
Lasaoran, Snap.Do, and perhaps a lot more plaguing my system...



I've read the topic on Piracy, but this problem wasn't my doing. Someone used my computer without my knowledge or consent and downloaded uTorrent. And with uTorrent came a payload of malware. I've tried to uninstall uTorrent and the allegedly "simple to remove and barely a threat" malware that comes with it, but at least one malware, Lasaoran, is still very present every time I start up Google Chrome. 

 

There could be any number of other malware sleeping on my computer. I ran Malwarebytes to see what it could do, but Lasaoran yet prevaileth. So what I really need to do is learn what is still on my computer and get rid of it, starting with uTorrent. I don't know if it's gone for sure. Lasaoran isn't. So I can't be sure if anything's really gone. 

 

Farbar logs are below. 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-11-2014

Ran by AFastJar (administrator) on AFASTJAR-PC on 07-11-2014 01:19:56
Running from C:\Users\AFastJar\Downloads
Loaded Profile: AFastJar (Available profiles: AFastJar)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\...\Run: [skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\...\Run: [uTorrent] => "C:\Users\AFastJar\Downloads\uTorrent.exe"  /MINIMIZED
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} 
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 64.233.222.2 64.233.222.7
 
FireFox:
========
FF ProfilePath: C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default
FF DefaultSearchEngine: Web Search
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF user.js: detected! => C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default\user.js
FF Extension: Adblock Plus - C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-21]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-10-29]
 
Chrome: 
=======
CHR HomePage: Default -> https://www.google.com/
CHR StartupUrls: Default -> "hxxp://Lasaoren.com/?f=7&a=lrn_cmi_14_45_ie&cd=2XzuyEtN2Y1L1QzutC0C0CtC0D0EyD0BtA0FzytC0D0BzytCtN0D0Tzu0StCtDyEtCtN1L2XzutAtFyCtFtCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBzz0D0C0F0Azy0AtG0C0C0BzztG0BtAyC0AtGtCyE0B0FtGyEtD0AyCtDyByB0FtA0EyEtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0DyE0Czzzy0DtDtGtBzytB0EtGyEzyyEtCtGzytCzz0FtGyBtA0E0CzzyCzztBtAtCyEtA2Q&cr=768584262&ir="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-17]
CHR Extension: (Google Drive) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-17]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-17]
CHR Extension: (YouTube) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-17]
CHR Extension: (Adblock Plus) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-08-21]
CHR Extension: (Google Search) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-17]
CHR Extension: (Skype Click to Call) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-08-20]
CHR Extension: (Google Wallet) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-17]
CHR Extension: (Gmail) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-17]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 cpuz135; \??\C:\Users\AFastJar\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-07 01:19 - 2014-11-07 01:20 - 00010757 _____ () C:\Users\AFastJar\Downloads\FRST.txt
2014-11-07 01:19 - 2014-11-07 01:19 - 00000000 ____D () C:\FRST
2014-11-07 01:17 - 2014-11-07 01:17 - 01106432 _____ (Farbar) C:\Users\AFastJar\Downloads\FRST.exe
2014-11-06 20:12 - 2014-11-06 20:13 - 00001132 _____ () C:\Users\AFastJar\Desktop\Live PC Help.lnk
2014-11-06 19:34 - 2014-11-06 20:11 - 00000000 ____D () C:\Program Files\Super Optimizer
2014-11-06 19:34 - 2014-11-06 19:34 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\AdvancedSystemProtector
2014-11-06 19:33 - 2014-11-06 20:13 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Systweak
2014-11-06 19:33 - 2014-11-06 20:12 - 00000000 ____D () C:\Program Files\Optimizer Pro
2014-11-06 19:33 - 2014-08-05 19:14 - 00018280 _____ () C:\Windows\system32\roboot.exe
2014-11-06 19:29 - 2014-11-06 19:29 - 00000064 _____ () C:\Windows\GPlrLanc.dat
2014-11-06 19:28 - 2014-11-06 19:28 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\itesing
2014-11-06 19:27 - 2014-11-07 00:11 - 00000000 ____D () C:\ProgramData\SmartOnes
2014-11-06 19:27 - 2014-11-06 19:44 - 00000000 ____D () C:\ProgramData\182826bc28fd09bc
2014-11-06 19:27 - 2014-11-06 19:44 - 00000000 ____D () C:\Program Files\SmartOnes
2014-11-06 18:45 - 2014-11-06 18:46 - 00000000 ____D () C:\Users\AFastJar\AppData\Local\Adobe
2014-11-06 12:54 - 2014-11-06 19:42 - 00000000 ____D () C:\Program Files\MagicISO
2014-11-06 12:54 - 2014-11-06 12:54 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicISO
2014-11-06 12:37 - 2014-11-06 12:37 - 00000000 ____D () C:\Program Files\predm
2014-11-06 12:27 - 2014-11-06 12:27 - 00613042 _____ (CMI Limited) C:\Users\AFastJar\AppData\Local\nsk24B0.tmp
2014-11-06 12:09 - 2014-11-06 12:09 - 00613042 _____ (CMI Limited) C:\Users\AFastJar\AppData\Local\nsi1ED6.tmp
2014-11-06 12:09 - 2014-11-06 12:09 - 00000000 __SHD () C:\Users\AFastJar\AppData\Roaming\AnyProtectEx
2014-11-06 11:56 - 2014-11-06 19:42 - 00000000 ____D () C:\Program Files\Windows 8.1 Product Key Finder Ultimate v14.05.1
2014-11-06 11:51 - 2014-11-06 12:37 - 00000005 _____ () C:\end
2014-11-06 11:46 - 2014-11-06 19:51 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\uTorrent
2014-11-03 12:15 - 2014-11-03 12:17 - 00000000 ____D () C:\Users\AFastJar\Desktop\Win 7
2014-11-03 12:10 - 2014-11-06 19:41 - 00000000 ____D () C:\Users\AFastJar\Desktop\temp
2014-11-02 20:07 - 2014-11-04 23:04 - 00001131 _____ () C:\Users\AFastJar\Desktop\Missing Custom Moves.txt
2014-10-25 21:50 - 2014-10-25 21:50 - 00005572 _____ () C:\Users\AFastJar\Desktop\Peanuts - Charlie Brown - High Quality - Shortcut.lnk
2014-10-20 20:18 - 2014-10-20 20:18 - 00000250 _____ () C:\Users\AFastJar\Downloads\playlist (1).asx
2014-10-18 13:46 - 2014-10-18 13:46 - 00000989 _____ () C:\Users\AFastJar\Desktop\Recent - Shortcut.lnk
2014-10-15 22:41 - 2014-10-16 05:24 - 00010669 _____ () C:\Users\AFastJar\Desktop\Petpage Notes.txt
2014-10-13 21:56 - 2014-10-14 21:16 - 00004232 _____ () C:\Users\AFastJar\Desktop\NoBody Blocked.html
2014-10-13 20:29 - 2014-10-13 20:29 - 00000250 _____ () C:\Users\AFastJar\Downloads\playlist.asx
2014-10-13 20:28 - 2014-10-13 20:29 - 00000144 _____ () C:\Users\AFastJar\Downloads\playlist.qtl
2014-10-09 22:30 - 2014-10-09 22:30 - 00001821 _____ () C:\Users\AFastJar\Desktop\SILVER - Shortcut.lnk
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-07 01:16 - 2010-11-20 16:01 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-07 01:15 - 2014-08-18 01:25 - 01938375 _____ () C:\Windows\WindowsUpdate.log
2014-11-07 01:13 - 2009-07-13 23:34 - 00020272 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-07 01:13 - 2009-07-13 23:34 - 00020272 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-07 00:12 - 2014-08-19 19:43 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Skype
2014-11-07 00:11 - 2014-08-17 23:18 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-07 00:11 - 2010-11-20 16:48 - 00059218 _____ () C:\Windows\PFRO.log
2014-11-07 00:11 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-07 00:11 - 2009-07-13 23:39 - 00030106 _____ () C:\Windows\setupact.log
2014-11-07 00:11 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\schemas
2014-11-06 23:29 - 2014-08-17 23:18 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-06 23:21 - 2014-08-17 23:19 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-06 19:42 - 2014-09-25 18:36 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-11-06 19:42 - 2014-09-24 21:34 - 00000000 ____D () C:\Program Files\Mozilla Firefox.bak
2014-11-06 19:42 - 2014-09-24 21:34 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-06 19:42 - 2014-08-19 19:43 - 00000000 ___RD () C:\Program Files\Skype
2014-11-06 19:42 - 2014-08-17 23:25 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-06 19:42 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\AppCompat
2014-11-06 19:41 - 2014-08-19 19:43 - 00000000 ____D () C:\ProgramData\Skype
2014-11-06 19:41 - 2011-04-11 21:24 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-11-06 19:41 - 2009-07-13 21:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-11-06 19:41 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\registration
2014-11-06 18:56 - 2014-08-21 20:46 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-06 18:55 - 2014-08-21 20:46 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-06 18:55 - 2014-08-21 20:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-06 18:55 - 2014-08-21 20:45 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-06 18:46 - 2014-08-17 23:19 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-06 18:46 - 2014-08-17 23:19 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-06 18:44 - 2014-08-17 23:04 - 00000000 ____D () C:\Users\AFastJar
2014-11-06 18:44 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-04 21:59 - 2014-08-16 23:14 - 00228134 _____ () C:\Users\AFastJar\Documents\temp.txt
2014-10-29 21:18 - 2013-06-01 20:56 - 00000000 ____D () C:\Users\AFastJar\Documents\temporary
2014-10-29 03:56 - 2014-08-16 18:31 - 00002846 _____ () C:\Users\AFastJar\Documents\Plotters Guestbook.txt
2014-10-27 21:33 - 2014-08-17 23:19 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-23 23:00 - 2014-07-22 21:36 - 00016386 _____ () C:\Users\AFastJar\Documents\MMO List.txt
2014-10-20 03:15 - 2014-09-21 13:17 - 00032472 _____ () C:\Users\AFastJar\Desktop\Defender Camp.html
2014-10-20 02:29 - 2014-08-31 22:29 - 00003778 _____ () C:\Users\AFastJar\Desktop\Temporary.txt
2014-10-12 22:54 - 2014-10-05 11:22 - 00004871 _____ () C:\Users\AFastJar\Desktop\NoBody.html
 
Some content of TEMP:
====================
C:\Users\AFastJar\AppData\Local\Temp\crdli.dll
C:\Users\AFastJar\AppData\Local\Temp\speccycpuid.dll
C:\Users\AFastJar\AppData\Local\Temp\SRLDetectionLibrary5158151834672728350.dll
C:\Users\AFastJar\AppData\Local\Temp\Windows%208.1%20Product%20Key%20Finder%20Ultimate%20v14.05.1.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-05 15:13
 
==================== End Of Log ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-11-2014

Ran by AFastJar at 2014-11-07 01:20:53
Running from C:\Users\AFastJar\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
I.d.l.e  C.r.a.w.l.e.r (HKLM\...\I.d.l.e  C.r.a.w.l.e.r) (Version: 100.0.0.447 - MILE 27 LTD)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
qBittorrent 3.1.9.2 (HKLM\...\qbittorrent) (Version: 3.1.9.2 - The qBittorrent project)
Skype Click to Call (HKLM\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 6.20 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System Requirements Lab CYRI (HKLM\...\{19B0831B-0C18-4103-86E4-90FCD04CD3B9}) (Version: 6.0.12.5 - Husdawg, LLC)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
31-10-2014 11:00:51 Scheduled Checkpoint
07-11-2014 00:36:31 Restore Operation
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {04CD32A0-83A0-4525-B509-CE2C2D1A8865} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-08-17] (Google Inc.)
Task: {14C8081E-C13F-48A9-B2FF-761D1EEC11BA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-08-17] (Google Inc.)
Task: {45A7EC35-501F-4527-9FAF-50EB250CC8BC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-06] (Adobe Systems Incorporated)
Task: {6C757C2E-B482-4BFB-A814-D1609A11E183} - System32\Tasks\{1F77234B-8E86-4AAA-9065-4B6FAB4D5E0E} => Iexplore.exe http://ui.skype.com/ui/0/6.18.0.106/en/abandoninstall?source=lightinstaller&page=tsPlugin
Task: {E4225DA9-5910-464E-A460-E049FDBB7B9F} - \Microsoft\Windows\Maintenance\IC Update Procedure No Task File <==== ATTENTION
Task: {EC97A68B-EFEF-41E0-81AF-6773BE666BFD} - \IC Runner Procedure No Task File <==== ATTENTION
Task: {FA3A16A5-408E-4D28-9826-AD7BD2EACB53} - \ASP No Task File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-10-27 21:32 - 2014-10-21 23:04 - 08910664 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll
2014-10-27 21:32 - 2014-10-21 23:04 - 01681224 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\ffmpegsumo.dll
2014-08-18 00:12 - 2014-02-10 12:44 - 04592128 _____ () C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2014-08-18 00:12 - 2014-02-10 12:44 - 00112128 _____ () C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-3882845266-2567279142-2214949279-500 - Administrator - Disabled)
AFastJar (S-1-5-21-3882845266-2567279142-2214949279-1001 - Administrator - Enabled) => C:\Users\AFastJar
Guest (S-1-5-21-3882845266-2567279142-2214949279-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3882845266-2567279142-2214949279-1002 - Limited - Enabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/07/2014 00:12:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/06/2014 11:18:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 31.0.1650.63, time stamp: 0x53ccf06b
Faulting module name: chrome.dll, version: 31.0.1650.63, time stamp: 0x53ccea0a
Exception code: 0x80000003
Fault offset: 0x00021880
Faulting process id: 0x11f4
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
 
Error: (11/06/2014 07:48:20 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: AFastJar-PC)
Description: Application or service 'linmsl' could not be shut down.
 
Error: (11/06/2014 07:40:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program SuperOptimizer.exe version 3.2.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 163c
 
Start Time: 01cffa23422e73e9
 
Termination Time: 59
 
Application Path: C:\Program Files\Super Optimizer\SuperOptimizer.exe
 
Report Id:
 
Error: (11/06/2014 07:39:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17239, time stamp: 0x53d22946
Faulting module name: CommonSharebho.dll, version: 1.0.0.3, time stamp: 0x544206e5
Exception code: 0xc0000005
Fault offset: 0x00003421
Faulting process id: 0x16d0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
 
Error: (11/06/2014 07:29:34 PM) (Source: Application on Demand - GPlayer) (EventID: 0) (User: )
Description: ALoggerFileCyclic:  Failed to delete an old log file Last error code: 32
 
Type:    
    ERROR
Location:
    ::(0) : error 0: 
Computer:
    Id: 0, Name:Null
 
Error: (11/06/2014 06:45:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/06/2014 04:12:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/06/2014 00:42:44 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: AFastJar-PC)
Description: Application or service 'linmsl' could not be shut down.
 
Error: (11/06/2014 00:34:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (11/06/2014 08:13:21 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Update CommonShare service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
Error: (11/06/2014 08:09:06 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer LILITHMARION-HP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{420CBDEE-3015-4A08-A828-35.
The master browser is stopping or an election is being forced.
 
Error: (11/06/2014 07:59:01 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.0.5.
The computer with the IP address 192.168.0.3 did not allow the name to be claimed by
this computer.
 
Error: (11/06/2014 07:57:01 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer LILITHMARION-HP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{420CBDEE-3015-4A08-A828-35.
The master browser is stopping or an election is being forced.
 
Error: (11/06/2014 07:45:03 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer LILITHMARION-HP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{420CBDEE-3015-4A08-A828-35.
The master browser is stopping or an election is being forced.
 
Error: (11/06/2014 07:30:11 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer LILITHMARION-HP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{420CBDEE-3015-4A08-A828-35.
The master browser is stopping or an election is being forced.
 
Error: (11/06/2014 07:26:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PastaQuotes service failed to start due to the following error: 
%%1053
 
Error: (11/06/2014 07:26:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the PastaQuotes service to connect.
 
Error: (11/06/2014 06:59:22 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer LILITHMARION-HP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{420CBDEE-3015-4A08-A828-35.
The master browser is stopping or an election is being forced.
 
Error: (11/06/2014 06:47:20 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer LILITHMARION-HP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{420CBDEE-3015-4A08-A828-35.
The master browser is stopping or an election is being forced.
 
 
Microsoft Office Sessions:
=========================
Error: (11/07/2014 00:12:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/06/2014 11:18:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe31.0.1650.6353ccf06bchrome.dll31.0.1650.6353ccea0a800000030002188011f401cffa40dd199915C:\Users\AFastJar\AppData\Local\IDLECR~1.R\CHROME~1\chrome.exeC:\Users\AFastJar\AppData\Local\IDLECR~1.R\CHROME~1\chrome.dll0f5c5648-6635-11e4-967e-1cc1de5b3f91
 
Error: (11/06/2014 07:48:20 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: AFastJar-PC)
Description: 1C:\Program Files\LPT\linmsl.exelinmsl0511756600
 
Error: (11/06/2014 07:40:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: SuperOptimizer.exe3.2.0.0163c01cffa23422e73e959C:\Program Files\Super Optimizer\SuperOptimizer.exe
 
Error: (11/06/2014 07:39:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.1723953d22946CommonSharebho.dll1.0.0.3544206e5c00000050000342116d001cffa233f0802f7C:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\CommonShare\CommonSharebho.dll88c2c9ca-6616-11e4-967e-1cc1de5b3f91
 
Error: (11/06/2014 07:29:34 PM) (Source: Application on Demand - GPlayer) (EventID: 0) (User: )
Description: ALoggerFileCyclic:  Failed to delete an old log file Last error code: 32
 
Type:    
    ERROR
Location:
    ::(0) : error 0: 
Computer:
    Id: 0, Name:Null
 
Error: (11/06/2014 06:45:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/06/2014 04:12:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/06/2014 00:42:44 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: AFastJar-PC)
Description: 1C:\Program Files\LPT\linmsl.exelinmsl0511739480
 
Error: (11/06/2014 00:34:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
==================== Memory info =========================== 
 
Processor: AMD Sempron 145 Processor
Percentage of memory in use: 48%
Total physical RAM: 1789.39 MB
Available physical RAM: 916.74 MB
Total Pagefile: 3578.78 MB
Available Pagefile: 2520.74 MB
Total Virtual: 2047.88 MB
Available Virtual: 1912.93 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:149.05 GB) (Free:21.65 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 9767EF6D)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

 


Hello Jastafar, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please back up important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page. 
     

======================================================
 
Acknowledged what you said in regards to uTorrent. Step 1 will remove this programme, so you do not need to worry about the general P2P/Piracy notice. This is a standard notice, given to all users. 
 
STEP 1
Revo Uninstaller

  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run the programme. 
  • From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.
    • I.d.l.e  C.r.a.w.l.e.r
    • qBittorrent 3.1.9.2
  • Double-click the programme. 
  • When prompted if you want to uninstall click Yes.
  • Ensure the Moderate option is selected and click Next.
  • The programme uninstaller will run. If prompted again click Yes.
  • Work your way through the uninstaller, ensuring you read each page thoroughly.
  • Note: Ensure you decline offers of additional software if applicable. 
  • Once the built-in uninstaller is finished click Next.
  • Once the programme has searched for leftovers click Next.
  • Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.
  • When prompted click Yes, followed by Next.
  • Click Select all, followed by Delete.
  • When prompted click Yes, followed by Next.
  • Once done click Finish.
     

STEP 2
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\...\Run: [uTorrent] => "C:\Users\AFastJar\Downloads\uTorrent.exe"  /MINIMIZED
    C:\Users\AFastJar\Downloads\uTorrent.exe
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.c...q={searchTerms}
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://feed.snapdo.c...9S8d0QjF8iJcqiw,
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.c...q={searchTerms}
    HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKLM - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
    SearchScopes: HKLM - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
    SearchScopes: HKCU - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
    SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
    SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com...rchTerms}&SSPV=
    FF DefaultSearchEngine: Web Search
    CHR StartupUrls: Default -> "hxxp://Lasaoren.com/?f=7&a=lrn_cmi_14_45_ie&cd=2XzuyEtN2Y1L1QzutC0C0CtC0D0EyD0BtA0FzytC0D0BzytCtN0D0Tzu0StCtDyEtCtN1L2XzutAtFyCtFtCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBzz0D0C0F0Azy0AtG0C0C0BzztG0BtAyC0AtGtCyE0B0FtGyEtD0AyCtDyByB0FtA0EyEtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0DyE0Czzzy0DtDtGtBzytB0EtGyEzyyEtCtGzytCzz0FtGyBtA0E0CzzyCzztBtAtCyEtA2Q&cr=768584262&ir="
    S3 cpuz135; \??\C:\Users\AFastJar\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    2014-11-06 20:12 - 2014-11-06 20:13 - 00001132 _____ () C:\Users\AFastJar\Desktop\Live PC Help.lnk
    2014-11-06 19:34 - 2014-11-06 20:11 - 00000000 ____D () C:\Program Files\Super Optimizer
    2014-11-06 19:34 - 2014-11-06 19:34 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\AdvancedSystemProtector
    2014-11-06 19:33 - 2014-11-06 20:13 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Systweak
    2014-11-06 19:33 - 2014-11-06 20:12 - 00000000 ____D () C:\Program Files\Optimizer Pro
    2014-11-06 19:33 - 2014-08-05 19:14 - 00018280 _____ () C:\Windows\system32\roboot.exe
    C:\Program Files\Super Optimizer
    2014-11-06 19:29 - 2014-11-06 19:29 - 00000064 _____ () C:\Windows\GPlrLanc.dat
    2014-11-06 19:28 - 2014-11-06 19:28 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\itesing
    2014-11-06 19:27 - 2014-11-07 00:11 - 00000000 ____D () C:\ProgramData\SmartOnes
    2014-11-06 19:27 - 2014-11-06 19:44 - 00000000 ____D () C:\ProgramData\182826bc28fd09bc
    2014-11-06 19:27 - 2014-11-06 19:44 - 00000000 ____D () C:\Program Files\SmartOnes
    2014-11-06 11:51 - 2014-11-06 12:37 - 00000005 _____ () C:\end
    2014-11-06 11:46 - 2014-11-06 19:51 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\uTorrent
    2014-11-06 12:09 - 2014-11-06 12:09 - 00000000 __SHD () C:\Users\AFastJar\AppData\Roaming\AnyProtectEx
    2014-11-06 12:27 - 2014-11-06 12:27 - 00613042 _____ (CMI Limited) C:\Users\AFastJar\AppData\Local\nsk24B0.tmp
    2014-11-06 12:09 - 2014-11-06 12:09 - 00613042 _____ (CMI Limited) C:\Users\AFastJar\AppData\Local\nsi1ED6.tmp
    C:\Users\AFastJar\AppData\Local\Temp\crdli.dll
    C:\Users\AFastJar\AppData\Local\Temp\speccycpuid.dll
    C:\Users\AFastJar\AppData\Local\Temp\SRLDetectionLibrary5158151834672728350.dll
    C:\Users\AFastJar\AppData\Local\Temp\Windows%208.1%20Product%20Key%20Finder%20Ultimate%20v14.05.1.exe
    2014-11-06 12:37 - 2014-11-06 12:37 - 00000000 ____D () C:\Program Files\predm
    Task: {E4225DA9-5910-464E-A460-E049FDBB7B9F} - \Microsoft\Windows\Maintenance\IC Update Procedure No Task File <==== ATTENTION
    Task: {EC97A68B-EFEF-41E0-81AF-6773BE666BFD} - \IC Runner Procedure No Task File <==== ATTENTION
    Task: {FA3A16A5-408E-4D28-9826-AD7BD2EACB53} - \ASP No Task File <==== ATTENTION
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 4
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did the programmes uninstall OK?
  • Fixlog.txt
  • AdwCleaner[s0].txt
  • JRT.txt
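The fixlist in Step 2 is assembled by hand from the lines FRST flagged. As an added example that is not code from this thread, from FRST or from Malwarebytes, the Python script below applies the same triage rules to FRST log lines: it flags browser search and start-page settings whose host is not on an allow-list, services and scheduled tasks whose file is missing, and anything FRST itself tagged with ATTENTION, then emits the hits in fixlist form. The allow-list, the function names and the shortened sample log are constructed for the example; the sample lines mirror entries from the log posted above.

```python
"""FRST log triage: flag the entries a helper would paste into a fixlist.

Added example, not code from the thread, from FRST or from Malwarebytes.
Rules: browser search/start-page settings whose host is not on an
allow-list, services and scheduled tasks whose file is missing, and
anything FRST tags with ATTENTION. Allow-list, names and sample log are
constructed for this example.
"""
import re
from collections import Counter

# Constructed allow-list: hosts a clean profile may legitimately point at.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "go.microsoft.com"}

# FRST defangs some URLs as hxxp://, and forum pasting elides long URLs with
# "...", so only the host part is captured and anything after "..." is dropped.
URL_RE = re.compile(r"(?:hxxp|http)s?://([A-Za-z0-9.-]+)")
# Service/driver entry whose file is missing, e.g. "S3 cpuz135; \??\C:\...\x.sys [X]"
SERVICE_MISSING_RE = re.compile(r"^[SRU]\d\s+([^;]+);.*\[X\]\s*$")
# Scheduled task still registered in the TaskCache but with no task file behind it.
TASK_MISSING_RE = re.compile(r"^Task:\s*\{[0-9A-Fa-f-]{36}\}\s*-\s*(.+?)\s+No Task File")
# Browser settings whose URL is checked against the allow-list.
SETTING_RE = re.compile(
    r"^(?:SearchScopes:|HKCU\\Software\\Microsoft\\Internet Explorer\\Main,"
    r"|CHR (?:HomePage|StartupUrls|DefaultSearchURL):|FF (?:Homepage|DefaultSearchEngine):)"
)


def search_hosts(line):
    """Lower-cased host of every URL on the line, with forum elision stripped."""
    return [h.split("...")[0].rstrip(".").lower() for h in URL_RE.findall(line)]


def triage_line(line):
    """Return (kind, reason) for a suspicious FRST line, or None when it looks clean."""
    line = line.strip()
    if not line:
        return None
    if "ATTENTION" in line:  # FRST's own marker for entries needing review
        m = TASK_MISSING_RE.match(line)
        if m:
            return "task", f"scheduled task {m.group(1)} has no task file"
        return "flagged", "FRST marked this entry with ATTENTION"
    m = SERVICE_MISSING_RE.match(line)
    if m:
        return "service", f"service {m.group(1).strip()} points at a missing file"
    if SETTING_RE.match(line):
        for host in search_hosts(line):
            if host not in TRUSTED_SEARCH_HOSTS:
                return "hijack", f"browser setting points at untrusted host {host}"
    return None


def triage(lines):
    """List of (kind, reason, original line) for every suspicious line."""
    findings = []
    for line in lines:
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


def summarize(findings):
    """Count of findings per kind, e.g. {'hijack': 3, 'service': 1}."""
    return dict(Counter(kind for kind, _, _ in findings))


def to_fixlist(findings):
    """FRST fixlist form: the flagged lines verbatim between 'start' and 'end'.
    Only meaningful for the machine whose own log was triaged."""
    return ["start"] + [line for _, _, line in findings] + ["end"]


# Constructed sample: lines taken from the thread's FRST log (Lasaoren URL shortened).
SAMPLE_LOG = r"""
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\...\Run: [skype] => C:\Program Files\Skype\Phone\Skype.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.c...q={searchTerms}
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
CHR HomePage: Default -> https://www.google.com/
CHR StartupUrls: Default -> "hxxp://Lasaoren.com/?f=7&a=lrn_cmi_14_45_ie&cr=768584262&ir="
S3 cpuz135; \??\C:\Users\AFastJar\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [X]
Task: {E4225DA9-5910-464E-A460-E049FDBB7B9F} - \Microsoft\Windows\Maintenance\IC Update Procedure No Task File <==== ATTENTION
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.strip().splitlines())
    for kind, reason, line in found:
        print(f"[{kind:8}] {reason}\n           {line}")
    print(summarize(found))
    print("\n".join(to_fixlist(found)))
```

The Skype Run entry and the Google home page in the sample pass untouched, which is the point of the allow-list: the script narrows a long FRST log to the handful of lines worth a human look rather than deciding anything on its own.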

Still in the middle of your instructions. A couple of things: I ran into a snag with Revo Uninstaller. The uninstall program for Idle Crawler couldn't be run; I don't know if MalwareBytes deleted it or what. I've attached a screenshot to show you what I saw. 

 

Second, I'm currently at the AdwCleaner step. I don't know if any of this is legitimate because I don't regularly go over registry keys, so I'm not sure how safe it is to delete just everything found. There are some things I recognize to be malware though. 



Alright, all are done. Posting the logs now. One thing though: when I first ran AdwCleaner, there were more things in it, several registry keys. The second time, there was nothing under Registry. I'm not sure if someone did something without my knowledge. AdwCleaner[s0].txt is posted below, containing the original stuff; the newer log with less stuff, S1, is the most recent one, though, and the one that I cleaned with.

 

Did the programs uninstall okay? I'm not sure; as you know, we ran into a snag with Revo. But here are the logs now, in order of your request. 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-11-2014
Ran by AFastJar at 2014-11-07 10:43:43 Run:1
Running from C:\Users\AFastJar\Downloads
Loaded Profile: AFastJar (Available profiles: AFastJar)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\...\Run: [uTorrent] => "C:\Users\AFastJar\Downloads\uTorrent.exe"  /MINIMIZED
C:\Users\AFastJar\Downloads\uTorrent.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.c...q={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://feed.snapdo.c...9S8d0QjF8iJcqiw,
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.c...q={searchTerms}
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
SearchScopes: HKLM - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
SearchScopes: HKCU - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.c...q={searchTerms}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com...rchTerms}&SSPV=
FF DefaultSearchEngine: Web Search
CHR StartupUrls: Default -> "hxxp://Lasaoren.com/?f=7&a=lrn_cmi_14_45_ie&cd=2XzuyEtN2Y1L1QzutC0C0CtC0D0EyD0BtA0FzytC0D0BzytCtN0D0Tzu0StCtDyEtCtN1L2XzutAtFyCtFtCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBzz0D0C0F0Azy0AtG0C0C0BzztG0BtAyC0AtGtCyE0B0FtGyEtD0AyCtDyByB0FtA0EyEtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0DyE0Czzzy0DtDtGtBzytB0EtGyEzyyEtCtGzytCzz0FtGyBtA0E0CzzyCzztBtAtCyEtA2Q&cr=768584262&ir="
S3 cpuz135; \??\C:\Users\AFastJar\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2014-11-06 20:12 - 2014-11-06 20:13 - 00001132 _____ () C:\Users\AFastJar\Desktop\Live PC Help.lnk
2014-11-06 19:34 - 2014-11-06 20:11 - 00000000 ____D () C:\Program Files\Super Optimizer
2014-11-06 19:34 - 2014-11-06 19:34 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\AdvancedSystemProtector
2014-11-06 19:33 - 2014-11-06 20:13 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Systweak
2014-11-06 19:33 - 2014-11-06 20:12 - 00000000 ____D () C:\Program Files\Optimizer Pro
2014-11-06 19:33 - 2014-08-05 19:14 - 00018280 _____ () C:\Windows\system32\roboot.exe
C:\Program Files\Super Optimizer
2014-11-06 19:29 - 2014-11-06 19:29 - 00000064 _____ () C:\Windows\GPlrLanc.dat
2014-11-06 19:28 - 2014-11-06 19:28 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\itesing
2014-11-06 19:27 - 2014-11-07 00:11 - 00000000 ____D () C:\ProgramData\SmartOnes
2014-11-06 19:27 - 2014-11-06 19:44 - 00000000 ____D () C:\ProgramData\182826bc28fd09bc
2014-11-06 19:27 - 2014-11-06 19:44 - 00000000 ____D () C:\Program Files\SmartOnes
2014-11-06 11:51 - 2014-11-06 12:37 - 00000005 _____ () C:\end
2014-11-06 11:46 - 2014-11-06 19:51 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\uTorrent
2014-11-06 12:09 - 2014-11-06 12:09 - 00000000 __SHD () C:\Users\AFastJar\AppData\Roaming\AnyProtectEx
2014-11-06 12:27 - 2014-11-06 12:27 - 00613042 _____ (CMI Limited) C:\Users\AFastJar\AppData\Local\nsk24B0.tmp
2014-11-06 12:09 - 2014-11-06 12:09 - 00613042 _____ (CMI Limited) C:\Users\AFastJar\AppData\Local\nsi1ED6.tmp
C:\Users\AFastJar\AppData\Local\Temp\crdli.dll
C:\Users\AFastJar\AppData\Local\Temp\speccycpuid.dll
C:\Users\AFastJar\AppData\Local\Temp\SRLDetectionLibrary5158151834672728350.dll
C:\Users\AFastJar\AppData\Local\Temp\Windows%208.1%20Product%20Key%20Finder%20Ultimate%20v14.05.1.exe
2014-11-06 12:37 - 2014-11-06 12:37 - 00000000 ____D () C:\Program Files\predm
Task: {E4225DA9-5910-464E-A460-E049FDBB7B9F} - \Microsoft\Windows\Maintenance\IC Update Procedure No Task File <==== ATTENTION
Task: {EC97A68B-EFEF-41E0-81AF-6773BE666BFD} - \IC Runner Procedure No Task File <==== ATTENTION
Task: {FA3A16A5-408E-4D28-9826-AD7BD2EACB53} - \ASP No Task File <==== ATTENTION
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************
 
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\Software\Microsoft\Windows\CurrentVersion\Run\\uTorrent => value deleted successfully.
"C:\Users\AFastJar\Downloads\uTorrent.exe" => File/Directory not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
"HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key deleted successfully.
"HKCR\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key deleted successfully.
"HKCR\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => Key deleted successfully.
"HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => Key not found.
Firefox DefaultSearchEngine deleted successfully.
Chrome StartupUrls deleted successfully.
cpuz135 => Service deleted successfully.
VGPU => Service deleted successfully.
C:\Users\AFastJar\Desktop\Live PC Help.lnk => Moved successfully.
C:\Program Files\Super Optimizer => Moved successfully.
C:\Users\AFastJar\AppData\Roaming\AdvancedSystemProtector => Moved successfully.
C:\Users\AFastJar\AppData\Roaming\Systweak => Moved successfully.
C:\Program Files\Optimizer Pro => Moved successfully.
C:\Windows\system32\roboot.exe => Moved successfully.
"C:\Program Files\Super Optimizer" => File/Directory not found.
C:\Windows\GPlrLanc.dat => Moved successfully.
C:\Users\AFastJar\AppData\Roaming\itesing => Moved successfully.
C:\ProgramData\SmartOnes => Moved successfully.
C:\ProgramData\182826bc28fd09bc => Moved successfully.
C:\Program Files\SmartOnes => Moved successfully.
C:\end => Moved successfully.
C:\Users\AFastJar\AppData\Roaming\uTorrent => Moved successfully.
C:\Users\AFastJar\AppData\Roaming\AnyProtectEx => Moved successfully.
C:\Users\AFastJar\AppData\Local\nsk24B0.tmp => Moved successfully.
C:\Users\AFastJar\AppData\Local\nsi1ED6.tmp => Moved successfully.
C:\Users\AFastJar\AppData\Local\Temp\crdli.dll => Moved successfully.
C:\Users\AFastJar\AppData\Local\Temp\speccycpuid.dll => Moved successfully.
C:\Users\AFastJar\AppData\Local\Temp\SRLDetectionLibrary5158151834672728350.dll => Moved successfully.
C:\Users\AFastJar\AppData\Local\Temp\Windows%208.1%20Product%20Key%20Finder%20Ultimate%20v14.05.1.exe => Moved successfully.
C:\Program Files\predm => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E4225DA9-5910-464E-A460-E049FDBB7B9F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4225DA9-5910-464E-A460-E049FDBB7B9F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\IC Update Procedure" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EC97A68B-EFEF-41E0-81AF-6773BE666BFD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EC97A68B-EFEF-41E0-81AF-6773BE666BFD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IC Runner Procedure" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FA3A16A5-408E-4D28-9826-AD7BD2EACB53}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA3A16A5-408E-4D28-9826-AD7BD2EACB53}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASP" => Key deleted successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Reseting Interface, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
EmptyTemp: => Removed 4.8 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
 
# AdwCleaner v3.311 - Report created 07/11/2014 at 13:46:16
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : AFastJar - AFASTJAR-PC
# Running from : C:\Users\AFastJar\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default\user.js
File Deleted : C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_adultcatfinder.com_0.localstorage
File Deleted : C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_lyrics.wikia.com_0.localstorage
File Deleted : C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
File Deleted : C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage
File Deleted : C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsmode.com_0.localstorage
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\superfish.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\TutoTag
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\SOFTWARE\NpApp
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\Tutorials
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17239
 
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [searchAssistant]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default]
 
-\\ Mozilla Firefox v33.0.3 (x86 en-US)
 
[ File : C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default\prefs.js ]
 
Line Deleted : user_pref("extensions.yxbYiBrrizXWQwkL.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"warnalert11.com\")>-1||url.indexOf(\[...]
 
-\\ Google Chrome v38.0.2125.111
 
[ File : C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4356 octets] - [07/11/2014 10:58:22]
AdwCleaner[s0].txt - [3518 octets] - [07/11/2014 13:46:16]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3578 octets] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.6 (11.05.2014:1)
OS: Windows 7 Ultimate x86
Ran by AFastJar on Fri 11/07/2014 at 20:17:07.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\AFastJar\AppData\Roaming\mozilla\firefox\profiles\al6ew212.default\prefs.js
 
user_pref("extensions.yxbYiBrrizXWQwkL.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"warnalert11
Emptied folder: C:\Users\AFastJar\AppData\Roaming\mozilla\firefox\profiles\al6ew212.default\minidumps [34 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/07/2014 at 20:18:25.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

OK, that's fine. 

Let's have a look for Idle Crawler. 

 

SystemLook

  • Please download SystemLook (x32) and save the file to your Desktop.
  • Right-Click SystemLook.exe and select Run as administrator to run the programme.
  • Copy the entire contents of the codebox below and paste into the textfield.
    :filefind
    *MILE 27*
    *I.d.l.e  C.r.a.w.l.e.r*
    *Idle Crawler*
    :folderfind
    *MILE 27*
    *I.d.l.e  C.r.a.w.l.e.r*
    *Idle Crawler*
    :regfind
    MILE 27
    I.d.l.e  C.r.a.w.l.e.r
    Idle Crawler
  • Click the Look button to start the scan.
  • Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
  • Click the button to close the programme. 

Here it is, just finished it. It was just the one result. 

SystemLook 30.07.11 by jpshortstuff
Log created at 23:12 on 07/11/2014 by AFastJar
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "*MILE 27*"
No files found.
 
Searching for "*I.d.l.e  C.r.a.w.l.e.r*"
No files found.
 
Searching for "*Idle Crawler*"
No files found.
 
========== folderfind ==========
 
Searching for "*MILE 27*"
No folders found.
 
Searching for "*I.d.l.e  C.r.a.w.l.e.r*"
No folders found.
 
Searching for "*Idle Crawler*"
No folders found.
 
========== regfind ==========
 
Searching for "MILE 27"
No data found.
 
Searching for "I.d.l.e  C.r.a.w.l.e.r"
[HKEY_LOCAL_MACHINE\SOFTWARE\GigaClicks]
"AppName"="I.d.l.e  C.r.a.w.l.e.r"
 
Searching for "Idle Crawler"
No data found.
 
-= EOF =-

Strange. I was expecting to see more. 

Let's take another look.

 

Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 

Here are the logs, sir. Firefox still has ads from SmartOnes; not sure if these logs show evidence of that.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-11-2014
Ran by AFastJar (administrator) on AFASTJAR-PC on 07-11-2014 23:44:40
Running from C:\Users\AFastJar\Downloads
Loaded Profile: AFastJar (Available profiles: AFastJar)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_15_0_0_189.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_15_0_0_189.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKU\S-1-5-21-3882845266-2567279142-2214949279-1001\...\Run: [skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} 
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 64.233.222.2 64.233.222.7
 
FireFox:
========
FF ProfilePath: C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Extension: SmartOnes - C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default\Extensions\SV@7.edu [2014-11-07]
FF Extension: Adblock Plus - C:\Users\AFastJar\AppData\Roaming\Mozilla\Firefox\Profiles\al6ew212.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-21]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-10-29]
 
Chrome: 
=======
CHR HomePage: Default -> https://www.google.com/
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-17]
CHR Extension: (Google Drive) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-17]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-17]
CHR Extension: (YouTube) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-17]
CHR Extension: (Adblock Plus) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-08-21]
CHR Extension: (Google Search) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-17]
CHR Extension: (Skype Click to Call) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-08-20]
CHR Extension: (Google Wallet) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-17]
CHR Extension: (Gmail) - C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-17]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-07 23:12 - 2014-11-07 23:20 - 00001540 _____ () C:\Users\AFastJar\Desktop\SystemLook.txt
2014-11-07 23:11 - 2014-11-07 23:11 - 00139264 _____ () C:\Users\AFastJar\Desktop\SystemLook.exe
2014-11-07 20:18 - 2014-11-07 20:18 - 00001072 _____ () C:\Users\AFastJar\Desktop\JRT.txt
2014-11-07 20:17 - 2014-11-07 20:17 - 00000000 ____D () C:\Windows\ERUNT
2014-11-07 20:16 - 2014-11-07 20:16 - 01706939 _____ (Thisisu) C:\Users\AFastJar\Desktop\JRT.exe
2014-11-07 10:58 - 2014-11-07 20:08 - 00000000 ____D () C:\AdwCleaner
2014-11-07 10:58 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-11-07 10:57 - 2014-11-07 10:57 - 01375089 _____ () C:\Users\AFastJar\Desktop\AdwCleaner.exe
2014-11-07 10:25 - 2014-11-07 10:25 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\AFastJar\Downloads\revosetup.exe
2014-11-07 10:25 - 2014-11-07 10:25 - 00001226 _____ () C:\Users\AFastJar\Desktop\Revo Uninstaller.lnk
2014-11-07 10:25 - 2014-11-07 10:25 - 00000000 ____D () C:\Program Files\VS Revo Group
2014-11-07 09:08 - 2014-11-07 09:08 - 00000181 _____ () C:\Users\AFastJar\Desktop\Missing Hats.txt
2014-11-07 01:20 - 2014-11-07 01:21 - 00016262 _____ () C:\Users\AFastJar\Downloads\Addition.txt
2014-11-07 01:19 - 2014-11-07 23:45 - 00007768 _____ () C:\Users\AFastJar\Downloads\FRST.txt
2014-11-07 01:19 - 2014-11-07 23:44 - 00000000 ____D () C:\FRST
2014-11-07 01:17 - 2014-11-07 01:17 - 01106432 _____ (Farbar) C:\Users\AFastJar\Downloads\FRST.exe
2014-11-06 18:45 - 2014-11-06 18:46 - 00000000 ____D () C:\Users\AFastJar\AppData\Local\Adobe
2014-11-06 12:54 - 2014-11-06 19:42 - 00000000 ____D () C:\Program Files\MagicISO
2014-11-06 12:54 - 2014-11-06 12:54 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicISO
2014-11-06 11:56 - 2014-11-06 19:42 - 00000000 ____D () C:\Program Files\Windows 8.1 Product Key Finder Ultimate v14.05.1
2014-11-03 12:15 - 2014-11-03 12:17 - 00000000 ____D () C:\Users\AFastJar\Desktop\Win 7
2014-11-03 12:10 - 2014-11-06 19:41 - 00000000 ____D () C:\Users\AFastJar\Desktop\temp
2014-11-02 20:07 - 2014-11-04 23:04 - 00001131 _____ () C:\Users\AFastJar\Desktop\Missing Custom Moves.txt
2014-10-25 21:50 - 2014-10-25 21:50 - 00005572 _____ () C:\Users\AFastJar\Desktop\Peanuts - Charlie Brown - High Quality - Shortcut.lnk
2014-10-20 20:18 - 2014-10-20 20:18 - 00000250 _____ () C:\Users\AFastJar\Downloads\playlist (1).asx
2014-10-18 13:46 - 2014-10-18 13:46 - 00000989 _____ () C:\Users\AFastJar\Desktop\Recent - Shortcut.lnk
2014-10-15 22:41 - 2014-10-16 05:24 - 00010669 _____ () C:\Users\AFastJar\Desktop\Petpage Notes.txt
2014-10-13 21:56 - 2014-10-14 21:16 - 00004232 _____ () C:\Users\AFastJar\Desktop\NoBody Blocked.html
2014-10-13 20:29 - 2014-10-13 20:29 - 00000250 _____ () C:\Users\AFastJar\Downloads\playlist.asx
2014-10-13 20:28 - 2014-10-13 20:29 - 00000144 _____ () C:\Users\AFastJar\Downloads\playlist.qtl
2014-10-09 22:30 - 2014-10-09 22:30 - 00001821 _____ () C:\Users\AFastJar\Desktop\SILVER - Shortcut.lnk
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-07 23:45 - 2014-08-19 19:43 - 00000000 ____D () C:\Users\AFastJar\AppData\Roaming\Skype
2014-11-07 23:29 - 2014-08-17 23:18 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-07 23:21 - 2014-08-17 23:19 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-07 21:51 - 2009-07-13 23:39 - 00030386 _____ () C:\Windows\setupact.log
2014-11-07 20:16 - 2009-07-13 23:34 - 00020272 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-07 20:16 - 2009-07-13 23:34 - 00020272 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-07 20:12 - 2014-08-18 01:25 - 02038376 _____ () C:\Windows\WindowsUpdate.log
2014-11-07 20:09 - 2014-08-17 23:18 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-07 20:09 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-07 20:08 - 2010-11-20 16:48 - 00060194 _____ () C:\Windows\PFRO.log
2014-11-07 10:51 - 2014-08-17 23:25 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-07 10:18 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-11-07 02:48 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-11-07 01:34 - 2014-09-24 21:34 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-07 01:34 - 2014-08-17 23:25 - 00001121 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-11-07 01:34 - 2014-08-17 23:25 - 00001109 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-11-07 01:16 - 2010-11-20 16:01 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-07 00:11 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\schemas
2014-11-06 19:42 - 2014-09-25 18:36 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-11-06 19:42 - 2014-09-24 21:34 - 00000000 ____D () C:\Program Files\Mozilla Firefox.bak
2014-11-06 19:42 - 2014-08-19 19:43 - 00000000 ___RD () C:\Program Files\Skype
2014-11-06 19:42 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\AppCompat
2014-11-06 19:41 - 2014-08-19 19:43 - 00000000 ____D () C:\ProgramData\Skype
2014-11-06 19:41 - 2011-04-11 21:24 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-11-06 19:41 - 2009-07-13 21:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-11-06 19:41 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\registration
2014-11-06 18:56 - 2014-08-21 20:46 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-06 18:55 - 2014-08-21 20:46 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-06 18:55 - 2014-08-21 20:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-06 18:55 - 2014-08-21 20:45 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-06 18:46 - 2014-08-17 23:19 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-06 18:46 - 2014-08-17 23:19 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-06 18:44 - 2014-08-17 23:04 - 00000000 ____D () C:\Users\AFastJar
2014-11-06 18:44 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-04 21:59 - 2014-08-16 23:14 - 00228134 _____ () C:\Users\AFastJar\Documents\temp.txt
2014-10-29 21:18 - 2013-06-01 20:56 - 00000000 ____D () C:\Users\AFastJar\Documents\temporary
2014-10-29 03:56 - 2014-08-16 18:31 - 00002846 _____ () C:\Users\AFastJar\Documents\Plotters Guestbook.txt
2014-10-27 21:33 - 2014-08-17 23:19 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-23 23:00 - 2014-07-22 21:36 - 00016386 _____ () C:\Users\AFastJar\Documents\MMO List.txt
2014-10-20 03:15 - 2014-09-21 13:17 - 00032472 _____ () C:\Users\AFastJar\Desktop\Defender Camp.html
2014-10-20 02:29 - 2014-08-31 22:29 - 00003778 _____ () C:\Users\AFastJar\Desktop\Temporary.txt
2014-10-12 22:54 - 2014-10-05 11:22 - 00004871 _____ () C:\Users\AFastJar\Desktop\NoBody.html
 
Some content of TEMP:
====================
C:\Users\AFastJar\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-05 15:13
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-11-2014
Ran by AFastJar at 2014-11-07 23:45:48
Running from C:\Users\AFastJar\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Mozilla Firefox 33.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 33.0.3 (x86 en-US)) (Version: 33.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.0.3 - Mozilla)
qBittorrent 3.1.9.2 (HKLM\...\qbittorrent) (Version: 3.1.9.2 - The qBittorrent project)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Skype Click to Call (HKLM\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 6.20 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System Requirements Lab CYRI (HKLM\...\{19B0831B-0C18-4103-86E4-90FCD04CD3B9}) (Version: 6.0.12.5 - Husdawg, LLC)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
07-11-2014 15:27:05 Revo Uninstaller's restore point - I.d.l.e  C.r.a.w.l.e.r
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {04CD32A0-83A0-4525-B509-CE2C2D1A8865} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-08-17] (Google Inc.)
Task: {14C8081E-C13F-48A9-B2FF-761D1EEC11BA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-08-17] (Google Inc.)
Task: {45A7EC35-501F-4527-9FAF-50EB250CC8BC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-06] (Adobe Systems Incorporated)
Task: {6C757C2E-B482-4BFB-A814-D1609A11E183} - System32\Tasks\{1F77234B-8E86-4AAA-9065-4B6FAB4D5E0E} => Iexplore.exe http://ui.skype.com/ui/0/6.18.0.106/en/abandoninstall?source=lightinstaller&page=tsPlugin
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-10-27 21:32 - 2014-10-21 23:04 - 08910664 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll
2014-10-27 21:32 - 2014-10-21 23:04 - 01681224 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\ffmpegsumo.dll
2014-10-29 20:08 - 2014-11-06 06:09 - 03649648 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll
2014-11-06 18:46 - 2014-11-06 18:46 - 16832176 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll
2014-08-18 00:12 - 2014-02-10 12:44 - 04592128 _____ () C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2014-08-18 00:12 - 2014-02-10 12:44 - 00112128 _____ () C:\Users\AFastJar\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-3882845266-2567279142-2214949279-500 - Administrator - Disabled)
AFastJar (S-1-5-21-3882845266-2567279142-2214949279-1001 - Administrator - Enabled) => C:\Users\AFastJar
Guest (S-1-5-21-3882845266-2567279142-2214949279-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3882845266-2567279142-2214949279-1002 - Limited - Enabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
Error: (11/07/2014 09:51:58 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
 
 
Microsoft Office Sessions:
=========================
 
==================== Memory info =========================== 
 
Processor: AMD Sempron 145 Processor
Percentage of memory in use: 79%
Total physical RAM: 1789.39 MB
Available physical RAM: 374.5 MB
Total Pagefile: 3578.78 MB
Available Pagefile: 1853.68 MB
Total Virtual: 2047.88 MB
Available Virtual: 1915.97 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:149.05 GB) (Free:28.23 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 9767EF6D)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Hello, 
 
I still see qBittorrent 3.1.9.2 installed. Were you unable to uninstall this programme? 
Idle Crawler is gone. 
 
-----------------------------------
 
Please consider the following suggestion, and proceed with the instructions below. After completing the steps, please provide an update on your computer. Are there any outstanding issues?
 

No Anti-Virus Installed
 
------------------------------
 
Connecting to the Internet without an Anti-Virus is a risk to you, and to everyone. Your computer is susceptible to malware infections involving Botnets and Zombie Computers. Using Anti-Virus software will help minimize the risk and help prevent your computer from being used to pass on infections to other machines. When infected and compromised, malware spreads faster and more extensively, distributed denial-of-service (DDoS) attacks are easier to launch, spammers have more platforms from which to send E-mails and more zombies are created to perpetuate the cycle.
 
Nowadays, a multi-layered approach to security that incorporates Anti-Virus software is required to protect your computer from the latest threats. Many attackers today employ advanced techniques which involve sophisticated Backdoor Trojans and Rootkits to hide their presence on a computer. Without an Anti-Virus, your computer is not only more susceptible to infection, but you are also less likely to realise your computer is infected - sometimes the only symptom is an alert from your Anti-Virus.

For the reasons above, please download and install ONE of the Anti-Virus products listed below.

 
STEP 1
Browser Reset
 
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Proceed with the reset once done.

STEP 2
Reg Fix 

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\GigaClicks]

  • Click Format. Ensure Wordwrap is unchecked
  • Click File > Save As and name the file regfix.reg.
  • Select All Files as the Save as type.
  • Save the file to your Desktop
  • Locate regfix.reg on your Desktop. Right-click the file and click Merge with the Registry
  • Accept any prompts. 
  • Reboot your computer for the changes to take effect.
     

STEP 3
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 4
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Which Anti-Virus did you install?
  • Did Firefox reset OK? 
  • Did the regfix merge successfully?
  • MBAM Scan log
  • ESET Online Scan log
  • Are there any outstanding issues?

After Revo had its snag, I plumb forgot about qBittorrent. I hadn't tried to uninstall it yet because I forgot it was an issue. 

 

Also, do I need to install an antivirus program before I proceed with those steps? If not, should I anyway? Is it preferable, or is it something I can do after the malware is removed?


That took a while, sorry about that, here are the two logs. qBittorrent seems gone, the regfix seems to have merged fine, Firefox seems to be reset, I haven't seen any SmartOnes ads so far. Malwarebytes found nothing, but ESET did. 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/8/2014
Scan Time: 1:19:14 AM
Logfile: 
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.08.02
Rootkit Database: v2014.11.01.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: AFastJar

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 278611
Time Elapsed: 15 min, 53 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

C:\FRST\Quarantine\C\Users\AFastJar\AppData\Local\Temp\Windows%208.1%20Product%20Key%20Finder%20Ultimate%20v14.05.1.exe.xBAD a variant of MSIL/Riskware.HackTool.WinActivator.A application
C:\FRST\Quarantine\C\Windows\system32\roboot.exe.xBAD a variant of Win32/Systweak.A potentially unwanted application
C:\Users\AFastJar\Documents\aTubeCatcher.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Users\AFastJar\Documents\rcsetup148.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\AFastJar\Documents\spsetup116.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\Users\AFastJar\Documents\Downloads\YouTubeDownloader\YouTubeDownloaderSetup34.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\hvsetup.zip Win32/Somoto.E potentially unwanted application
C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\MCD3.2.zip a variant of Java/Obfuscated.AllatoriDemo.B potentially unsafe application
C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\playpickle-setup.exe Win32/DownloadAdmin.A.Gen potentially unwanted application
C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\Shockwave_Installer_Slim.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\hvsetup\hvsetup.exe Win32/Somoto.E potentially unwanted application
C:\Windows.old\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aagedjdadigedadidcgfgdgcdedhdddf\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Windows.old\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aagedjdadigedadidcgfgdgcdedhdddf\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Windows.old\Documents and Settings\Parent\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\28\212d271c-2c69f0ba Java/Exploit.CVE-2013-0422.BE trojan
C:\Windows.old\Program Files\Cheat Engine 6.1\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application
C:\Windows.old\Program Files\InstallBrainService\InstallBrainService(2).exe Win32/InstallBrain potentially unwanted application

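The triage the helper performs next (reading the ESET detections, setting aside what FRST already quarantined, and turning the live paths into a fixlist) can be scripted. The Python below is an added example, not part of this thread or of any ESET, Malwarebytes or Farbar tool; the sample log lines are constructed from the entries posted above, and the severity buckets and the rule of skipping C:\FRST\Quarantine are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the ESET Online Scanner lines posted above.
# Each line is: <path> [a variant of ]<Family/Name> <category words>
SAMPLE_ESET_LOG = r"""
C:\FRST\Quarantine\C\Users\AFastJar\AppData\Local\Temp\Windows%208.1%20Product%20Key%20Finder%20Ultimate%20v14.05.1.exe.xBAD a variant of MSIL/Riskware.HackTool.WinActivator.A application
C:\FRST\Quarantine\C\Windows\system32\roboot.exe.xBAD a variant of Win32/Systweak.A potentially unwanted application
C:\Users\AFastJar\Documents\aTubeCatcher.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Users\AFastJar\Documents\rcsetup148.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows.old\Program Files\InstallBrainService\InstallBrainService(2).exe Win32/InstallBrain potentially unwanted application
C:\Windows.old\Documents and Settings\Parent\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\28\212d271c-2c69f0ba Java/Exploit.CVE-2013-0422.BE trojan
C:\Windows.old\Program Files\Cheat Engine 6.1\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application
"""

# The path may contain spaces ("Documents and Settings", "Program Files"), so the
# detection name, which always contains a "/", is the split point, not the first space.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:a variant of )?(?P<name>[A-Za-z0-9]+/\S+) (?P<category>.+)$"
)

# Files ESET reports under this prefix were moved there by an earlier FRST fix
# (note the ".xBAD" suffix); assumption: they need no further fixlist entry.
QUARANTINE_PREFIX = "C:\\FRST\\Quarantine\\"


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    category: str

    @property
    def severity(self) -> str:
        """Coarse triage bucket (an assumption of this example) from ESET's category wording."""
        if self.category == "trojan":
            return "malware"
        if self.category.startswith("potentially"):
            return "pup"      # bundlers, toolbars and other unwanted/unsafe apps
        return "review"       # e.g. riskware/hack tools: a judgement call per case

    @property
    def already_quarantined(self) -> bool:
        return self.path.startswith(QUARANTINE_PREFIX)


def parse_eset_log(text: str) -> list[Detection]:
    """Parse ESET result lines; blank lines and lines of another shape are skipped."""
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["name"], m["category"]))
    return found


def severity_counts(detections: list[Detection]) -> dict[str, int]:
    """How many detections fall in each triage bucket (quarantined items included)."""
    counts = {"malware": 0, "pup": 0, "review": 0}
    for d in detections:
        counts[d.severity] += 1
    return counts


def build_fixlist(detections: list[Detection]) -> str:
    """Draft a FRST fixlist in the shape used in this thread: start, one path per
    live detection (duplicates dropped, quarantined items skipped), EmptyTemp:, end.
    The draft is for a helper to review line by line, not to run unread."""
    lines = ["start"]
    seen: set[str] = set()
    for d in detections:
        if d.already_quarantined or d.path in seen:
            continue
        seen.add(d.path)
        lines.append(d.path)
    lines.extend(["EmptyTemp:", "end"])
    return "\n".join(lines)


if __name__ == "__main__":
    dets = parse_eset_log(SAMPLE_ESET_LOG)
    for d in dets:
        flag = "quarantined" if d.already_quarantined else d.severity
        print(f"[{flag:11}] {d.name}  {d.path}")
    print(severity_counts(dets))
    print(build_fixlist(dets))
```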

Hello, 
 
Update Java (watch out for "Optional Offers" or bundled software). 
Ensure Java 7 Update 67 is no longer installed afterwards. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    C:\Users\AFastJar\Documents\aTubeCatcher.exe
    C:\Users\AFastJar\Documents\rcsetup148.exe
    C:\Users\AFastJar\Documents\spsetup116.exe
    C:\Users\AFastJar\Documents\Downloads\YouTubeDownloader\YouTubeDownloaderSetup34.exe
    C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\hvsetup.zip
    C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\MCD3.2.zip
    C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\playpickle-setup.exe
    C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\Shockwave_Installer_Slim.exe
    C:\Users\AFastJar\Documents\temporary\New Documents\Downloads\hvsetup
    C:\Windows.old\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aagedjdadigedadidcgfgdgcdedhdddf
    C:\Windows.old\Documents and Settings\Parent\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\28\212d271c-2c69f0ba
    C:\Windows.old\Program Files\InstallBrainService
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

----------------------------
 
Now for the good news!
 
All Clean!
Congratulations, your computer appears clean!  :)
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 

DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing. :)    
Adam (LiquidTension).
One more thing. After leaving my computer on for a while, it enters a state where the power light on the tower flashes, and in order to get back in, I have to press the power button and so on, as opposed to just moving the mouse or pressing a button. Why is that? It didn't do that before.
  1. Open Power Options by clicking the Start button, clicking Control Panel, clicking System and Security, and then clicking Power Options.

  2. On the Select a power plan page, click Change plan settings next to the selected plan.

  3. On the Change settings for the plan page, click Change advanced power settings.

  4. On the Advanced settings tab, double-click Sleep, double-click Sleep after, and then do one of the following:

    • If you're using a laptop, click On battery or Plugged in (or both), click the arrow, and then click Never.

    • If you're using a desktop computer, click Setting, click the arrow, and then click Never.

  5. Double-click Hibernate after, and then do one of the following:

    • If you're using a laptop, click On battery or Plugged in (or both), click the arrow, and then click Never.

    • If you're using a desktop computer, click Setting, click the arrow, and then click Never.

  6. If you also want the display to stay turned on, double-click Display, double-click Turn off display after, and then do one of the following:

    • If you're using a laptop, click On battery or Plugged in (or both), click the arrow, and then click Never.

    • If you're using a desktop computer, click Setting, click the arrow, and then click Never.

  7. Click OK, and then click Save changes.
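The same three settings that the steps above change in the Power Options window can also be applied from the command line with the built-in powercfg tool. This is an added example, not part of the original reply; a timeout of 0 minutes corresponds to "Never", the -ac variants apply when plugged in and the -dc variants on battery (the -dc lines are harmless on a desktop without a battery).

```powershell
# Added example, not part of the original reply. Run from an elevated PowerShell
# prompt (right-click PowerShell, Run as administrator). A value of 0 means "Never".

# Step 4: Sleep after -> Never
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0

# Step 5: Hibernate after -> Never
powercfg /change hibernate-timeout-ac 0
powercfg /change hibernate-timeout-dc 0

# Step 6 (optional): Turn off display after -> Never
powercfg /change monitor-timeout-ac 0
powercfg /change monitor-timeout-dc 0

# Verify: list the sleep-related settings of the currently active plan.
# The "Current AC Power Setting Index" / "Current DC Power Setting Index" values
# for "Sleep after" and "Hibernate after" should now read 0x00000000.
powercfg /query SCHEME_CURRENT SUB_SLEEP
```

If the machine keeps dropping into sleep after this, check whether a different power plan is active (powercfg /list shows the plans and marks the active one with an asterisk), since the GUI steps and these commands both edit only the plan that is currently selected.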
