[Resolved] Malware installed when I clicked for information


chuckles
[Resolved] Malware installed when I clicked for information
« on: April 13, 2014, 08:05:57 AM »
Hello Spyware Hammer. Yesterday on my i5 Windows 7 Pro machine, I was looking for answers to fix my printer and as soon as I clicked, I knew they had me. Something started to install with names like pc cleaner, expertPDF, Arcsde Parlor, and slowpitch etc.
I immediately got very upset and disconnected my computer from the internet.
I went in to Add/Remove Programs and only 1, which had been installed on 4-12, allowed me to remove it. The rest said I had to wait!
I restarted and ran the Malwarebytes paid version, and this morning that removed 7 p.... something files.
I'm still offline... Need your help. Here are the DDS and Attach files

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/28/2011 1:03:57 AM
System Uptime: 4/13/2014 9:13:31 AM (0 hours ago)
.
Motherboard: Hewlett-Packard |  | 0B48h
Processor: Intel(R) Core(TM) i5 CPU         660  @ 3.33GHz | XU1 PROCESSOR | 3466/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 464 GiB total, 292.328 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&FDB5190&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&FDB5190&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP406: 3/27/2014 10:10:13 PM - HPSF Restore Point
RP407: 3/29/2014 12:18:31 AM - Windows Update
RP408: 4/2/2014 12:18:52 AM - Windows Update
RP409: 4/2/2014 9:58:47 AM - Configured Sharpdesk
RP410: 4/2/2014 10:04:42 AM - Installed Sharpdesk.
RP411: 4/6/2014 12:07:09 AM - Windows Update
RP412: 4/9/2014 12:19:31 AM - Windows Update
RP413: 4/12/2014 9:35:41 AM - Windows Update
.
==== Installed Programs ======================
.
4Xlounge Traders Clock
ActiveCheck component for HP Active Support Library
Adobe Flash Player 12 ActiveX
Adobe Flash Player 12 Plugin
Adobe Reader XI (11.0.06)
Audacity 2.0.4
Cisco WebEx Meetings
Citrix Online Launcher
Corel PaintShop Pro X6
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DirectX 9 Runtime
DirectXInstallService
DisplayKEY USB Cradle
Dropbox
EMCGadgets64
File Uploader
Google Chrome
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 5.5.0.1132
hotComm® CL
HP Customer Experience Enhancements
HP Performance Advisor
HP SkyRoom
HP Support Assistant
HPAsset component for HP Active Support Library
IBFX - MT4 - Tools 4.7.4
IBFX MT4
ICA
Intel(R) Control Center
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Components
InterVideo WinDVD 8
IPM_PSP_COM
IPM_PSP_COM64
Java 7 Update 51
Java Auto Updater
LightScribe System Software
LogMeIn
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4.5.1
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox 28.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NEW HAMPSHIRE ASSOCIATION REALTORS FORMS
Nikon Message Center
Nikon Message Center 2
Nikon Movie Editor
Nitro Reader 3
PDF Complete Special Edition
Picture Control Utility x64
PipStrider II (tm)
PipStrider(tm)
PowerChute Personal Edition 3.0.2
PrimoPDF -- brought to you by Nitro PDF Software
Printer Status Monitor Version 4.2.0
PSPPContent
PSPPHelp
PSPPro64
Qlock Pro
QuickBooks
QuickBooks Pro 2014
QuickBooks Runtime Redistributable
Realtek High Definition Audio Driver
Remote Graphics Receiver
Remote Graphics Sender
Replay Video Capture
Replay Video Capture 7
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio RecordNow 10 Music Lab
Roxio RecordNow 9 Music Lab
Roxio Update Manager
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2837597) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Setup
SHARP MFP TWAIN V Scanner Driver
Sharpdesk
Sonic CinePlayer Decoder Pack
thinkorswim from TD AMERITRADE
Top Producer Editor
TradeStation 9.0
TradeStation 9.1
TrueForms Online 4.6.0.21
TTM Squeeze 2.2
TTM Squeeze Radar 3.2
TweetDeck
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition
VD64Inst
VectorVest 7
VectorVest U.S.
ViewNX 2
VirtualCloneDrive
WD SmartWare Drive Manager
Windows Live ID Sign-in Assistant
YouSendIt Express
zipForm6
.
==== Event Viewer Messages From Past Week ========
.
4/9/2014 3:13:02 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {D3DCB472-7261-43CE-924B-0704BD730D5F}  and APPID  {D3DCB472-7261-43CE-924B-0704BD730D5F}  to the user SteveDesk\Steve SID (S-1-5-21-1791241159-1826100194-129798548-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/9/2014 3:13:02 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {145B4335-FE2A-4927-A040-7C35AD3180EF}  and APPID  {145B4335-FE2A-4927-A040-7C35AD3180EF}  to the user SteveDesk\Steve SID (S-1-5-21-1791241159-1826100194-129798548-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/13/2014 9:15:18 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/13/2014 9:14:46 AM, Error: Service Control Manager [7024]  - The Remote Graphics Sender Service service terminated with service-specific error Incorrect function..
4/12/2014 4:05:39 PM, Error: Service Control Manager [7034]  - The Computer Backup (MyPC Backup) service terminated unexpectedly.  It has done this 1 time(s).
4/12/2014 11:35:57 AM, Error: Schannel [36888]  - The following fatal alert was generated: 40. The internal error state is 107.
4/12/2014 11:35:57 AM, Error: Schannel [36874]  - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
4/12/2014 11:18:34 AM, Error: Schannel [36888]  - The following fatal alert was generated: 43. The internal error state is 252.
.
==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.51.2
Run by Steve at 9:47:58 on 2014-04-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.12087.9851 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
C:\Windows\SysWOW64\atashost.exe
C:\dKEYUSBCradle\SyncService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\dKEYUSBCradle\ProxyDaemon.exe
C:\dKEYUSBCradle\stunnel-4.10.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\YouSendIt\Express\YouSendIt.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\dKEYUSBCradle\SyncInfoApp.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Sharp\Printer Status Monitor\Smon.exe
C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files (x86)\Sharp\Sharpdesk\FTPServer.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\Intuit\QuickBooks 2014\QBW32.EXE
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Sharp\Sharpdesk\nsapp.exe
C:\Program Files (x86)\Qlock\qlock.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\WUDFHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,204,0_0,StartPage,20140415,20029,0,31,6944
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [YouSendIt.exe] C:\Program Files (x86)\YouSendIt\Express\YouSendIt.exe -ui none
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
mRun: [Display] C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun: [SharpTray.exe] "C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe"
mRun: [FtpServer.exe] "C:\Program Files (x86)\Sharp\Sharpdesk\FtpServer.exe" -usedefault
mRun: [IndexTray.exe] "C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe" /n
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\qlock.lnk - C:\Program Files (x86)\Qlock\qlock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DISPLA~1.LNK - C:\dKEYUSBCradle\SyncInfoApp.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PRINTE~1.LNK - C:\Program Files (x86)\Sharp\Printer Status Monitor\Smon.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2014\QBW32.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDQUIC~1.LNK - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:3
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: getoffutt.com
Trusted Zone: marketlinx.com
DPF: {C269D811-8511-44CF-B310-28CDDFFB1B74} - hxxp://www.nnerenmls.com/nne/valid/osi_valid9m.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tradestation.webex.com/client/T28L/support/ieatgpc1.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1058
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{EFABDCBE-21BD-403B-8A95-21C8269076C6} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files (x86)\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files (x86)\Sharp\Sharpdesk\ExplorerExtensions.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SN52IPRW] C:\Windows\SysWOW64\SN52SELC.EXE -w
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 255.255.255.255   hcurltest5
Hosts: 255.255.255.255   vnsjs1.1stworks.com
Hosts: 69.174.255.126   hcurltest1
Hosts: 0.0.0.0   hcurltest2
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,205,0_0,StartPage,20140415,20031,0,31,0
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140415,20030,0,31,0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nitro\Reader 3\npdf.dll
FF - plugin: C:\Program Files (x86)\Nitro\Reader 3\npnitroie.dll
FF - plugin: C:\Program Files (x86)\Nitro\Reader 3\npnitromozilla.dll
FF - plugin: C:\Program Files (x86)\thinkTDA\npthinkorswim.dll
FF - plugin: C:\Program Files (x86)\thinkTDA\nptossc.dll
FF - plugin: C:\Users\Steve\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Users\Steve\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-7-26 55280]
R2 APC Data Service;APC Data Service;C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [2012-1-24 21880]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2013-5-10 137232]
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2010-3-3 124472]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-9-26 376144]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-9-16 16056]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2011-11-4 72216]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-12-2 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-12-2 701512]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 134944]
R2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [2013-3-26 230416]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-7-26 635416]
R2 PSI_SVC_2_x64;Protexis Licensing V2 x64;C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2010-11-30 336824]
R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2013-8-19 1248256]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-7-26 2320920]
R2 WDDMService;WDDMService;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-8-1 311296]
R3 e1kexpress;Intel(R) Network Connections Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2013-10-1 497424]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-7-26 289280]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-12-2 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 silabenm;CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\System32\drivers\silabenm.sys [2011-11-11 29576]
R3 silabser;CP210x USB to UART Bridge Driver;C:\Windows\System32\drivers\silabser.sys [2011-11-11 76680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 rgsender;Remote Graphics Sender Service;C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2011-7-26 379904]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-6-4 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-6-4 166384]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-1-25 111616]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-7-26 158976]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-12-18 19456]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-6-4 1120752]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-12-18 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-10-28 1255736]
.
=============== Created Last 30 ================
.
2014-04-12 19:43:10   --------   d-----w-   C:\ProgramData\Fighters
2014-04-12 13:36:16   10521840   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4E9B9027-977D-48D8-B25D-66A5864F8819}\mpengine.dll
2014-04-11 13:35:42   10521840   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-04 04:18:45   1031560   ------w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9CE1EC75-9503-4AFB-8480-3E9523216CDB}\gapaengine.dll
2014-04-02 14:07:12   27648   ----a-w-   C:\Windows\System32\Spool\prtprocs\x64\crprproc.dll
2014-04-02 14:06:48   --------   d-----w-   C:\Users\Steve\AppData\Roaming\Nuance
2014-04-02 14:05:06   --------   d-----w-   C:\ProgramData\Sharp
2014-04-02 14:05:06   --------   d-----w-   C:\Program Files (x86)\Common Files\Sharp Shared
2014-03-21 21:15:50   --------   d-----w-   C:\Users\Steve\AppData\Local\Macromedia
.
==================== Find3M  ====================
.
2014-04-11 00:08:36   92488   ----a-w-   C:\Windows\System32\LMIinit.dll
2014-04-11 00:08:36   35656   ----a-w-   C:\Windows\System32\LMIport.dll
2014-04-11 00:08:36   107368   ----a-w-   C:\Windows\System32\LMIRfsClientNP.dll
2014-03-21 21:15:31   71048   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-21 21:15:31   692616   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2014-01-21 21:23:17   107368   ----a-w-   C:\Windows\System32\LMIRfsClientNP.dll.000.bak
2014-01-19 07:33:29   270496   ------w-   C:\Windows\System32\MpSigStub.exe
.
============= FINISH:  9:48:27.81 ===============

 
« Last Edit: April 13, 2014, 08:15:41 AM by Hoov »
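The Pseudo HJT section of the DDS log above is where the browser hijack shows itself: the IE start page and both Firefox search preferences point at search URLs carrying an hspart=w3i / fr=w3i partner tag, one BHO CLSID is orphaned, and there are four Hosts overrides. The following script, added here as an example and not part of the forum post or of the DDS tool, runs that same first-pass triage over DDS-style lines. The sample lines are condensed from the log above; the allowlist of expected search hosts, the list of hijack query markers and the user-writable path pattern are assumptions. Its output is a review list, not a verdict: Dropbox legitimately runs from AppData, and a Hosts entry may belong to an installed product, so each hit still needs an analyst's judgment.

```python
"""Triage a DDS 'Pseudo HJT Report' for browser-hijack and persistence indicators.

Added example; the sample below is condensed from the forum log, and the
allowlist, markers and path pattern are assumptions, not DDS behaviour.
"""
import re
from collections import Counter

# Assumption: the user's normal search/start pages live on one of these hosts.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Assumption: query-string tags that monetised installer bundles leave behind
# in hijacked start pages and search URLs (the log above shows w3i).
HIJACK_MARKERS = ("hspart=", "hsimp=", "type=W3i", "fr=w3i")

# Autorun targets under user-writable trees deserve a second look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)

# DDS writes both "key: value" and "key = value" forms; stop at the first : or =.
LINE = re.compile(r"^([^:=]+?)\s*[:=]\s*(.*)$")
URL_HOST = re.compile(r"(?:hxxps?|https?)://([^/?#\s]+)", re.I)

# Constructed sample: lines condensed from the DDS log in the post above.
SAMPLE = r"""
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,204,0_0,StartPage,20140415,20029,0,31,6944
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
Hosts: 255.255.255.255   vnsjs1.1stworks.com
FF - prefs.js: browser.startup.homepage - hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,205,0_0,StartPage,20140415,20031,0,31,0
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140415,20030,0,31,0
"""


def parse_hjt(text):
    """Yield (key, value) pairs from DDS lines; skips blanks and '.' separators."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return a list of (category, key, value) review items."""
    findings = []
    for key, value in parse_hjt(text):
        base = key[4:] if key.startswith("x64-") else key  # fold x64-* into the 32-bit key
        if base.endswith(("Start Page", "Default_Page_URL", "Search Page")) or base == "FF - prefs.js":
            host_m = URL_HOST.search(value)
            host = host_m.group(1).lower() if host_m else None
            if any(mk in value for mk in HIJACK_MARKERS):
                findings.append(("startpage-hijack-marker", key, value))
            elif host and host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("startpage-unexpected-host", key, value))
        elif base in {"BHO", "TB", "SSODL", "Handler", "Filter"} and "<orphaned>" in value:
            # CLSID registered but its DLL is gone: leftover from a removed or partly removed install.
            findings.append(("orphaned-component", key, value))
        elif base in {"uRun", "mRun", "Run", "StartupFolder"}:
            # StartupFolder lines are "<lnk path> - <target>"; only the target matters.
            target = value.split(" - ", 1)[-1] if base == "StartupFolder" else value
            if USER_WRITABLE.search(target):
                findings.append(("autorun-user-writable", key, value))
        elif base == "Hosts":
            findings.append(("hosts-override", key, value))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'hosts-override': 1, ...}."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    for category, key, value in triage(SAMPLE):
        print(f"{category:26} {key}: {value[:80]}")
    print(summarize(triage(SAMPLE)))
```

On the sample above the script flags all three search URLs on the w3i marker, the orphaned BHO, the Dropbox startup entry (a false positive the analyst dismisses) and the Hosts line; the Google Toolbar BHO and the PDF Complete Run entry pass. Running it against a full DDS log would also pick up the remaining three Hosts lines and the second Firefox profile entries, which is exactly the list a helper asks the poster to confirm before the AdwCleaner/JRT/RogueKiller pass.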

Hoov (Malware Removal Mentors, Administrator)
Re: [In Progress] Malware installed when I clicked for information
« Reply #1 on: April 13, 2014, 08:17:28 AM »
My name is Hoov and I will be helping you with your problems. As you have been helped here before, I will skip all the preliminaries. You know how we work.

Can you post up the log from Malwarebytes' Anti-Malware?

Please follow these steps:

1.- Download AdwCleaner by Xplode onto your Desktop.
  •   Please close all open programs and internet browsers.
  •   Double click on Adwcleaner.exe to run the tool.
  •   Click on the Scan button.
  •   Please be patient as this can take a while to complete.
  •   You will get a prompt asking to close all programs. Click OK.
  •   Click OK again to reboot your computer. A text file will open after the restart.
  •   Please post the content of that logfile in your reply.
  •   You can find the logfile at C:\AdwCleaner[Sn].txt.
2.- Download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
3.- Please download RogueKiller and Save to the desktop.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

chuckles
Re: [In Progress] Malware installed when I clicked for information
« Reply #2 on: April 13, 2014, 10:29:55 AM »
Here is the log from Malwarebytes, followed by the 3 you instructed.

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
http://www.malwarebytes.org

Database version: v2014.04.12.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16428
Steve :: STEVEDESK [administrator]

Protection: Enabled

4/12/2014 4:14:03 PM
mbam-log-2014-04-12 (16-14-03).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 530467
Time elapsed: 1 hour(s), 20 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\Typelib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F} (PUP.Optional.GetNow.A) -> Quarantined and deleted successfully.
HKCR\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967} (PUP.Optional.GetNow.A) -> Quarantined and deleted successfully.
HKLM\Software\InstallIQ (PUP.Optional.InstallBrain.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PNHPSK42\SHARP DX-C311 user guide provided through mypdfmanuals.com.exe (PUP.Optional.GetNow.A) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0DAZO5YQ\7zip_14371_stn.exe (PUP.Optional.SafeInstall.A) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\ibtmp395f617\component_640 (PUP.Optional.BestToolBars) -> Quarantined and deleted successfully.
C:\Users\Steve\Downloads\pdf_14395_stf_2.exe (PUP.Optional.InstallX) -> Quarantined and deleted successfully.

(end)

# AdwCleaner v3.023 - Report created 13/04/2014 at 12:02:13
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Steve - STEVEDESK
# Running from : C:\Users\Steve\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\user.js
Folder Found : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found C:\ProgramData\Ask
Folder Found C:\Users\Steve\AppData\Local\apn
Folder Found C:\Users\Steve\AppData\Local\Temp\TempDir
Folder Found C:\Users\Steve\Documents\smart pc cleaner

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\prefs.js ]


-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2832 octets] - [13/04/2014 12:02:13]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2892 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by Steve on Sun 04/13/2014 at 12:10:53.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BED9CA41-CC37-4E84-A581-4FFF96D56F4A}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\fighters"
Successfully deleted: [Folder] "C:\Users\Steve\documents\smart pc cleaner"
Successfully deleted: [Folder] "C:\ProgramData\ask"



~~~ FireFox

Successfully deleted: [File] C:\Users\Steve\AppData\Roaming\mozilla\firefox\profiles\aqopvbqa.default\user.js



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 04/13/2014 at 12:15:59.21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Steve [Admin rights]
Mode : Scan -- Date : 04/13/2014 12:28:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


255.255.255.255   hcurltest5
255.255.255.255   vnsjs1.1stworks.com
69.174.255.126   hcurltest1
0.0.0.0   hcurltest2


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) Hitachi HDS721050CLA662 +++++
--- User ---
[MBR] 12ecea553df45dd7ee8c15aa5b03eb76
[BSP] 63605af66d0c711717ba74f5f557bf26 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 2047 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 4194304 | Size: 474891 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk U3 Cruzer Micro USB Device +++++
--- User ---
[MBR] e54939441f8af88a54d9fa4ab55f0dc1
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 34 | Size: 3898 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_04132014_122805.txt >>
RKreport[0]_S_04132014_121855.txt



Done!
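The four reports above each use a different line format, and anyone triaging a thread like this has to pull the actual findings out of a lot of banner text. The following is an added example written for this page, not code from Malwarebytes, Xplode (AdwCleaner), Thisisu (JRT) or Adlice (RogueKiller): it parses lines in the formats shown in this reply, lists every reported item, and sorts the HOSTS entries RogueKiller printed into names pointed at a sink address (0.0.0.0, 127.0.0.1, 255.255.255.255, a set I chose) and names pointed at a routable address, which are the ones worth a second look. The sample text inside the block is excerpted from the logs in this reply; the `Finding` fields and function names are my own.

```python
"""Triage helper for the scanner reports posted above (added example, not
code from Malwarebytes, AdwCleaner, JRT or RogueKiller). It extracts each
reported item from the four report formats and sorts the HOSTS entries
RogueKiller printed by where the hostname is pointed."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    tool: str    # scanner that reported the item
    kind: str    # registry key, file, folder, HOSTS entry, ...
    item: str    # path, registry key or hostname
    label: str   # scanner's classification (or the IP for a HOSTS entry)
    action: str  # Found / Deleted / Quarantined ... / FOUND


# Malwarebytes: "<item> (<classification>) -> <action>."
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")
# Malwarebytes section header, e.g. "Registry Keys Detected: 3"
MBAM_HEAD_RE = re.compile(r"^(?P<kind>.+?) Detected: \d+$")
# AdwCleaner: "Key Found : <item>"; the thread's log has lines with and without the colon
ADW_RE = re.compile(r"^(?P<kind>File|Folder|Key|Value|Service|Shortcut|Task) "
                    r"(?P<action>Found|Deleted) :?\s*(?P<item>.+)$")
# JRT: 'Successfully deleted: [Registry Key] <item>' (folders are quoted)
JRT_RE = re.compile(r'^Successfully deleted: \[(?P<kind>[^\]]+)\] "?(?P<item>[^"]+?)"?$')
# RogueKiller: "[HJ POL][PUM] <item> -> FOUND"
RK_RE = re.compile(r"^(?P<label>(?:\[[^\]]+\])+) (?P<item>.+?) -> (?P<action>\w+)$")
# HOSTS line as RogueKiller prints it: "<ipv4>   <hostname>"
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")

# Addresses that cannot reach a real host: an entry using one of these blocks
# the name rather than redirecting it (this set is my assumption, not the tool's).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "255.255.255.255"}

BANNERS = {"Malwarebytes Anti-Malware": "Malwarebytes", "# AdwCleaner": "AdwCleaner",
           "Junkware Removal Tool": "JRT", "RogueKiller V": "RogueKiller"}


def parse_reports(text: str) -> List[Finding]:
    """Walk the pasted text top to bottom, switching parser at each tool banner."""
    findings: List[Finding] = []
    tool = section = ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        hit = [name for prefix, name in BANNERS.items() if line.startswith(prefix)]
        if hit:
            tool, section = hit[0], ""
            continue
        if tool == "Malwarebytes":
            if (h := MBAM_HEAD_RE.match(line)):
                section = h["kind"]
            elif (m := MBAM_RE.match(line)):
                findings.append(Finding(tool, section, m["item"], m["label"], m["action"]))
        elif tool == "AdwCleaner" and (m := ADW_RE.match(line)):
            findings.append(Finding(tool, m["kind"], m["item"], "", m["action"]))
        elif tool == "JRT" and (m := JRT_RE.match(line)):
            findings.append(Finding(tool, m["kind"], m["item"], "", "Deleted"))
        elif tool == "RogueKiller":
            if line.startswith("¤¤¤"):  # section banner, e.g. "¤¤¤ HOSTS File: ¤¤¤"
                section = line.strip("¤ ").split(":")[0].strip()
            elif section == "HOSTS File" and (h := HOSTS_RE.match(line)):
                findings.append(Finding(tool, "HOSTS entry", h["host"], h["ip"], "FOUND"))
            elif (m := RK_RE.match(line)):
                findings.append(Finding(tool, section, m["item"], m["label"], m["action"]))
    return findings


def classify_hosts(findings: List[Finding]) -> Dict[str, List[str]]:
    """Split HOSTS names into those pointed at a sink address and those redirected elsewhere."""
    out: Dict[str, List[str]] = {"sink": [], "redirect": []}
    for f in findings:
        if f.kind == "HOSTS entry":
            out["sink" if f.label in SINK_ADDRESSES else "redirect"].append(f"{f.item} -> {f.label}")
    return out


def count_by_tool(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.tool] = counts.get(f.tool, 0) + 1
    return counts


# Constructed sample: lines excerpted from the four reports posted in this reply.
SAMPLE_REPORTS = r"""
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
Registry Keys Detected: 2
HKCR\Typelib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F} (PUP.Optional.GetNow.A) -> Quarantined and deleted successfully.
HKLM\Software\InstallIQ (PUP.Optional.InstallBrain.A) -> Quarantined and deleted successfully.
Files Detected: 1
C:\Users\Steve\Downloads\pdf_14395_stf_2.exe (PUP.Optional.InstallX) -> Quarantined and deleted successfully.
# AdwCleaner v3.023 - Report created 13/04/2014 at 12:02:13
File Found : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\user.js
Folder Found C:\ProgramData\Ask
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Junkware Removal Tool (JRT) by Thisisu
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Folder] "C:\ProgramData\fighters"
RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
255.255.255.255   hcurltest5
255.255.255.255   vnsjs1.1stworks.com
69.174.255.126   hcurltest1
0.0.0.0   hcurltest2
¤¤¤ MBR Check: ¤¤¤
[MBR] 12ecea553df45dd7ee8c15aa5b03eb76
"""

if __name__ == "__main__":
    found = parse_reports(SAMPLE_REPORTS)
    for f in found:
        print(f"{f.tool:12} {f.kind:18} {f.action:10} {f.item}  {f.label}")
    print(count_by_tool(found))
    print(classify_hosts(found))
```

Running it against the full pasted reply instead of the sample just means passing the whole text to `parse_reports`; the banner lines are what switch the parser, so the reports can be pasted in any order. Note that RogueKiller's `[PUM]` items are "potentially unwanted modifications" of policy keys, so the parser records them with their bracketed tags as the label rather than deciding for you whether they are malicious.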

Hoov
Re: [In Progress] Malware installed when I clicked for information
« Reply #3 on: April 13, 2014, 05:36:46 PM »
Please run ADWCleaner again. Run the scan and once the scan is done, click on the clean button. Post the resulting log.

After that, reboot your computer and see if you still see those programs installed. How is the computer running, any problems with the browsers?

chuckles
Re: [In Progress] Malware installed when I clicked for information
« Reply #4 on: April 13, 2014, 06:34:29 PM »
Here are the results:
# AdwCleaner v3.023 - Report created 13/04/2014 at 19:58:02
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Steve - STEVEDESK
# Running from : C:\Users\Steve\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Steve\AppData\Local\apn
Folder Deleted : C:\Users\Steve\AppData\Local\Temp\TempDir
Folder Deleted : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\aqopvbqa.default\prefs.js ]


-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2988 octets] - [13/04/2014 12:02:13]
AdwCleaner[R1].txt - [1657 octets] - [13/04/2014 19:56:51]
AdwCleaner[S0].txt - [1588 octets] - [13/04/2014 19:58:02]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1648 octets] ##########

RogueKiller still identifies 5 items. I have not yet rebooted to the web, but the computer is working well.

Hoov
Re: [In Progress] Malware installed when I clicked for information
« Reply #5 on: April 13, 2014, 06:49:29 PM »
In RogueKiller, go ahead and run it again and click the Delete button.

Once you have done that, reboot the computer and go ahead and connect to the internet and let me know how it goes. Make sure to check your browsers homepage and search engine. Sometimes one or both get changed by this sort of malware.

chuckles
Re: [In Progress] Malware installed when I clicked for information
« Reply #6 on: April 13, 2014, 09:05:07 PM »
Internet OK, seems to be working OK now.
Any other suggestions?

Hoov
Re: [In Progress] Malware installed when I clicked for information
« Reply #7 on: April 13, 2014, 09:16:20 PM »
Go ahead and run it for a day and make sure nothing comes back. If all is fine tomorrow, we will do some cleanup and call it done.

chuckles
Re: [In Progress] Malware installed when I clicked for information
« Reply #8 on: April 14, 2014, 07:16:37 AM »
OK, all is good except that there is a Yahoo main page in Firefox and Chrome. I knew how to change it in IE, but for Mozilla and Chrome I'll have to look that up in a How-to.

Please instruct me the next step for clean-up. This computer has not been serviced for clean-up since purchased.

Thanks for your help getting back up and running.

Hoov
Re: [In Progress] Malware installed when I clicked for information
« Reply #9 on: April 14, 2014, 10:21:06 AM »
For Firefox, you need to go into Options and then, in the General section, you can change the start page. In Chrome, if you go to Settings and then to the Appearance section, you can change the start page.

Now there are a few things you need to do to fully clean your system and keep it secure.

Run OTC
Download OTC to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go through the Internet Options in the Windows Control Panel. There are several programs that also do the job better than Windows does it, in my opinion. The one I use is CCleaner. Also, other programs sometimes do it as well as what you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Disable and Enable System Restore.
I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.
For Vista use these instructions, Windows Vista Restore Guide
For XP use these instructions, Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above
Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall). There are some good basic instructions for that here.

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware and Malwarebytes' Anti-Malware.

Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT: Windows and IE, and whatever other software you have that connects to the net, need to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. Download version 2. It is not the download button, but just underneath it. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.
