34:18 System Checkpoint
09-09-2014 04:02:21 System Checkpoint
10-09-2014 04:05:31 System Checkpoint
11-09-2014 05:04:19 System Checkpoint
11-09-2014 10:00:13 Software Distribution Service 3.0
13-09-2014 00:48:10 System Checkpoint
14-09-2014 17:49:05 System Checkpoint
16-09-2014 01:03:38 System Checkpoint
16-09-2014 02:44:10 prior to Malwarebytes forum Malware removal
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2001-08-23 04:00 - 2001-08-23 04:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job => C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job => C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1844237615-1801674531-1004Core.job => C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1844237615-1801674531-1004UA.job => C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-776561741-1844237615-1801674531-1004.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-776561741-1844237615-1801674531-1004.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-04-02 04:11 - 2014-07-17 15:18 - 00301152 _____ () C:\Program Files\AVAST Software\Avast\aswProperty.dll
2014-09-15 15:57 - 2014-09-15 15:57 - 02862592 _____ () C:\Program Files\AVAST Software\Avast\defs\14091501\algo.dll
2014-01-20 14:17 - 2014-01-20 14:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-01-20 14:16 - 2014-01-20 14:16 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2008-04-14 05:42 - 2013-01-01 23:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2012-12-22 16:02 - 2010-08-10 22:37 - 00217088 _____ () C:\Program Files\ASUS\Printer Utilities\UsbService.exe
2008-04-14 05:41 - 2008-04-14 05:41 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2008-04-14 05:42 - 2008-04-14 05:42 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2013-12-03 21:07 - 2014-07-17 15:18 - 19329904 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2013-12-10 14:06 - 2013-12-10 14:06 - 10683392 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\QtWebKit4.dll
2013-12-10 14:06 - 2013-12-10 14:06 - 07741952 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\QtGui4.dll
2013-12-10 14:06 - 2013-12-10 14:06 - 02248192 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\QtCore4.dll
2013-12-10 14:06 - 2013-12-10 14:06 - 01681408 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\QtNetwork4.dll
2014-05-15 14:20 - 2014-05-15 14:20 - 00117248 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\libaacdec.dll
2014-05-15 14:20 - 2014-05-15 14:20 - 00231936 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\libmpgdec.dll
2014-05-15 14:21 - 2014-05-15 14:21 - 00253440 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\libid3tag.dll
2014-05-15 14:24 - 2014-05-15 14:24 - 00344064 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\libaudioenc.dll
2013-12-10 14:06 - 2013-12-10 14:06 - 00026624 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Programs\Google\MusicManager\imageformats\qgif4.dll
2014-09-15 11:57 - 2014-09-15 11:57 - 00011264 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\nsrA.tmp\System.dll
2014-09-15 11:57 - 2014-09-15 11:57 - 00098816 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32api.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00110080 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\pywintypes27.dll
2014-09-15 11:57 - 2014-09-15 11:57 - 00364544 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\pythoncom27.dll
2014-09-15 11:57 - 2014-09-15 11:57 - 00045568 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\_socket.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 01160704 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\_ssl.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00320512 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32com.shell.shell.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00713216 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\_hashlib.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 01175040 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._core_.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00805888 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._gdi_.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00811008 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._windows_.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 01062400 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._controls_.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00735232 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._misc_.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00128512 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\_elementtree.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00127488 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\pyexpat.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00557056 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\pysqlite2._sqlite.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00007168 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\hashobjs_ext.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00087552 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\_ctypes.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00119808 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32file.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00108544 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32security.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00018432 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32event.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00038912 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32inet.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00070656 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._html2.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00167936 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32gui.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00011264 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32crypt.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00027136 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\_multiprocessing.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00686080 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\unicodedata.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00122368 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._wizard.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00010240 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\select.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00024064 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32pipe.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00025600 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32pdh.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00525640 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\windows._lib_cacheinvalidation.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00035840 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32process.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00017408 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32profile.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00022528 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\win32ts.pyd
2014-09-15 11:57 - 2014-09-15 11:57 - 00078336 _____ () C:\Documents and Settings\Dad\Local Settings\Temp\_MEI26162\wx._animate.pyd
2014-09-10 15:30 - 2014-09-03 20:01 - 08577864 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.120\pdf.dll
2014-09-10 15:30 - 2014-09-03 20:01 - 00331592 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.120\ppGoogleNaClPluginChrome.dll
2014-09-10 15:30 - 2014-09-03 20:01 - 01660232 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.120\ffmpegsumo.dll
2014-09-10 15:30 - 2014-09-03 20:01 - 00310088 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.120\libexif.dll
2014-04-09 08:38 - 2014-02-10 13:44 - 04592128 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2014-04-09 08:38 - 2014-02-10 13:44 - 00112128 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
2014-09-10 15:30 - 2014-09-03 20:01 - 14891848 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.120\PepperFlash\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/09/2014 03:29:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 37.0.2062.103, faulting module chrome.dll, version 37.0.2062.103, fault address 0x0000ecb6.
Processing media-specific event for [chrome.exe!ws!]
 
Error: (07/19/2014 05:08:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application e_farncea.exe, version 5.0.1.0, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00010717.
Processing media-specific event for [e_farncea.exe!ws!]
 
Error: (06/06/2014 08:15:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application CDViewer.exe, version 14.1.0.0, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x0000bde7.
Processing media-specific event for [CDViewer.exe!ws!]
 
 
System errors:
=============
Error: (09/15/2014 11:57:07 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The LiveUpdate service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (09/15/2014 11:56:07 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MotoHelper Service service failed to start due to the following error: 
%%2
 
Error: (09/15/2014 11:56:07 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Zune Bus Enumerator Driver service failed to start due to the following error: 
%%2
 
Error: (09/15/2014 11:54:45 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (09/15/2014 11:54:45 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (09/15/2014 11:53:40 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (09/15/2014 11:53:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (09/15/2014 11:53:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (09/15/2014 11:53:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The ASUS Virtual MFP Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (09/15/2014 11:53:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly.  It has done this 1 time(s).
 
 
Microsoft Office Sessions:
=========================
Error: (09/09/2014 03:29:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe37.0.2062.103chrome.dll37.0.2062.1030000ecb6
 
Error: (07/19/2014 05:08:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: e_farncea.exe5.0.1.0ntdll.dll5.1.2600.605500010717
 
Error: (06/06/2014 08:15:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: CDViewer.exe14.1.0.0msvcr80.dll8.0.50727.61950000bde7
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz
Percentage of memory in use: 79%
Total physical RAM: 3318.48 MB
Available physical RAM: 668.43 MB
Total Pagefile: 6271.37 MB
Available Pagefile: 1261.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1929.04 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:59.62 GB) (Free:2.98 GB) NTFS ==>[Drive with boot components (Windows XP)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 59.6 GB) (Disk ID: EB7002A1)
Partition 1: (Active) - (Size=59.6 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

RogueKiller Report

 

RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dad [Admin rights]
Mode : Scan -- Date : 09/15/2014  20:43:16
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 4 ¤¤¤
[PUM.StartMenu] HKEY_USERS\S-1-5-21-776561741-1844237615-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-776561741-1844237615-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.HomePage] HKEY_USERS\S-1-5-21-776561741-1844237615-1801674531-1004\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 3 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\00000073 : \Driver\Imapi @ Unknown (\SystemRoot\system32\DRIVERS\serial.sys)
[Filter(Root.Keylogger)] \Driver\Kbdclass @ \Device\KeyboardClass2 : \Driver\kbdcap @ Unknown (\SystemRoot\System32\Drivers\kbdcap.SYS)
[Filter(Root.Keylogger)] \Driver\Kbdclass @ \Device\KeyboardClass1 : \Driver\kbdcap @ Unknown (\SystemRoot\System32\Drivers\kbdcap.SYS)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: M4-CT064M4SSD2 +++++
--- User ---
[MBR] dc4bf3169d373b896e3def426a9faf32
[BSP] 5ec538ea9e7ad932fe3f3a1ff97b1781 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 61055 MB
User = LL1 ... OK
User = LL2 ... OK

Make sure you have created a restore point and.....

Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ============================

    Open up Chrome and click on the 3 bars in the upper right hand corner.

    Then in Chrome go to Settings > Advanced Sync Settings > Un-check Settings > Click OK

    Then go to Google Dashboard > Click on Stop and Clear left bottom of the page.

    Close out Chrome.

    =========================

    Please download AdwCleaner from HERE or HERE to your desktop.

    • Double click on AdwCleaner.exe to run the tool.

      Vista/Windows 7/8 users right-click and select Run As Administrator

    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
    • To restore an item that has been deleted:
    • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
    Next..................

    Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next.........

    Please run a Threat Scan

    Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

    Same for PUM (Potentially Unwanted Modifications)

    Quarantine All that's found

    ================================

    After about an hour, go back and re-sync Settings:

    Start Chrome

    Click on the 3 bars in the upper right hand corner.

    Then in Chrome go to Settings > Advanced Sync Settings > Check Settings > Click OK

    Re-scan with MB and it should be gone.

    Let me know.....MrC


Made Chrome Settings changes, ran AdwCleaner, ran JRT, and then ran the Malwarebytes scan which found no malicious items.

 

Looks like it may be fixed!! Thank You.  Logs are pasted below.

 

AdwCleaner log

 

# AdwCleaner v3.310 - Report created 16/09/2014 at 10:15:47
# Updated 12/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Dad - FAMILY
# Running from : C:\Documents and Settings\Dad\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Mozilla Firefox v30.0 (en-US)
 
[ File : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\pbitbxu5.default-1401071838375\prefs.js ]
 
 
[ File : C:\Documents and Settings\Mary\Application Data\Mozilla\Firefox\Profiles\bhil451g.default\prefs.js ]
 
 
[ File : C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\xqov4duk.default\prefs.js ]
 
 
-\\ Google Chrome v37.0.2062.120
 
[ File : C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
Deleted [search Provider] : hxxp://blekko.com/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb&u=201203284F6844A8916D39A250EC0888&q={searchTerms}
Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [startup_urls] : hxxp://search.yahoo.com/?type=800236&fr=spigot-yhp-ch
 
[ File : C:\Documents and Settings\Mary\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Documents and Settings\Nicole\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Documents and Settings\Rochelle\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [7396 octets] - [10/04/2014 22:56:50]
AdwCleaner[R1].txt - [1939 octets] - [12/04/2014 22:43:18]
AdwCleaner[R2].txt - [3126 octets] - [15/09/2014 09:52:37]
AdwCleaner[R3].txt - [3186 octets] - [15/09/2014 10:14:07]
AdwCleaner[R4].txt - [2378 octets] - [15/09/2014 11:48:10]
AdwCleaner[R5].txt - [2494 octets] - [15/09/2014 12:22:54]
AdwCleaner[R6].txt - [2539 octets] - [16/09/2014 10:08:54]
AdwCleaner[s0].txt - [7463 octets] - [10/04/2014 23:02:43]
AdwCleaner[s1].txt - [2000 octets] - [12/04/2014 22:51:35]
AdwCleaner[s2].txt - [3567 octets] - [15/09/2014 10:21:52]
AdwCleaner[s3].txt - [2730 octets] - [15/09/2014 11:53:40]
AdwCleaner[s4].txt - [2751 octets] - [16/09/2014 10:15:47]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s4].txt - [2811 octets] ##########
 
 
JRT log
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.5 (09.16.2014:1)
OS: Microsoft Windows XP x86
Ran by Dad on Tue 09/16/2014 at 10:25:01.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ihdkejbciahopmbagpnjmmkkdpfpaaak
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/16/2014 at 10:33:11.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
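The AdwCleaner report above shows where this hijack lived: Chrome's per-profile `preferences` file held a default search provider pointing at blekko, ask and aol, and a startup URL carrying the `fr=spigot-yhp-ch` marker. As an added example (not part of the original thread, and not code from AdwCleaner, JRT or Malwarebytes), the Python below audits a constructed Chrome Preferences JSON for entries like the ones the log deleted, reports each one with a reason, and returns a cleaned copy. The key layout (`session.startup_urls`, `default_search_provider.search_url`), the sample file and the indicator lists are assumptions modelled on the "Deleted" lines in the report, not taken from Chrome's documentation.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample of a Chrome "Preferences" file. The key layout is an
# assumption modelled on the entries AdwCleaner reported deleting above; it
# is not a dump from the poster's machine.
SAMPLE_PREFERENCES = r'''
{
  "session": {
    "restore_on_startup": 4,
    "startup_urls": [
      "http://search.yahoo.com/?type=800236&fr=spigot-yhp-ch",
      "https://www.example.com/"
    ]
  },
  "default_search_provider": {
    "enabled": true,
    "search_url": "http://blekko.com/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb&u=201203284F6844A8916D39A250EC0888&q={searchTerms}"
  }
}
'''

# Indicators lifted from the log lines in this thread: search hosts that were
# replaced without the user's choice, and query parameters whose values name a
# bundled toolbar / affiliate campaign. Extend these for your own environment.
SUSPECT_HOSTS = {"blekko.com", "www.ask.com", "search.aol.com"}
SUSPECT_QUERY_KEYS = {"toolbarid", "fr", "type"}
SUSPECT_QUERY_TOKENS = ("spigot", "toolbar")


def classify_url(url):
    """Return a human-readable reason if the URL looks like a hijacked
    search/startup entry, otherwise None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host in SUSPECT_HOSTS:
        return f"host {host} is a known search-hijack provider"
    query = parse_qs(parsed.query, keep_blank_values=True)
    for key, values in query.items():
        if key not in SUSPECT_QUERY_KEYS:
            continue
        for value in values:
            if any(tok in value.lower() for tok in SUSPECT_QUERY_TOKENS):
                return f"query parameter {key}={value} marks a bundled toolbar"
    return None


def audit_preferences(text):
    """Parse a Preferences JSON document and list (section, url, reason)
    tuples for every startup URL or default search URL that classifies as
    suspect. Missing sections are tolerated."""
    prefs = json.loads(text)
    findings = []
    for url in prefs.get("session", {}).get("startup_urls", []):
        reason = classify_url(url)
        if reason:
            findings.append(("startup_urls", url, reason))
    search_url = prefs.get("default_search_provider", {}).get("search_url")
    if search_url:
        reason = classify_url(search_url)
        if reason:
            findings.append(("default_search_provider", search_url, reason))
    return findings


def remove_flagged(text):
    """Return the parsed Preferences dict with flagged startup URLs dropped
    and a hijacked default_search_provider block removed, mirroring the
    'Deleted' lines in the AdwCleaner report. Chrome recreates a missing
    default provider from its built-in list on next start (assumption)."""
    prefs = json.loads(text)
    session = prefs.get("session", {})
    if "startup_urls" in session:
        session["startup_urls"] = [
            u for u in session["startup_urls"] if classify_url(u) is None
        ]
    dsp = prefs.get("default_search_provider", {})
    if dsp.get("search_url") and classify_url(dsp["search_url"]):
        prefs.pop("default_search_provider")
    return prefs


if __name__ == "__main__":
    for section, url, reason in audit_preferences(SAMPLE_PREFERENCES):
        print(f"[{section}] {url}\n    -> {reason}")
    print(json.dumps(remove_flagged(SAMPLE_PREFERENCES), indent=2))
```

To run this against a real profile, close Chrome first and read the `Preferences` file from the path the report lists; Chrome also integrity-checks some of these settings in a separate Secure Preferences file, so an edit made while the browser is running, or one that leaves that check unsatisfied, may be reverted on the next start. The same pattern is how a removal tool decides what to show under its "Browsers" section before asking you to click Clean.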

Great......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Security checkup log

 

Results of screen317's Security Check version 0.99.87  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 avast! Internet Security    
`````````Anti-malware/Other Utilities Check:````````` 
 CCleaner     
 Duplicate Cleaner Free 3.0.1  
 JavaFX 2.1.0    
 Java 7    
 Java 7 Update 51  
 Java version out of Date! 
 Adobe Flash Player 15.0.0.152  
 Adobe Reader XI  
 Mozilla Firefox (30.0) 
 Google Chrome 37.0.2062.103  
 Google Chrome 37.0.2062.120  
 Google Chrome Plugins...  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Exploit mbae-svc.exe   
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Malwarebytes Anti-Exploit mbae.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast afwServ.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 29% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


============================

Please uninstall these if possible:
JavaFX 2.1.0
Java™ 7


Java 7 Update 51 <---please update, should be Update 67
Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

============================

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.