Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 13th, 2015, 1:12 pm

Son downloaded some free video editing software (it has now been removed), but since then every web page visited is full of ads sponsored by SASA, Obrona etc. If you click anywhere on the page, another page opens with advertising of some description. The laptop is also extremely slow to start and perform basic tasks, and quite often error messages of "No Data received" or "pages unresponsive" appear.
Any help would be appreciated.
Knoxy

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by C850-13D at 17:01:03 on 2015-01-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1938.209 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\GFNEXSrv.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe
C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\ismagent.exe
C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\updateui.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\Explorer.EXE
C:\windows\system32\Dwm.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\ismagent.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe
C:\Users\Aiden\AppData\Roaming\Spotify\spotify.exe
C:\Users\Aiden\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Users\Aiden\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Aiden\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Aiden\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Aiden\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Users\Aiden\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain ... &bmod=TEUA
mStart Page = about:blank
uProxyServer = hxxp=127.0.0.1:9880;https=127.0.0.1:9880
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} -
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} -
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} -
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -
uRun: [Sony PC Companion] "C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe" /Background
uRunOnce: [Uninstall C:\Users\C850-13D\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] C:\windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\C850-13D\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRunOnce: [20150107] C:\Program Files\AVAST Software\Avast\setup\emupdate\9868afe1-e43c-4818-8b43-1ca09d4cc1cf.exe /check
dRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STARTUP
StartupFolder: C:\Users\C850-13D\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TOSHIB~1.LNK - C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{2BE653E5-38A0-4B09-84E5-999FE9761661} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{F63BFF6C-2ABB-4D07-B368-70F646320A08} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{F63BFF6C-2ABB-4D07-B368-70F646320A08}\4435C4D22363430325 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F63BFF6C-2ABB-4D07-B368-70F646320A08}\4514C4B44514C4B4D2543354536443 : DHCPNameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{F63BFF6C-2ABB-4D07-B368-70F646320A08}\54373756E6479616C6E45445 : DHCPNameServer = 192.168.81.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll
x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [SRS Premium Sound HD] "C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe" /f="C:\Program Files\SRS Labs\SRS Control Panel\SRS_Premium_Sound_HD.zip" /h
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [Toshiba TEMPRO] C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
x64-Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2014-8-27 65776]
R0 aswVmm;avast! VM Monitor;C:\windows\System32\drivers\aswVmm.sys [2014-8-27 267632]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\windows\System32\drivers\iusb3hcs.sys [2012-1-5 16152]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2009-6-24 482384]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswsnx.sys [2014-8-27 1050432]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswsp.sys [2014-8-27 436624]
R2 aswHwid;avast! HardwareID;C:\windows\System32\drivers\aswHwid.sys [2014-8-27 29208]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2014-8-27 83280]
R2 aswStm;aswStm;C:\windows\System32\drivers\aswStm.sys [2014-8-27 116728]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-20 14472]
R3 IntcDAud;Intel(R) Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-12-6 331264]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\windows\System32\drivers\iusb3hub.sys [2012-1-5 355096]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\windows\System32\drivers\iusb3xhc.sys [2012-1-5 786200]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-6-15 38096]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-6-15 251496]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-6-15 565352]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2012-6-15 1145448]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 WSDScan;WSD Scan Support via UMB;C:\windows\System32\drivers\WSDScan.sys [2009-7-14 25088]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
.
=============== Created Last 30 ================
.
2015-01-13 15:19:31 11870360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{25C3D93E-54D0-42C3-9A64-CD93DCB4C3A9}\mpengine.dll
2014-12-24 13:33:24 -------- d-----w- C:\windows\System32\appraiser
2014-12-24 13:32:22 144384 ----a-w- C:\windows\System32\ieUnatt.exe
2014-12-24 13:32:22 115712 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2014-12-24 10:44:26 830976 ----a-w- C:\windows\System32\appraiser.dll
2014-12-24 10:44:26 192000 ----a-w- C:\windows\System32\aepic.dll
2014-12-24 10:44:26 1232040 ----a-w- C:\windows\System32\aitstatic.exe
2014-12-24 10:44:25 741376 ----a-w- C:\windows\System32\invagent.dll
2014-12-24 10:44:25 1083392 ----a-w- C:\windows\System32\aeinv.dll
2014-12-24 10:44:20 413184 ----a-w- C:\windows\System32\generaltel.dll
2014-12-24 10:44:20 396800 ----a-w- C:\windows\System32\devinv.dll
2014-12-24 10:44:18 227328 ----a-w- C:\windows\System32\aepdu.dll
2014-12-20 20:04:08 -------- d-----w- C:\f0eab5caa9a299b916
2014-12-20 19:56:24 -------- d-----w- C:\found.004
2014-12-18 21:35:00 -------- d-----w- C:\3d9149fed620b51bb1647bbf8e82
2014-12-18 21:23:39 3209728 ----a-w- C:\windows\SysWow64\mf.dll
2014-12-18 21:23:31 4121600 ----a-w- C:\windows\System32\mf.dll
2014-12-15 10:44:51 1424384 ----a-w- C:\windows\System32\WindowsCodecs.dll
2014-12-15 10:44:49 1230336 ----a-w- C:\windows\SysWow64\WindowsCodecs.dll
2014-12-15 10:44:44 119296 ----a-w- C:\windows\System32\drivers\tdx.sys
2014-12-15 10:39:57 165888 ----a-w- C:\windows\System32\charmap.exe
2014-12-15 10:39:52 155136 ----a-w- C:\windows\SysWow64\charmap.exe
2014-12-15 10:23:05 2020352 ----a-w- C:\windows\System32\WsmSvc.dll
2014-12-15 10:23:04 1177088 ----a-w- C:\windows\SysWow64\WsmSvc.dll
2014-12-15 10:23:03 310272 ----a-w- C:\windows\System32\WsmWmiPl.dll
2014-12-15 10:23:03 266240 ----a-w- C:\windows\System32\WSManHTTPConfig.exe
2014-12-15 10:23:02 346624 ----a-w- C:\windows\System32\WSManMigrationPlugin.dll
2014-12-15 10:22:57 181248 ----a-w- C:\windows\System32\WsmAuto.dll
2014-12-15 10:22:56 248832 ----a-w- C:\windows\SysWow64\WSManMigrationPlugin.dll
2014-12-15 10:22:56 214016 ----a-w- C:\windows\SysWow64\WsmWmiPl.dll
2014-12-15 10:22:56 198656 ----a-w- C:\windows\SysWow64\WSManHTTPConfig.exe
2014-12-15 10:22:55 145920 ----a-w- C:\windows\SysWow64\WsmAuto.dll
2014-12-15 10:22:48 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2014-12-15 10:22:48 2048 ----a-w- C:\windows\System32\tzres.dll
.
==================== Find3M ====================
.
2015-01-06 04:36:02 298120 ------w- C:\windows\System32\MpSigStub.exe
2014-12-09 19:41:33 1050432 ----a-w- C:\windows\System32\drivers\aswsnx.sys
2014-12-09 19:41:06 116728 ----a-w- C:\windows\System32\drivers\aswStm.sys
2014-12-09 19:41:05 83280 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2014-12-09 19:41:05 65776 ----a-w- C:\windows\System32\drivers\aswRvrt.sys
2014-12-09 19:41:05 29208 ----a-w- C:\windows\System32\drivers\aswHwid.sys
2014-12-09 19:41:05 267632 ----a-w- C:\windows\System32\drivers\aswVmm.sys
2014-12-09 19:41:03 93568 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2014-12-09 19:40:56 43152 ----a-w- C:\windows\avastSS.scr
2014-12-09 19:14:09 122584 ----a-w- C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-12-08 22:51:28 0 ----a-w- C:\windows\SysWow64\sho6AD3.tmp
2014-11-22 03:06:23 2724864 ----a-w- C:\windows\System32\mshtml.tlb
2014-11-22 03:06:11 4096 ----a-w- C:\windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39 66560 ----a-w- C:\windows\System32\iesetup.dll
2014-11-22 02:50:10 580096 ----a-w- C:\windows\System32\vbscript.dll
2014-11-22 02:49:54 48640 ----a-w- C:\windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20 88064 ----a-w- C:\windows\System32\MshtmlDac.dll
2014-11-22 02:35:29 114688 ----a-w- C:\windows\System32\ieetwcollector.exe
2014-11-22 02:34:51 814080 ----a-w- C:\windows\System32\jscript9diag.dll
2014-11-22 02:34:07 6039552 ----a-w- C:\windows\System32\jscript9.dll
2014-11-22 02:26:31 968704 ----a-w- C:\windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44 2724864 ----a-w- C:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16 77824 ----a-w- C:\windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43 501248 ----a-w- C:\windows\SysWow64\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- C:\windows\SysWow64\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- C:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- C:\windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30 620032 ----a-w- C:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10 1359360 ----a-w- C:\windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58 2125312 ----a-w- C:\windows\System32\inetcpl.cpl
2014-11-22 01:40:04 60416 ----a-w- C:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- C:\windows\SysWow64\jscript9.dll
2014-11-22 01:28:21 2358272 ----a-w- C:\windows\System32\wininet.dll
2014-11-22 01:22:49 2052096 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- C:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- C:\windows\SysWow64\wininet.dll
2014-11-19 04:31:16 1217192 ----a-w- C:\windows\SysWow64\FM20.DLL
2014-10-25 01:57:59 77824 ----a-w- C:\windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\windows\SysWow64\packager.dll
2014-10-18 02:05:23 861696 ----a-w- C:\windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll
.
============= FINISH: 17:04:27.29 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 28/08/2012 11:58:40
System Uptime: 04/01/2015 08:07:10 (225 hours ago)
.
Motherboard: Type2 - Board Vendor Name1 | | Type2 - Board Product Name1
Processor: Intel(R) Celeron(R) CPU B820 @ 1.70GHz | U3E1 | 799/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 281 GiB total, 113.192 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP153: 20/12/2014 13:05:09 - Windows Update
RP154: 20/12/2014 19:59:06 - avast! antivirus system restore point
RP155: 20/12/2014 20:03:44 - Device Driver Package Install: Avast Network Service
RP156: 24/12/2014 10:10:57 - Windows Update
RP157: 24/12/2014 13:08:04 - Windows Update
RP158: 27/12/2014 10:12:21 - Windows Update
RP159: 29/12/2014 00:40:34 - Windows Update
RP160: 29/12/2014 20:48:01 - avast! antivirus system restore point
RP161: 29/12/2014 23:07:30 - Windows Update
RP162: 31/12/2014 13:38:44 - Windows Update
RP163: 01/01/2015 01:35:10 - Windows Update
RP164: 04/01/2015 00:48:11 - Windows Update
RP165: 05/01/2015 12:19:51 - Windows Update
RP166: 06/01/2015 12:23:47 - Windows Update
RP167: 07/01/2015 11:39:22 - Windows Update
RP168: 08/01/2015 07:52:23 - Windows Update
RP169: 13/01/2015 15:17:43 - Windows Update
.
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 11 ActiveX 64-bit
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader X (10.1.13) MUI
Adobe Refresh Manager
Adobe Shockwave Player 12.1
Adobe Stock Photos 1.0
Andica SA800 Partnership 2013
ArcSoft MediaImpression
Avast Free Antivirus
BBC iPlayer Desktop
Canon MG4100 series MP Drivers
CCleaner
CR2 Converter
D3DX10
Definition Update for Microsoft Office 2010 (KB2910899) 32-Bit Edition
Desktop Icon für Amazon
Dropbox
Epson Copy Utility 3.4
Epson Event Manager
EPSON PERFECTION V30_V300 PHOTO Manual
EPSON Scan
Google Chrome
Google Update Helper
High-Definition Video Playback
Intel(R) Manageability Engine Firmware Recovery Agent
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Intel(R) USB 3.0 eXtensible Host Controller Driver
Intel® Trusted Connect Service Client
Java Auto Updater
Java(TM) 6 Update 30
Junk Mail filter update
Malwarebytes Anti-Malware version 2.0.2.1012
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Mouse and Keyboard Center
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MSVCRT
MSVCRT_amd64
Nero 11 Essentials
Nero 11 Kwik Themes Basic
Nero BackItUp 11
Nero BackItUp 11 Help (CHM)
Nero BurnRights 11
Nero BurnRights 11 Help (CHM)
Nero ControlCenter 11
Nero ControlCenter 11 Help (CHM)
Nero Core Components 11
Nero Express 11
Nero Express 11 Help (CHM)
Nero Kwik Media
Nero Kwik Media Help (CHM)
Nero RescueAgent 11
Nero RescueAgent 11 Help (CHM)
Nero Update
nero.prerequisites.msi
PlayReady PC Runtime amd64
Premium Sound HD
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for Microsoft .NET Framework 4.5.1 (KB2894854v2)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972107)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972216)
Security Update for Microsoft .NET Framework 4.5.1 (KB2978128)
Security Update for Microsoft .NET Framework 4.5.1 (KB2979578v2)
Security Update for Microsoft Excel 2010 (KB2910902) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553154) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2899519) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
SketchUp 2013
Skype™ 6.16
Sony Mobile Update Engine
Sony PC Companion 2.10.211
Spotify
swMSM
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA Disc Creator
TOSHIBA eco Utility
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
Toshiba Manuals
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA Online Product Information
TOSHIBA PC Health Monitor
TOSHIBA Places Icon Utility
TOSHIBA Recovery Media Creator
TOSHIBA Recovery Media Creator Reminder
TOSHIBA Resolution+ Plug-in for Windows Media Player
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA TEMPRO
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Excel 2010 (KB2589348) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553140) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589386) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597089) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687275) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837602) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
Update for Microsoft Office 2010 (KB2883019) 32-Bit Edition
Update for Microsoft Office 2010 (KB2889818) 32-Bit Edition
Update for Microsoft Office 2010 (KB2889828) 32-Bit Edition
Update for Microsoft Office 2010 (KB2910896) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2597088) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2880517) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
welcome
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotogalleri
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Liven asennustyökalu
Windows Liven sähköposti
Windows Liven valokuvavalikoima
.
==== Event Viewer Messages From Past Week ========
.
08/01/2015 21:17:41, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WinDefend service.
08/01/2015 08:18:25, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800b0100: Security Update for Windows 7 for x64-based Systems (KB3003743).
08/01/2015 08:03:30, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800b0100: Security Update for Windows 7 for x64-based Systems (KB3011780).
08/01/2015 07:51:09, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.
08/01/2015 07:51:09, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
06/01/2015 13:01:50, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HomeGroupListener service.
.
==== End Of File ===========================
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Cypher » January 15th, 2015, 10:45 am

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at one help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
    Remember, absence of symptoms does not mean the infection is all gone.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions if possible; your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start


Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Next.

I need you to run further scans for me.
Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.
Important: Save all tools I ask you to download to your Desktop; if you don't know how to do this, just ask.




Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Right-click on adwcleaner.exe and select "Run as administrator" to run it.
  • Click on Scan.
  • When the scan has finished, uncheck any entries you don't want to remove, then click on Clean.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Next.

Please download FRST ... by Farbar, from the link below and save it to your Desktop.

For 32 bit Systems

For 64 bit Systems

  • Right-click FRST.exe and select "Run as administrator" to run it.
  • When the tool opens click Yes to the disclaimer.
  • Press Scan button. ... When finished a log will be created, FRST.txt.
  • Please post the content of the FRST.txt in your next reply.
  • The first time the tool is run, it will create another log... Addition.txt.
  • Please post the content of the Addition.txt in your next reply.

Logs/Information to Post in your Next Reply

  • AdwCleaner log.
  • FRST.txt and Addition.txt contents.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
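Added example (not part of any post in this thread, and not Cypher's or Farbar's code): a small Python triage pass over FRST.txt-style lines, for anyone reading a log of the kind requested above. It flags the four things worth looking at first in output like the FRST log Knoxy posts later in this thread: a ProxyServer entry that points at 127.0.0.1 (every http and https request from that user's browser is handed to a local process, which is how page-rewriting adware gets its ads into sites), processes and services with an empty publisher field, services FRST marks [File not signed], and the per-user Group Policy restriction FRST flags with ATTENTION. The sample lines in the block are copied from that log, with two clean Avast lines kept for contrast; the regexes are written against those line formats and are assumed, not verified, to hold for other FRST versions. The output is a starting point for a human, not a verdict: an empty publisher means FRST found no company string in the file's version info, not that the file is malicious.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Line formats as they appear in this thread's FRST log. Assumption: other
# FRST versions print the same shapes.
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)(?P<flags>.*)$"
)
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>S-[\d-]+)\] => (?P<value>.+)$")
GPO_RE = re.compile(r"^GroupPolicyUsers\\(?P<sid>S-[\d-]+)\\User: Group Policy restriction detected")

# Constructed sample: lines copied from the FRST log posted in this thread,
# plus two clean Avast lines so the parser has something benign to ignore.
SAMPLE_FRST = r"""
() C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
GroupPolicyUsers\S-1-5-21-1759270380-2726829519-464816427-1003\User: Group Policy restriction detected <======= ATTENTION
ProxyEnable: [S-1-5-21-1759270380-2726829519-464816427-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1759270380-2726829519-464816427-1000] => http=127.0.0.1:9880;https=127.0.0.1:9880
R2 SchistEechinels; C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe [4383192 2014-10-27] ()
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-11-19] (Adobe Systems) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-09] (AVAST Software)
"""


def is_loopback(host: str) -> bool:
    """True for hosts that name the local machine without any DNS lookup."""
    h = host.strip("[]").lower()
    return h in ("localhost", "::1") or h.startswith("127.")


def parse_proxy(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split an IE ProxyServer value into (scheme, host, port) triples.

    Accepts the bare 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form seen in this thread's log.
    A missing scheme is reported as '*'."""
    triples = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given at all
            host, port = hostport, ""
        triples.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return triples


def triage_frst(text: str) -> List[Dict[str, str]]:
    """Return one finding per FRST line an analyst should look at first."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            local = [t for t in parse_proxy(m.group("value")) if is_loopback(t[1])]
            if local:  # browser traffic is being routed through a local listener
                schemes = ",".join(t[0] for t in local)
                ports = ",".join(str(t[2]) for t in local)
                findings.append({"kind": "loopback-proxy", "subject": m.group("sid"),
                                 "detail": f"{schemes} traffic for this user goes to a local "
                                           f"listener on port(s) {ports}; identify the process "
                                           f"bound there (netstat -ano) before trusting any page"})
            continue
        m = GPO_RE.match(line)
        if m:
            findings.append({"kind": "gpo-restriction", "subject": m.group("sid"),
                             "detail": "per-user Group Policy restriction; check what it locks down"})
            continue
        m = SERVICE_RE.match(line)
        if m:
            if not m.group("publisher").strip():
                findings.append({"kind": "no-publisher-service", "subject": m.group("name"),
                                 "detail": m.group("path")})
            if "[File not signed]" in m.group("flags"):
                findings.append({"kind": "unsigned-service", "subject": m.group("name"),
                                 "detail": m.group("path")})
            continue
        m = PROCESS_RE.match(line)
        if m and not m.group("publisher").strip():
            findings.append({"kind": "no-publisher-process",
                             "subject": m.group("path").rsplit("\\", 1)[-1],
                             "detail": m.group("path")})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind for a one-line overview of the log."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = triage_frst(SAMPLE_FRST)
    for f in found:
        print(f"[{f['kind']}] {f['subject']}: {f['detail']}")
    print(summarize(found))
```

Run it as-is to see the findings for the sample; to use it on a real log, pass the text of FRST.txt to triage_frst. The loopback-proxy check is the one that explains the symptom in the first post: with http and https both pointed at a local port, whatever listens there can rewrite every page before the browser renders it.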

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 7:22 am

# AdwCleaner v4.107 - Report created 16/01/2015 at 10:50:46
# Updated 07/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : C850-13D - C850-13D-TOSH
# Running from : C:\Users\C850-13D\Downloads\adwcleaner_4.107.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\windows\SysWOW64\SearchProtect
Folder Deleted : C:\Users\Aiden\AppData\Roaming\GetPrivate
Folder Deleted : C:\Users\Aiden\Documents\Updater
Folder Deleted : C:\Users\C850-13D\AppData\Roaming\DesktopIconForAmazon
Folder Deleted : C:\Users\C850-13D\AppData\Roaming\NCH Software
Folder Deleted : C:\Users\C850-13D\Documents\Optimizer Pro
Folder Deleted : C:\Users\C850-13D\Documents\Updater
Folder Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi
File Deleted : C:\END
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_inst.shoppingate.info_0.localstorage
File Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_inst.shoppingate.info_0.localstorage
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_inst.shoppingate.info_0.localstorage-journal
File Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_inst.shoppingate.info_0.localstorage-journal
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markable00.re-markable.net_0.localstorage
File Deleted : C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markable00.re-markable.net_0.localstorage-journal

***** [ Scheduled Tasks ] *****

Task Deleted : Optimizer Pro Schedule
Task Deleted : pricemeterdownloader

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Nosibay
Key Deleted : HKCU\Software\OCS
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\Red Sky
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Store
Key Deleted : HKCU\Software\UpdateFiles
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\PriceMeterLiveUpdate
Key Deleted : [x64] HKLM\SOFTWARE\AllDaySavings
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Google Chrome v39.0.2171.99

[C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
[C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [6767 octets] - [16/01/2015 10:45:16]
AdwCleaner[S0].txt - [6371 octets] - [16/01/2015 10:50:46]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6431 octets] ##########
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 7:26 am

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2015 01
Ran by C850-13D (administrator) on C850-13D-TOSH on 16-01-2015 11:16:16
Running from C:\Users\C850-13D\Desktop
Loaded Profiles: C850-13D (Available profiles: C850-13D & Aiden)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Windows\System32\GFNEXSrv.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
() C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe
() C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
() C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\Teco.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Toshiba Europe GmbH) C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Toshiba) C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12459112 2012-03-16] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound HD] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2165120 2012-03-22] (SRS Labs, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2866960 2011-12-19] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-09-23] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [989056 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1548208 2011-11-24] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-11-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba TEMPRO] => C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe [1546720 2011-02-10] (Toshiba Europe GmbH)
HKLM\...\Run: [Toshiba Registration] => C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe [150992 2012-05-11] (Toshiba Europe GmbH)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-05] (Intel Corporation)
HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-12] (TOSHIBA Corporation)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [591696 2008-05-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-13] (AVAST Software)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-19\...\Run: [TOPI.EXE] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe [846936 2011-05-16] (TOSHIBA)
HKU\S-1-5-20\...\Run: [TOPI.EXE] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe [846936 2011-05-16] (TOSHIBA)
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\Run: [Sony PC Companion] => C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe [466656 2014-05-23] (Sony)
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\RunOnce: [Uninstall C:\Users\C850-13D\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] => C:\windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\C850-13D\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\MountPoints2: {2e2deb75-19e1-11e3-93a8-4c72b95e2e70} - F:\Startme.exe
HKU\S-1-5-18\...\Run: [TOPI.EXE] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe [846936 2011-05-16] (TOSHIBA)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Toshiba Places Icon Utility.lnk
ShortcutTarget: Toshiba Places Icon Utility.lnk -> C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe (Toshiba)
Startup: C:\Users\C850-13D\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
GroupPolicyUsers\S-1-5-21-1759270380-2726829519-464816427-1003\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-1759270380-2726829519-464816427-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1759270380-2726829519-464816427-1000] => http=127.0.0.1:9880;https=127.0.0.1:9880
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=TEUA
SearchScopes: HKLM -> {9C1772B2-4892-43ED-8CB9-B1AF91349FAA} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TEUA;
SearchScopes: HKLM-x32 -> {9C1772B2-4892-43ED-8CB9-B1AF91349FAA} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TEUA;
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1759270380-2726829519-464816427-1000 -> {9C1772B2-4892-43ED-8CB9-B1AF91349FAA} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TEUA_enGB552
SearchScopes: HKU\S-1-5-21-1759270380-2726829519-464816427-1000 -> {DFFE8A11-91B2-4C0B-B612-E6E0D477577E} URL = http://uk.search.yahoo.com/search?fr=mc ... A011GB0&p={SearchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll No File
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
Toolbar: HKU\S-1-5-21-1759270380-2726829519-464816427-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @Nero.com/KM -> C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2013-09-26]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-08-27]

Chrome:
=======
CHR Profile: C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (GrooveShark JukeBox) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjgmfagolojoigoigjcadgnpcbnlcofa [2014-09-02]
CHR Extension: (Adblock Plus) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-08-29]
CHR Extension: (SiteAdvisor) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2013-09-26]
CHR Extension: (AdBlock) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-09-02]
CHR Extension: (avast! Online Security) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-08-29]
CHR Extension: (Dictionary Instant) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\hngaklbjlbjhmoilkegninbmpfigheol [2014-09-02]
CHR Extension: (Grooveplayer) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnimbhddlpolciagcmencndhlpepbdcm [2014-09-02]
CHR Extension: (Phone Place) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\khkfnlkbaknalfgfmnnabbeebffplgmn [2014-09-02]
CHR Extension: (Music for every moment - Spotify) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhfhbkmihfcbjcoimalmefbkbbepaloj [2014-09-02]
CHR Extension: (Universal Unit Converter) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafkejlpknmikohhgdelefdeeieplkog [2014-09-02]
CHR Extension: (Google Wallet) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-06]
CHR Extension: (Google Chrome to Phone Extension) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\oadboiipflhobonjjffjbfekfjcgkhco [2014-09-02]
CHR Profile: C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-29]
CHR Extension: (AdBlock) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-10-01]
CHR Extension: (Avast Online Security) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-09-29]
CHR Extension: (Google Wallet) - C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-29]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2014-08-27]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-09]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-11-19] (Adobe Systems) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-09] (AVAST Software)
R2 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-10] ()
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
R2 SchistEechinels; C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe [4383192 2014-10-27] ()
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [112080 2011-02-10] (Toshiba Europe GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-12-09] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-12-09] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-12-09] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-12-09] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-12-09] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-12-09] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-12-09] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-12-09] ()
S3 MFE_RR; \??\C:\Users\C850-13D\AppData\Local\Temp\mfe_rr.sys [X]
S3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-16 11:16 - 2015-01-16 11:17 - 00022554 _____ () C:\Users\C850-13D\Desktop\FRST.txt
2015-01-16 11:15 - 2015-01-16 11:16 - 00000000 ____D () C:\FRST
2015-01-16 11:06 - 2015-01-16 11:06 - 02125312 _____ (Farbar) C:\Users\C850-13D\Desktop\FRST64.exe
2015-01-16 10:44 - 2015-01-16 10:50 - 00000000 ____D () C:\AdwCleaner
2015-01-16 10:41 - 2015-01-16 10:42 - 02191360 _____ () C:\Users\C850-13D\Desktop\adwcleaner_4.107.exe
2015-01-16 10:29 - 2015-01-16 10:29 - 00000207 _____ () C:\windows\tweaking.com-regbackup-C850-13D-TOSH-Microsoft-Windows-7-Home-Premium-(64-bit).dat
2015-01-16 10:21 - 2015-01-16 10:21 - 00000000 ____D () C:\RegBackup
2015-01-16 10:16 - 2015-01-16 10:16 - 00002246 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-01-16 10:16 - 2015-01-16 10:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-01-16 10:16 - 2015-01-16 10:16 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2015-01-16 10:10 - 2015-01-16 10:14 - 04215584 _____ () C:\Users\C850-13D\Downloads\tweaking.com_registry_backup_setup.exe
2015-01-15 14:36 - 2015-01-15 14:36 - 00001109 _____ () C:\Users\C850-13D\Documents - Shortcut.lnk
2015-01-15 12:22 - 2015-01-15 12:22 - 00063225 _____ () C:\Users\C850-13D\Desktop\SA Tax Return - DGAFA7TZ44VEIQJBQQ6M5R2GNJBLYW2I.html
2015-01-15 10:10 - 2015-01-15 10:10 - 00000000 ___DC () C:\Users\C850-13D\AppData\Local\MigWiz
2015-01-14 15:20 - 2014-12-19 03:06 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-14 15:20 - 2014-12-19 01:46 - 00141312 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-14 15:20 - 2014-12-11 17:47 - 00052736 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-14 15:20 - 2014-12-06 04:17 - 00303616 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-14 15:20 - 2014-12-06 03:50 - 00156672 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncsi.dll
2015-01-14 15:20 - 2014-12-06 03:50 - 00052224 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-14 15:19 - 2014-12-12 05:35 - 05553592 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-01-14 15:19 - 2014-12-12 05:31 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-01-14 15:19 - 2014-12-12 05:31 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-01-14 15:19 - 2014-12-12 05:31 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-01-14 15:19 - 2014-12-12 05:11 - 03971512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-01-14 15:19 - 2014-12-12 05:11 - 03916728 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-01-14 15:19 - 2014-12-12 05:07 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-01-14 08:45 - 2015-01-16 10:53 - 00001020 _____ () C:\windows\setupact.log
2015-01-14 08:45 - 2015-01-14 08:45 - 00000000 _____ () C:\windows\setuperr.log
2015-01-13 17:04 - 2015-01-13 17:04 - 00022610 _____ () C:\Users\C850-13D\Desktop\dds.txt
2015-01-13 17:04 - 2015-01-13 17:04 - 00010577 _____ () C:\Users\C850-13D\Desktop\attach.txt
2015-01-13 16:57 - 2015-01-13 17:00 - 00688992 ____R (Swearware) C:\Users\C850-13D\Downloads\dds.scr
2014-12-29 20:51 - 2014-12-29 20:51 - 00001975 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2014-12-29 20:51 - 2014-12-09 19:41 - 00364512 _____ (AVAST Software) C:\windows\system32\aswBoot.exe
2014-12-24 13:33 - 2014-12-24 13:33 - 00000000 ____D () C:\windows\system32\appraiser
2014-12-24 13:32 - 2014-12-13 05:09 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-12-24 13:32 - 2014-12-13 03:33 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-12-24 11:04 - 2014-12-24 11:04 - 00003886 _____ () C:\windows\System32\Tasks\Adobe Acrobat Update Task
2014-12-24 10:44 - 2014-12-04 02:50 - 00830976 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2014-12-24 10:44 - 2014-12-04 02:50 - 00741376 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2014-12-24 10:44 - 2014-12-04 02:50 - 00413184 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2014-12-24 10:44 - 2014-12-04 02:50 - 00396800 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2014-12-24 10:44 - 2014-12-04 02:50 - 00227328 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-12-24 10:44 - 2014-12-04 02:50 - 00192000 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2014-12-24 10:44 - 2014-12-04 02:44 - 01083392 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-12-24 10:44 - 2014-12-01 23:28 - 01232040 _____ (Microsoft Corporation) C:\windows\system32\aitstatic.exe
2014-12-20 20:08 - 2014-12-20 20:08 - 00000000 ____D () C:\Users\Aiden\AppData\Local\{BEC37D48-B533-45E9-B464-26E6007D256C}
2014-12-20 20:04 - 2014-12-20 20:05 - 00000000 ____D () C:\f0eab5caa9a299b916
2014-12-20 19:56 - 2014-12-20 19:56 - 00000000 ____D () C:\found.004
2014-12-18 21:35 - 2014-12-18 21:35 - 00000000 ____D () C:\3d9149fed620b51bb1647bbf8e82
2014-12-18 21:23 - 2014-10-18 02:05 - 04121600 _____ (Microsoft Corporation) C:\windows\system32\mf.dll
2014-12-18 21:23 - 2014-10-18 01:33 - 03209728 _____ (Microsoft Corporation) C:\windows\SysWOW64\mf.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-16 11:05 - 2012-06-15 18:57 - 01923697 _____ () C:\windows\WindowsUpdate.log
2015-01-16 11:03 - 2009-07-14 04:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-16 11:03 - 2009-07-14 04:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-16 10:55 - 2014-08-27 15:55 - 00004182 _____ () C:\windows\System32\Tasks\avast! Emergency Update
2015-01-16 10:54 - 2012-06-15 19:00 - 00000828 _____ () C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-01-16 10:53 - 2014-08-27 17:31 - 00036086 _____ () C:\windows\PFRO.log
2015-01-16 10:53 - 2012-05-11 18:52 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-16 10:53 - 2012-05-11 18:47 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-01-16 10:53 - 2009-07-14 05:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-16 10:38 - 2014-05-08 19:13 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf6af19244d1f2.job
2015-01-15 19:04 - 2009-07-14 05:13 - 00783400 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-15 15:44 - 2014-02-05 19:55 - 00760320 ___SH () C:\Users\C850-13D\Downloads\Thumbs.db
2015-01-15 14:36 - 2012-08-28 10:58 - 00000000 ____D () C:\Users\C850-13D
2015-01-15 13:53 - 2012-06-15 19:00 - 00000830 _____ () C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-01-14 23:11 - 2013-09-28 07:20 - 00000000 ____D () C:\windows\system32\MRT
2015-01-14 23:01 - 2013-09-28 07:20 - 113365784 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-01-14 18:56 - 2014-09-22 16:18 - 00000000 ____D () C:\Users\Aiden\AppData\Roaming\Spotify
2015-01-13 15:57 - 2014-10-10 17:47 - 00000000 ____D () C:\found.002
2015-01-13 14:44 - 2014-09-23 20:06 - 00000000 ____D () C:\Users\Aiden\AppData\Local\Spotify
2015-01-06 04:36 - 2010-11-21 03:27 - 00298120 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2015-01-04 15:12 - 2013-10-12 17:55 - 00000000 ____D () C:\Users\C850-13D\AppData\Roaming\Spotify
2014-12-29 20:55 - 2014-12-09 19:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2014-12-27 10:51 - 2013-10-12 18:01 - 00000000 ____D () C:\Users\C850-13D\AppData\Local\Spotify
2014-12-24 19:00 - 2014-08-30 08:24 - 00000000 ____D () C:\Users\Aiden
2014-12-24 19:00 - 2009-07-14 03:20 - 00000000 ____D () C:\windows\registration
2014-12-24 13:33 - 2014-05-06 22:57 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-12-24 13:29 - 2013-09-09 07:14 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-24 00:55 - 2009-07-14 05:08 - 00032608 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2014-12-20 12:53 - 2009-07-14 03:20 - 00000000 ____D () C:\windows\PolicyDefinitions

Some content of TEMP:
====================
C:\Users\Aiden\AppData\Local\Temp\ICReinstall_adobe-photoshop-cs5.exe
C:\Users\C850-13D\AppData\Local\Temp\Quarantine.exe
C:\Users\C850-13D\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-06 16:11

==================== End Of Log ============================
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm
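The FRST output above is what a helper reads by hand: service, driver, loaded-module and MSCONFIG lines whose publisher field is empty `()`, that FRST marks `[File not signed]` or `[X]` (file not found at the listed path), or that run from a user profile or Temp folder, and then any folder that collects several such hits. The script below is an added example written for this thread, not part of the original post and not a tool from Farbar; the function names, the `Finding` record and the `NAME_HINTS` keyword heuristic are this example's own assumptions, and `SAMPLE_LINES` is a small set of lines copied verbatim from the log above.

```python
"""Triage a few FRST log line formats and flag what a helper looks at first.
Added example for this thread; not FRST's own code. Line formats are as they
appear in FRST.txt above; everything else (names, heuristics) is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "R2 name; path [size date] (Publisher)" or "... [X]" when the file is missing
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?:(?P<size>\d+) (?P<date>[\d-]+)|(?P<missing>X))\]"
    r"(?: \((?P<pub>[^)]*)\))?(?P<rest>.*)$"
)
# Loaded Modules / file listing: "created - modified - size attrs (Publisher) path"
MODULE_RE = re.compile(
    r"^(?P<d1>[\d-]+ [\d:]+) - (?P<d2>[\d-]+ [\d:]+) - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<pub>[^)]*)\) (?P<path>.+)$"
)
STARTUP_RE = re.compile(r"^MSCONFIG\\startupreg: (?P<name>.+?) => (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|scr))"?', re.IGNORECASE)
# Heuristic (assumption, not from the log): ad injectors often ship a local proxy.
NAME_HINTS = ("proxy",)

@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: list = field(default_factory=list)

def _norm(path):
    """Strip the NT object prefix FRST shows on some driver paths."""
    return path[4:] if path.startswith("\\??\\") else path

def _check_path(path, publisher, rest=""):
    reasons = []
    if publisher is not None and publisher.strip() == "":
        reasons.append("no publisher/version info")
    if "[File not signed]" in rest:
        reasons.append("file not signed")
    low = path.lower()
    if "\\users\\" in low and ("\\appdata\\" in low or "\\temp\\" in low):
        reasons.append("runs from a user profile/Temp location")
    base = low.rsplit("\\", 1)[-1]
    if any(h in base for h in NAME_HINTS):
        reasons.append("file name suggests traffic interception")
    return reasons

def parse_line(line):
    """Return a Finding for one FRST line, or None if it is clean or unrecognised."""
    m = SERVICE_RE.match(line)
    if m:
        path = _norm(m.group("path"))
        reasons = _check_path(path, m.group("pub"), m.group("rest") or "")
        if m.group("missing"):
            reasons.append("file not found on disk ([X])")
        return Finding("service/driver", m.group("name"), path, reasons) if reasons else None
    m = MODULE_RE.match(line)
    if m:
        path = m.group("path")
        reasons = _check_path(path, m.group("pub"))
        return Finding("loaded module", path.rsplit("\\", 1)[-1], path, reasons) if reasons else None
    m = STARTUP_RE.match(line)
    if m:
        e = EXE_RE.match(m.group("cmd"))
        path = e.group("path") if e else m.group("cmd")
        reasons = _check_path(path, None)  # MSCONFIG lines carry no publisher field
        return Finding("disabled startup", m.group("name"), path, reasons) if reasons else None
    return None

def triage(lines):
    return [f for f in (parse_line(l) for l in lines) if f]

def cluster_by_directory(findings):
    """Folders holding two or more flagged files; the strongest signal in this log."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.path.rsplit("\\", 1)[0].lower()].append(f)
    return {d: fs for d, fs in groups.items() if len(fs) >= 2}

SAMPLE_LINES = [  # copied from the FRST.txt posted above
    r"R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-09] (AVAST Software)",
    r"R2 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-10] ()",
    r"S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-11-19] (Adobe Systems) [File not signed]",
    r"R2 SchistEechinels; C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe [4383192 2014-10-27] ()",
    r"S3 MFE_RR; \??\C:\Users\C850-13D\AppData\Local\Temp\mfe_rr.sys [X]",
    r"2014-10-27 08:56 - 2014-10-27 08:56 - 00417752 _____ () C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe",
    r"2014-10-27 11:21 - 2014-10-27 11:21 - 00160728 ____R () C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe",
    r"2014-12-09 19:40 - 2014-12-09 19:40 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll",
    r'MSCONFIG\startupreg: Obrona Block Ads => "C:\Users\C850-13D\AppData\Local\Obrona Block Ads\ObronaBlockAds.exe" --hidden',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"[{f.kind}] {f.name}: {'; '.join(f.reasons)}")
    for d, fs in cluster_by_directory(found).items():
        print(f"cluster: {d} ({len(fs)} flagged files)")
```

An empty publisher field is a triage signal, not a verdict: the Loaded Modules section lists files without version information by design, so single hits like `libcef.dll` or `GFNEXSrv.exe` are expected. What stands out in this log is the folder that combines a service with no publisher, a helper executable and an `HttpsProxy.exe`, plus the Obrona entry launching `--hidden` from the user's AppData, and the clustering step surfaces exactly that.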

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 7:28 am

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-01-2015 01
Ran by C850-13D at 2015-01-16 11:17:54
Running from C:\Users\C850-13D\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 6.0 Sprint (HKLM-x32\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1395.4512 - ABBYY Software House)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.0.3.13070 - Adobe Systems Inc.)
Adobe Flash Player 11 ActiveX 64-bit (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.2.202.228 - Adobe Systems Incorporated)
Adobe Photoshop CS2 (HKLM-x32\...\Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}) (Version: 9.0 - Adobe Systems, Inc.)
Adobe Reader X (10.1.13) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
ArcSoft MediaImpression (HKLM-x32\...\{531F0013-964C-4BE6-B382-4117DC8BCDF9}) (Version: - ArcSoft)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
BBC iPlayer Desktop (HKLM-x32\...\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1) (Version: 3.0.7 - British Broadcasting Corp.)
BBC iPlayer Desktop (x32 Version: 3.0.7 - British Broadcasting Corp.) Hidden
Canon MG4100 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG4100_series) (Version: - )
CCleaner (HKLM\...\CCleaner) (Version: 4.06 - Piriform)
CR2 Converter (HKLM-x32\...\{775F32A5-7BA0-4717-89D0-32B3EC25B2C9}_is1) (Version: - cr2converter.com)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dropbox (HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\Dropbox) (Version: 2.6.24 - Dropbox, Inc.)
Epson Copy Utility 3.4 (HKLM-x32\...\{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}) (Version: 3.4.0.0 - )
Epson Event Manager (HKLM-x32\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.01.00 - SEIKO EPSON Corporation)
EPSON PERFECTION V30_V300 PHOTO Manual (HKLM-x32\...\EPSON PERFECTION V30_V300 PHOTO User’s Guide) (Version: - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version: - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.99 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
High-Definition Video Playback (x32 Version: 11.1.10500.2.65 - Nero AG) Hidden
Intel(R) Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{A6C48A9F-694A-4234-B3AA-62590B668927}) (Version: 1.0.0.35342 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.3.1427 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2712 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.1.209 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java(TM) 6 Update 30 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216030FF}) (Version: 6.0.300 - Oracle)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.2.173.0 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Nero 11 Essentials (HKLM-x32\...\{F8635CF8-B797-4EFD-80BC-DE2D26C65D4F}) (Version: 11.0.00300 - Nero AG)
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
Premium Sound HD (HKLM\...\{3007FF9F-5B2C-41FF-8BFC-08BF25DB2681}) (Version: 1.12.1800 - SRS Labs, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6597 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7601.30130 - Realtek Semiconductor Corp.)
Realtek WLAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4fed-B2B9-173001290E16}) (Version: 2.00.0016 - REALTEK Semiconductor Corp.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
SketchUp 2013 (HKLM-x32\...\{B75BC01B-4586-43F8-9349-D250DB98F26F}) (Version: 13.0.4812 - Trimble Navigation Limited)
Skype™ 6.16 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.16.105 - Skype Technologies S.A.)
Sony Mobile Update Engine (HKLM-x32\...\Update Engine) (Version: 2.13.13.201311080941 - Sony Mobile Communications AB)
Sony PC Companion 2.10.211 (HKLM-x32\...\{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}) (Version: 2.10.211 - Sony)
Spotify (HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\Spotify) (Version: 0.9.15.27.g87efe634 - Spotify AB)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.38.2 - Synaptics Incorporated)
TOSHIBA Assist (HKLM-x32\...\{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}) (Version: 4.2.3.0 - TOSHIBA CORPORATION)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.1.0.11 for x64 - TOSHIBA Corporation)
TOSHIBA eco Utility (HKLM\...\{2C486987-D447-4E36-8D61-86E48E24199C}) (Version: 1.3.10.64 - TOSHIBA Corporation)
TOSHIBA Hardware Setup (HKLM-x32\...\{2FD5D2C5-A7A1-4065-89BA-90542BF7CCD3}) (Version: 2.00.0020 - TOSHIBA)
TOSHIBA HDD/SSD Alert (HKLM\...\{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.64.11 - TOSHIBA Corporation)
Toshiba Manuals (HKLM-x32\...\{90FF4432-21B7-4AF6-BA6E-FB8C1FED9173}) (Version: 10.04 - TOSHIBA)
TOSHIBA Media Controller (HKLM-x32\...\{C7A4F26F-F9B0-41B2-8659-99181108CDE3}) (Version: 1.0.87.5 - TOSHIBA CORPORATION)
TOSHIBA Media Controller Plug-in (HKLM-x32\...\{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}) (Version: 1.0.7.7 - TOSHIBA CORPORATION)
TOSHIBA Online Product Information (HKLM-x32\...\{2290A680-4083-410A-ADCC-7092C67FC052}) (Version: 4.01.0000 - TOSHIBA)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.7.15.64 - TOSHIBA Corporation)
TOSHIBA Places Icon Utility (HKLM-x32\...\{461F6F0D-7173-4902-9604-AB1A29108AF2}) (Version: 1.1.1.4 - TOSHIBA Corporation)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.6.52020009 - TOSHIBA CORPORATION)
TOSHIBA Recovery Media Creator Reminder (HKLM-x32\...\InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}) (Version: 1.00.0019 - TOSHIBA)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.1.2004 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM-x32\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.2.13 - TOSHIBA)
TOSHIBA Supervisor Password (HKLM-x32\...\{119826A8-4EF6-4BE5-A88B-D2D81FA7CEE2}) (Version: 2.00.0009 - TOSHIBA)
TOSHIBA TEMPRO (HKLM-x32\...\{F082CB11-4794-4259-99A1-D91BA762AD15}) (Version: 3.35 - Toshiba Europe GmbH)
TOSHIBA Value Added Package (HKLM-x32\...\InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}) (Version: 1.6.0021.640203 - TOSHIBA Corporation)
TOSHIBA Web Camera Application (HKLM-x32\...\InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}) (Version: 2.0.3.33 - TOSHIBA Corporation)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
welcome (x32 Version: 11.0.22500.0.0 - Nero AG) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1759270380-2726829519-464816427-1000_Classes\CLSID\{00000001-0E3A-4123-8B32-4B68A91E104A}\InprocServer32 -> C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIBasePlace.dll (Toshiba Corporation)
CustomCLSID: HKU\S-1-5-21-1759270380-2726829519-464816427-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\C850-13D\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1759270380-2726829519-464816427-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\C850-13D\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1759270380-2726829519-464816427-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\C850-13D\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1759270380-2726829519-464816427-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\C850-13D\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)

==================== Restore Points =========================

29-12-2014 23:07:30 Windows Update
31-12-2014 13:38:44 Windows Update
01-01-2015 01:35:10 Windows Update
04-01-2015 00:48:11 Windows Update
05-01-2015 12:19:51 Windows Update
06-01-2015 12:23:47 Windows Update
07-01-2015 11:39:22 Windows Update
08-01-2015 07:52:23 Windows Update
13-01-2015 15:17:43 Windows Update
14-01-2015 08:50:26 Windows Update
14-01-2015 23:00:29 Windows Update
15-01-2015 09:35:53 Windows Backup
15-01-2015 10:11:39 Windows Backup
15-01-2015 10:30:10 Windows Backup
15-01-2015 14:44:48 Removed Andica SA800 Partnership 2013.
15-01-2015 19:04:11 Windows Backup
16-01-2015 07:53:37 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 02:34 - 2009-06-10 21:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {085F1673-6C7C-4E85-B640-9178266F30A7} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {13428A3D-2E88-4AAC-A655-0E2946A2F6D6} - System32\Tasks\{136198FC-BFCE-4960-9CE2-A358D5A656BB} => pcalua.exe -a C:\Users\C850-13D\AppData\Local\Temp\{F5D068F6-608B-478A-9810-4EA94348BB83}\setup.exe -d "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117"
Task: {14D2EA99-61CB-4257-AB36-E63302D8ECE9} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2013-05-13] (Microsoft)
Task: {23894463-BCE2-47B8-8710-8A6184A264AC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {37AB40CC-6DA8-472B-8A61-B3B80B966380} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-09-19] (Piriform Ltd)
Task: {3B295987-97C8-4B1B-93FA-98480F106579} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2013-05-13] (Microsoft Corporation)
Task: {47CE91A9-D32A-4399-92E1-92FDC871C0C8} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {497F60B3-204F-402E-8B90-0044E59E5E69} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-12-09] (AVAST Software)
Task: {7253024E-5D34-4D67-8348-15F2DD758648} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2013-05-13] (Microsoft Corporation)
Task: {776A9BB9-C1E1-41D9-9ABD-129E401200B3} - System32\Tasks\Adobe Flash Player Updater
Task: {7F43191D-AE4A-4BDE-9143-E4A1F15A61A4} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2013-05-13] (Microsoft Corporation)
Task: {9EDFCD36-BFC9-441F-B9E6-380BB56E89DE} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {F6C240B7-AAEC-4701-BCA5-B8E8CAA0CDFF} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2013-05-13] (Microsoft Corporation)
Task: {F81C6AD9-BFDA-4BA1-B67B-D6A3E8D35F31} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {FD6E2650-3CC8-4885-9440-1E93B3C732E9} - System32\Tasks\GoogleUpdateTaskMachineUA1cf6af19244d1f2 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf6af19244d1f2.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe
Task: C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe

==================== Loaded Modules (whitelisted) =============

2012-06-15 19:18 - 2010-09-10 00:26 - 00162824 _____ () C:\Windows\System32\GFNEXSrv.exe
2012-06-15 18:59 - 2012-02-21 19:29 - 00128280 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
2014-07-22 20:04 - 2014-10-27 08:56 - 04383192 _____ () C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe
2014-10-27 08:56 - 2014-10-27 08:56 - 00417752 _____ () C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe
2014-10-27 11:21 - 2014-10-27 11:21 - 00160728 ____R () C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe
2011-08-22 22:19 - 2011-08-22 22:19 - 11204992 _____ () C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
2010-12-15 22:19 - 2010-12-15 22:19 - 00124320 _____ () C:\Program Files\TOSHIBA\TECO\MUIHelp.dll
2012-03-27 00:33 - 2012-03-27 00:33 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-05-11 18:36 - 2011-12-15 13:55 - 00063360 _____ () C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIInternal.XmlSerializers.dll
2011-11-26 01:51 - 2011-11-26 01:51 - 00079784 _____ () C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll
2015-01-15 22:14 - 2015-01-15 22:14 - 02910720 _____ () C:\Program Files\AVAST Software\Avast\defs\15011502\algo.dll
2015-01-16 10:54 - 2015-01-16 10:54 - 02911744 _____ () C:\Program Files\AVAST Software\Avast\defs\15011600\algo.dll
2014-03-07 18:56 - 2014-03-07 18:56 - 00117262 _____ () C:\Program Files (x86)\SchistEechinels\libgcc_s_dw2-1.dll
2014-03-07 18:56 - 2014-03-07 18:56 - 00970766 _____ () C:\Program Files (x86)\SchistEechinels\libstdc++-6.dll
2014-12-09 19:40 - 2014-12-09 19:40 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2012-06-15 18:59 - 2012-02-21 19:09 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-01-14 09:51 - 2015-01-09 00:35 - 01077064 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\libglesv2.dll
2015-01-14 09:51 - 2015-01-09 00:35 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\libegl.dll
2015-01-14 09:51 - 2015-01-09 00:35 - 09009480 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\pdf.dll
2015-01-14 09:51 - 2015-01-09 00:35 - 01677128 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\ffmpegsumo.dll
2015-01-14 09:51 - 2015-01-09 00:35 - 14913352 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Users^C850-13D^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: ArcSoft Connection Service => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
MSCONFIG\startupreg: Facebook Update => "C:\Users\C850-13D\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
MSCONFIG\startupreg: mcpltui_exe => "C:\Program Files\Common~1\McAfee\Platform\mcuicnt.exe" /platui /runkey
MSCONFIG\startupreg: NBAgent => "C:\Program Files (x86)\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart
MSCONFIG\startupreg: Obrona Block Ads => "C:\Users\C850-13D\AppData\Local\Obrona Block Ads\ObronaBlockAds.exe" --hidden
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: Wondershare Helper Compact.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-1759270380-2726829519-464816427-500 - Administrator - Disabled)
Aiden (S-1-5-21-1759270380-2726829519-464816427-1003 - Limited - Enabled) => C:\Users\Aiden
C850-13D (S-1-5-21-1759270380-2726829519-464816427-1000 - Administrator - Enabled) => C:\Users\C850-13D
Guest (S-1-5-21-1759270380-2726829519-464816427-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1759270380-2726829519-464816427-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/16/2015 10:53:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/15/2015 10:00:49 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: There is not enough space on this drive to save the backup. Free up space by deleting older backups and unnecessary data or change your backup settings. (0x81000005).

Error: (01/15/2015 08:55:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/14/2015 06:53:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/14/2015 08:45:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/08/2015 09:26:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SynTPEnh.exe, version: 15.3.38.2, time stamp: 0x4eef93f1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000008a00000025
Faulting process id: 0x1374
Faulting application start time: 0xSynTPEnh.exe0
Faulting application path: SynTPEnh.exe1
Faulting module path: SynTPEnh.exe2
Report Id: SynTPEnh.exe3

Error: (01/04/2015 08:08:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 11:47:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: spoolsv.exe, version: 6.1.7601.17777, time stamp: 0x4f35fc1d
Faulting module name: WSDCHNGR.DLL, version: 6.1.7601.17514, time stamp: 0x4ce7ca32
Exception code: 0xc0000005
Fault offset: 0x0000000000003d55
Faulting process id: 0x68c
Faulting application start time: 0xspoolsv.exe0
Faulting application path: spoolsv.exe1
Faulting module path: spoolsv.exe2
Report Id: spoolsv.exe3

Error: (01/02/2015 05:09:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/01/2015 00:27:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (01/16/2015 10:54:57 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (01/16/2015 10:53:45 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error:
%%2

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TOSHIBA HDD SSD Alert Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Application Virtualization Client service terminated unexpectedly. It has done this 1 time(s).

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Nero Update service terminated unexpectedly. It has done this 1 time(s).

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TPCH Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/16/2015 10:51:13 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Client Virtualization Handler service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (01/16/2015 10:53:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/15/2015 10:00:49 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: There is not enough space on this drive to save the backup. Free up space by deleting older backups and unnecessary data or change your backup settings. (0x81000005)

Error: (01/15/2015 08:55:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/14/2015 06:53:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/14/2015 08:45:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/08/2015 09:26:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: SynTPEnh.exe15.3.38.24eef93f1unknown0.0.0.000000000c00000050000008a00000025137401d027f5955b9882C:\Program Files\Synaptics\SynTP\SynTPEnh.exeunknownfca94113-977c-11e4-b045-4c72b95e2e70

Error: (01/04/2015 08:08:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 11:47:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: spoolsv.exe6.1.7601.177774f35fc1dWSDCHNGR.DLL6.1.7601.175144ce7ca32c00000050000000000003d5568c01d026aec0d5583dC:\windows\System32\spoolsv.exeC:\windows\system32\WSDCHNGR.DLLbb1e4214-92d9-11e4-8956-4c72b95e2e70

Error: (01/02/2015 05:09:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/01/2015 00:27:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: Intel(R) Celeron(R) CPU B820 @ 1.70GHz
Percentage of memory in use: 73%
Total physical RAM: 1937.8 MB
Available physical RAM: 517.09 MB
Total Pagefile: 3875.61 MB
Available Pagefile: 1800.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (TI30875400C) (Fixed) (Total:280.9 GB) (Free:117.54 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: B0DE4F87)
Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=280.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15.7 GB) - (Type=17)

==================== End Of Log ============================
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Cypher » January 16th, 2015, 7:56 am

Hi,

Please go to Virustotal or jotti.org

Navigate to the below file:
You might see a message saying this file has been analysed before; if you do, submit it to be reanalysed.
C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.

Now repeat the process for the following.
C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe

Please post the results in your next reply.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 9:38 am

Hi,

I hope this is the info you need.

https://www.virustotal.com/en/file/268f ... 421415056/
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 9:42 am

Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Cypher » January 16th, 2015, 10:30 am

Hi,
I hope this is the info you need.

Yes it was, good work.
Ok, let's start to clean up your computer.

Click Start > Control Panel > Uninstall a program.
Uninstall the following if present.
Adobe Reader X (10.1.13) MUI
Java(TM) 6 Update 30


Next.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: select all
    • (Click the select all button next to code to select the entire script).
    () C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe
    () C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe
    () C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe
    R2 SchistEechinels; C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe [4383192 2014-10-27] ()
    C:\Program Files (x86)\SchistEechinels
    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\MountPoints2: {2e2deb75-19e1-11e3-93a8-4c72b95e2e70} - F:\Startme.exe
    GroupPolicyUsers\S-1-5-21-1759270380-2726829519-464816427-1003\User: Group Policy restriction detected <======= ATTENTION
    ProxyEnable: [S-1-5-21-1759270380-2726829519-464816427-1000] => Internet Explorer proxy is enabled.
    ProxyServer: [S-1-5-21-1759270380-2726829519-464816427-1000] => http=127.0.0.1:9880;https=127.0.0.1:9880
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll No File
    BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
    BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL No File
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
    BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll No File
    Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
    Toolbar: HKU\S-1-5-21-1759270380-2726829519-464816427-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
    S3 MFE_RR; \??\C:\Users\C850-13D\AppData\Local\Temp\mfe_rr.sys [X]
    S3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [X]
    2014-12-20 20:04 - 2014-12-20 20:05 - 00000000 ____D () C:\f0eab5caa9a299b916
    2014-12-20 19:56 - 2014-12-20 19:56 - 00000000 ____D () C:\found.004
    2014-12-18 21:35 - 2014-12-18 21:35 - 00000000 ____D () C:\3d9149fed620b51bb1647bbf8e82
    2015-01-13 15:57 - 2014-10-10 17:47 - 00000000 ____D () C:\found.002
    C:\Users\Aiden\AppData\Local\Temp\ICReinstall_adobe-photoshop-cs5.exe
    C:\Users\C850-13D\AppData\Local\Temp\Quarantine.exe
    C:\Users\C850-13D\AppData\Local\Temp\sqlite3.dll
    
    EmptyTemp:
    CMD: ipconfig /flushdns
    
  • Save it next to FRST.exe on your Desktop as filename fixlist.txt
  • NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are saved in the same location or the fix will not work.
  • Right-click FRST.exe and select " Run as administrator " to run it.
  • Press the Fix button just once. Then wait.
  • When finished, it will create a Fixlog.txt log on your Desktop.
  • Please post the content of the Fixlog.txt in your next reply.

Next.

First please Disable any Antivirus you have active, as shown in This topic.
Note: Don't forget to re-enable it after the scan.

Next please download zoek.exe and save it to your desktop.
  • Close any open browsers.
  • Right click on zoek.exe and select " Run as administrator " to run it.
  • Please wait while the tool starts. It will appear to be doing nothing and may take a few seconds to come up.
  • Click the More Options button below the large panel and check the box:

    • Auto Clean
  • Click on Run script button
  • Please wait patiently (it may take a few minutes) until a log report opens (this may be after a reboot, if one is required).
  • Copy (Ctrl+C) and paste (Ctrl+V) the entire contents of the opened report back here.

    Note: It will also create a log in the C:\ directory named "zoek-results.log"

Logs/Information to Post in your Next Reply

  • FRST Fixlog.txt.
  • zoek-results.log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
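The fixlist above is built from a handful of FRST log patterns that, read together, identify this kind of adware: an Internet Explorer proxy pointed at the loopback interface (127.0.0.1:9880 for both http and https), a running service whose binary carries no company name, service entries whose driver file is missing, and browser helper objects and toolbars whose DLL no longer exists. The script below is an added example, written for this thread; it is not FRST's own code nor anything posted by Cypher or Knoxy. It parses a few constructed lines modelled on the fixlist (the ExampleSvc line is invented as a benign comparison) and flags those patterns so a helper can find them in a long log without reading every line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the FRST fixlist quoted in this thread.
# The ExampleSvc line is invented so the script has a benign service to compare
# against; the others mirror entries that appear in the thread.
SAMPLE_FRST_LINES = [
    r"R2 SchistEechinels; C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe [4383192 2014-10-27] ()",
    r"R2 ExampleSvc; C:\Program Files\Example\ExampleSvc.exe [12345 2014-01-01] (Example Vendor Ltd)",
    r"ProxyEnable: [S-1-5-21-1759270380-2726829519-464816427-1000] => Internet Explorer proxy is enabled.",
    r"ProxyServer: [S-1-5-21-1759270380-2726829519-464816427-1000] => http=127.0.0.1:9880;https=127.0.0.1:9880",
    r"BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File",
    r"S3 MFE_RR; \??\C:\Users\C850-13D\AppData\Local\Temp\mfe_rr.sys [X]",
]

# "R2 Name; path [size date] (Company)" -- the company field is taken from the
# file's version resource; an empty "()" means the binary carries none.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$"
)
# "S3 Name; path [X]" -- FRST marks a service whose file is missing with [X].
MISSING_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.+) \[X\]$")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>S-[\d-]+)\] => (?P<spec>.+)$")
BROWSER_PREFIXES = ("BHO", "Toolbar", "FF Plugin")


def parse_proxy_server(line: str) -> Dict[str, str]:
    """Return {scheme: host:port} from a ProxyServer line, or {} if it is not one.

    WinINET accepts either a single 'host:port' applied to every scheme or a
    ';'-separated list of 'scheme=host:port'; the single form is keyed '*'.
    """
    m = PROXY_RE.match(line)
    if not m:
        return {}
    proxies: Dict[str, str] = {}
    for part in m.group("spec").split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, hostport = part.split("=", 1)
            proxies[scheme.strip()] = hostport.strip()
        else:
            proxies["*"] = part
    return proxies


def is_loopback_proxy(hostport: str) -> bool:
    """True when the proxy host is the local machine (127/8, ::1, localhost)."""
    if hostport.startswith("["):            # bracketed IPv6, e.g. [::1]:9880
        host = hostport[1:].split("]", 1)[0]
    elif hostport.count(":") > 1:           # bare IPv6 address without a port
        host = hostport
    else:
        host = hostport.split(":", 1)[0]
    host = host.lower()
    return host == "localhost" or host == "::1" or host.startswith("127.")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag the log patterns that made this infection recognisable."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        for scheme, hostport in parse_proxy_server(line).items():
            if is_loopback_proxy(hostport):
                # A proxy on loopback means a local process sits between the
                # browser and the network; to do that for https without
                # warnings it must also have planted its own root certificate.
                findings.append(("loopback-proxy", f"{scheme}={hostport}"))
        m = SERVICE_RE.match(line)
        if m and m.group("state").startswith("R") and not m.group("company"):
            findings.append(("running-service-no-company", m.group("name")))
        m = MISSING_RE.match(line)
        if m:
            findings.append(("service-file-missing", m.group("name")))
        if line.startswith(BROWSER_PREFIXES) and line.endswith(" No File"):
            findings.append(("orphaned-browser-entry", line.split(":", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FRST_LINES):
        print(f"{kind:28} {detail}")
```

The empty company field is only a version-resource check, not a signature check, so on a real log it is a prompt to submit the file to VirusTotal (as Cypher asks above), not proof of anything by itself; the loopback proxy, on the other hand, is worth acting on every time, and after the fix the user's certificate store should be checked for a root certificate the proxy installed.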

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 12:28 pm

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2015 01
Ran by C850-13D at 2015-01-16 15:37:44 Run:1
Running from C:\Users\C850-13D\Desktop
Loaded Profiles: C850-13D (Available profiles: C850-13D & Aiden)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
() C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe
() C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe
() C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe
R2 SchistEechinels; C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe [4383192 2014-10-27] ()
C:\Program Files (x86)\SchistEechinels
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\...\MountPoints2: {2e2deb75-19e1-11e3-93a8-4c72b95e2e70} - F:\Startme.exe
GroupPolicyUsers\S-1-5-21-1759270380-2726829519-464816427-1003\User: Group Policy restriction detected <======= ATTENTION
ProxyEnable: [S-1-5-21-1759270380-2726829519-464816427-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1759270380-2726829519-464816427-1000] => http=127.0.0.1:9880;https=127.0.0.1:9880
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
BHO-x32: MCAFEE SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\MCAFEE\SITEAD~1\mcieplg.dll No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll No File
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
Toolbar: HKU\S-1-5-21-1759270380-2726829519-464816427-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
S3 MFE_RR; \??\C:\Users\C850-13D\AppData\Local\Temp\mfe_rr.sys [X]
S3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [X]
2014-12-20 20:04 - 2014-12-20 20:05 - 00000000 ____D () C:\f0eab5caa9a299b916
2014-12-20 19:56 - 2014-12-20 19:56 - 00000000 ____D () C:\found.004
2014-12-18 21:35 - 2014-12-18 21:35 - 00000000 ____D () C:\3d9149fed620b51bb1647bbf8e82
2015-01-13 15:57 - 2014-10-10 17:47 - 00000000 ____D () C:\found.002
C:\Users\Aiden\AppData\Local\Temp\ICReinstall_adobe-photoshop-cs5.exe
C:\Users\C850-13D\AppData\Local\Temp\Quarantine.exe
C:\Users\C850-13D\AppData\Local\Temp\sqlite3.dll

EmptyTemp:
CMD: ipconfig /flushdns
*****************

[1488] C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe => Process closed successfully.
[2424] C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe => Process closed successfully.
[2640] C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe => Process closed successfully.
SchistEechinels => Unable to stop service
SchistEechinels => Service deleted successfully.

"C:\Program Files (x86)\SchistEechinels" directory move:

C:\Program Files (x86)\SchistEechinels\cacert.crt => Moved successfully.
C:\Program Files (x86)\SchistEechinels\CertMgr.Exe => Moved successfully.
C:\Program Files (x86)\SchistEechinels\HttpsProxy.exe => Moved successfully.
C:\Program Files (x86)\SchistEechinels\libeay32.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\libgcc_s_dw2-1.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\libstdc++-6.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\libwinpthread-1.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\LoopbackForWin8.exe => Moved successfully.
C:\Program Files (x86)\SchistEechinels\msvcp100.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\msvcr100.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\Qt5Core.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\Qt5Gui.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\Qt5Network.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\Qt5Sql.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\SchistEechinels.exe => Moved successfully.
C:\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe => Moved successfully.
C:\Program Files (x86)\SchistEechinels\ssleay32.dll => Moved successfully.
C:\Program Files (x86)\SchistEechinels\platforms\qwindows.dll => Moved successfully.
Could not move "C:\Program Files (x86)\SchistEechinels" directory. => Scheduled to move on reboot.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-1759270380-2726829519-464816427-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e2deb75-19e1-11e3-93a8-4c72b95e2e70}" => Key deleted successfully.
HKCR\CLSID\{2e2deb75-19e1-11e3-93a8-4c72b95e2e70} => Key not found.
C:\windows\system32\GroupPolicyUsers\S-1-5-21-1759270380-2726829519-464816427-1003\User => Moved successfully.
C:\windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3C88694-EFFA-4d78-B409-54B7B2535B14}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{F3C88694-EFFA-4d78-B409-54B7B2535B14}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" => Key deleted successfully.
HKU\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0" => Key deleted successfully.
MFE_RR => Service deleted successfully.
TDEIO => Service deleted successfully.
C:\f0eab5caa9a299b916 => Moved successfully.
C:\found.004 => Moved successfully.
C:\3d9149fed620b51bb1647bbf8e82 => Moved successfully.
C:\found.002 => Moved successfully.
C:\Users\Aiden\AppData\Local\Temp\ICReinstall_adobe-photoshop-cs5.exe => Moved successfully.
C:\Users\C850-13D\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\C850-13D\AppData\Local\Temp\sqlite3.dll => Moved successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 3.8 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-01-16 15:41:58)<=

C:\Program Files (x86)\SchistEechinels => Is moved successfully.

==== End of Fixlog 15:41:58 ====
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 12:30 pm

Zoek.exe v5.0.0.0 Updated 15-01-2015
Tool run by C850-13D on 16/01/2015 at 15:55:15.98.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\C850-13D\Downloads\zoek.exe [Scan all users] [Checkboxes used]

==== System Restore Info ======================

16/01/2015 15:58:00 Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================

C:\PROGRA~2\LEGO Company deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\005 deleted successfully
C:\Program Files\Google deleted successfully
C:\Program Files\stinger deleted successfully
C:\Users\C850-13D\AppData\Roaming\TP deleted successfully
C:\Users\C850-13D\AppData\Roaming\Windows Live Writer deleted successfully
C:\Users\Aiden\AppData\Local\{038DE797-D136-482D-882B-EB5D95D8F86E} deleted successfully
C:\Users\Aiden\AppData\Local\{08257D53-BC82-4CFC-AE71-BA9FD899E90C} deleted successfully
C:\Users\Aiden\AppData\Local\{0EB095FE-F26F-4EDD-B1D9-64851D84979F} deleted successfully
C:\Users\Aiden\AppData\Local\{12506130-D7D6-4D8A-A7E9-22CCF3102DEA} deleted successfully
C:\Users\Aiden\AppData\Local\{1530CF25-CEE7-4799-A80D-94D679CE75EE} deleted successfully
C:\Users\Aiden\AppData\Local\{18A1915F-2A57-4EEA-89B0-62169E539391} deleted successfully
C:\Users\Aiden\AppData\Local\{1AC6771E-03FA-40CA-A030-37D3A280D62E} deleted successfully
C:\Users\Aiden\AppData\Local\{262D01E5-4CA5-4586-9E34-94EA3357EC3D} deleted successfully
C:\Users\Aiden\AppData\Local\{2E8A5F54-6097-4CB2-AD14-C1D153CD1D2A} deleted successfully
C:\Users\Aiden\AppData\Local\{30DA1825-055F-43A0-99BB-7740A38DFAB3} deleted successfully
C:\Users\Aiden\AppData\Local\{32660979-E375-4C40-8C46-E7C0A6DEC670} deleted successfully
C:\Users\Aiden\AppData\Local\{3AD8AFF0-1DDE-4C03-B13A-EC3B32683C3B} deleted successfully
C:\Users\Aiden\AppData\Local\{3EE33E43-1FE4-4D1F-8AF8-E922AFA95B5E} deleted successfully
C:\Users\Aiden\AppData\Local\{5A56BB1F-9286-4046-8512-DF4519420592} deleted successfully
C:\Users\Aiden\AppData\Local\{5BBBDC03-3DE8-42AA-9A27-736260D3680C} deleted successfully
C:\Users\Aiden\AppData\Local\{5E490FE7-569B-40BA-806C-E4E3E7D1F1A9} deleted successfully
C:\Users\Aiden\AppData\Local\{5F416A4D-B368-435B-B7EF-EE838FED3246} deleted successfully
C:\Users\Aiden\AppData\Local\{5F591FBE-0AC1-41DF-8A9B-F70C3DB38B62} deleted successfully
C:\Users\Aiden\AppData\Local\{68DF1338-4903-4904-80AB-1E4C9327AF4F} deleted successfully
C:\Users\Aiden\AppData\Local\{6B971EB9-123C-4158-B986-B0C874A01C39} deleted successfully
C:\Users\Aiden\AppData\Local\{6CA249D0-6A31-4220-A6E6-8D31C76C64D5} deleted successfully
C:\Users\Aiden\AppData\Local\{6D7E2AE2-56E3-47E3-A9FF-45A1A299D346} deleted successfully
C:\Users\Aiden\AppData\Local\{71B713E0-DC0D-45CD-B850-87E12C0D02BD} deleted successfully
C:\Users\Aiden\AppData\Local\{7AA76DF5-ED54-49C2-A6A3-27897BB677AD} deleted successfully
C:\Users\Aiden\AppData\Local\{7BF36207-32AD-4C15-998E-D11FA31EFD31} deleted successfully
C:\Users\Aiden\AppData\Local\{8248F9E6-4E34-4956-8D12-F57F5B4ADFE9} deleted successfully
C:\Users\Aiden\AppData\Local\{850FC0F9-E8B8-4D0F-8D1B-36EC991B1F4C} deleted successfully
C:\Users\Aiden\AppData\Local\{89BF1106-BD73-4AB0-B05A-E0BF0B5753EB} deleted successfully
C:\Users\Aiden\AppData\Local\{8B6D77EE-C9F9-445D-A483-2B64166EDA80} deleted successfully
C:\Users\Aiden\AppData\Local\{93F8B2E4-4AB5-4D87-ADCD-EDAFCC005A3E} deleted successfully
C:\Users\Aiden\AppData\Local\{96AF806D-07D6-4FD9-A32D-E4C98A7F6333} deleted successfully
C:\Users\Aiden\AppData\Local\{9BC4A848-AC68-4330-AAD4-C25B1056F6AA} deleted successfully
C:\Users\Aiden\AppData\Local\{9E00D730-503B-4DC9-876A-BFA44AB2F748} deleted successfully
C:\Users\Aiden\AppData\Local\{A470D0E2-2D3C-4AF0-886F-21CF1B024810} deleted successfully
C:\Users\Aiden\AppData\Local\{A9D85722-A62A-4467-AECC-1198691CD89E} deleted successfully
C:\Users\Aiden\AppData\Local\{BD83CAD0-312C-4F4E-B021-F3DD63976FDD} deleted successfully
C:\Users\Aiden\AppData\Local\{BEC37D48-B533-45E9-B464-26E6007D256C} deleted successfully
C:\Users\Aiden\AppData\Local\{C01E1D3B-C659-4120-B6E4-885C2414DFFC} deleted successfully
C:\Users\Aiden\AppData\Local\{C265849C-88AC-456B-86AA-2121EA6971D0} deleted successfully
C:\Users\Aiden\AppData\Local\{D2F96F02-9DBF-4B27-B82C-30134BD67E67} deleted successfully
C:\Users\Aiden\AppData\Local\{DB2710B2-B052-4544-B348-AF5950BCA475} deleted successfully
C:\Users\Aiden\AppData\Local\{E67C982F-4BB3-4752-A0F1-5AA83F6CD4E1} deleted successfully
C:\Users\Aiden\AppData\Local\{EF2B3465-C3DB-4C43-A347-2DAEF74F6258} deleted successfully
C:\Users\Aiden\AppData\Local\{F4F3ADCE-7FC2-4897-A312-11A3579FA856} deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DFFE8A11-91B2-4C0B-B612-E6E0D477577E} deleted successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully
HKEY_USERS\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully
HKEY_USERS\S-1-5-21-1759270380-2726829519-464816427-1000\Software\Classes\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{4169044D-6BA4-4661-B7D6-E29274F1F458} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\COMMON~1\Wondershare deleted
C:\found.000 deleted
C:\Users\C850-13D\AppData\Local\Wondershare deleted
C:\Users\C850-13D\Downloads\rcp_dcomnew_sec_728.exe deleted
C:\windows\wininit.ini deleted
C:\windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\Syswow64\sho6AD3.tmp deleted
C:\windows\Syswow64\sho7828.tmp deleted
C:\windows\Syswow64\sho951E.tmp deleted
"C:\Users\C850-13D\AppData\Local\ChromeHitoryDB" deleted
"C:\Users\C850-13D\AppData\Local\{9A8BD8F3-332A-4AE1-BFFA-0E8232F943AD}" deleted
"C:\found.001" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [29/12/2014 20:51]

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
fheoggkfdfchfphceeifdbepaooicaho - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx[30/06/2014 14:21]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[09/12/2014 19:40]

Google Voice Search Hotword (Beta) - Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Avast Online Security - Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Google Voice Search Hotword (Beta) - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
GrooveShark JukeBox - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjgmfagolojoigoigjcadgnpcbnlcofa
SiteAdvisor - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho
AdBlock - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
avast Online Security - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Dictionary Instant - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\hngaklbjlbjhmoilkegninbmpfigheol
Grooveplayer - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnimbhddlpolciagcmencndhlpepbdcm
Phone Place - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\khkfnlkbaknalfgfmnnabbeebffplgmn
Music for every moment - Spotify - C850-13D\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhfhbkmihfcbjcoimalmefbkbbepaloj
Google Voice Search Hotword (Beta) - C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
AdBlock - C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Avast Online Security - C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki

==== Chromium Fix ======================

C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_findmusicbylyrics.com_0.localstorage deleted successfully
C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_findmusicbylyrics.com_0.localstorage-journal deleted successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\https_www.superfish.com_0.localstorage deleted successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\http_www.superfish.com_0.localstorage deleted successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\http_static.re-markable00.re-markable.net_0.localstorage deleted successfully
C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.selectgo00.selectgo.net_0.localstorage deleted successfully
C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.selectgo00.selectgo.net_0.localstorage-journal deleted successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\https_static.selectgo00.selectgo.net_0.localstorage deleted successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\http_www.productsandservices.bt.com_0.localstorage deleted successfully
C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.localdatasearch.com_0.localstorage deleted successfully
C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.localdatasearch.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{9C1772B2-4892-43ED-8CB9-B1AF91349FAA} Google Url="http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TEUA_enGB552"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcpltui_exe deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Obrona Block Ads deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wondershare Helper Compact.exe deleted successfully

==== Empty IE Cache ======================

C:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\C850-13D\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\C850-13D\AppData\Local\Google\Chrome\User Data\Profile 1\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=75 folders=25 22636372 bytes)

==== Empty Temp Folders ======================

C:\Users\Aiden\AppData\Local\Temp emptied successfully
C:\Users\C850-13D\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\windows\Temp successfully emptied
C:\Users\C850-13D\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 16/01/2015 at 16:23:24.80 ======================
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 16th, 2015, 12:33 pm

Hi,

It seems ok, have visited a couple of sites and no sign of sasa or obrona!
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Cypher » January 16th, 2015, 12:51 pm

Hi,
Knoxy wrote:It seems ok, have visited a couple of sites and no sign of sasa or obrona!

Excellent :thumbleft:
I need you to run one more scan for me, this will check for any malware "leftovers".

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET Online Scanner
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Click on Run ESET Online Scanner, then select the option YES, I accept the Terms of Use, then click Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Knoxy » January 17th, 2015, 7:48 am

Hi Cypher,
I ran the scan and copied the log, but when I clicked Finish and tried to open the c:\eset txt log it couldn't find it! I don't know what I did wrong. So below is what I copied to Notepad before I clicked Finish. It appears to have deleted what it found. I am running the scan again at the moment and will post what it finds. Apologies if I have done something wrong. :roll:

C:\AdwCleaner\Quarantine\C\Users\Aiden\AppData\Roaming\GetPrivate\gp_upd.exe.vir a variant of Win32/Techsnab.B potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\SchistEechinels\HttpsProxy.exe.xBAD a variant of Win32/Adware.ObronaAds.C application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\SchistEechinels\SchistEechinels.exe.xBAD Win32/Adware.ObronaAds.B application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\SchistEechinels\SchistEechinelsHelper.exe.xBAD Win32/Adware.ObronaAds.B application cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\SchistEechinels\platforms\qwindows.dll\SchistEechinelsHelper.exe Win32/Adware.ObronaAds.B application cleaned by deleting (after the next restart) - quarantined
C:\FRST\Quarantine\C\Users\Aiden\AppData\Local\Temp\ICReinstall_adobe-photoshop-cs5.exe.xBAD a variant of Win32/InstallCore.QW potentially unwanted application deleted - quarantined
C:\Users\Aiden\Downloads\adobe-photoshop-cs5.exe a variant of Win32/InstallCore.QW potentially unwanted application deleted - quarantined
C:\Users\Aiden\Downloads\Installation.exe Win32/OutBrowse.BK potentially unwanted application deleted - quarantined
C:\Users\C850-13D\Downloads\FLVPlayer-Chrome.exe NSIS/TrojanDownloader.Adload.AA trojan cleaned by deleting - quarantined
C:\Users\C850-13D\Downloads\Unconfirmed 279364.crdownload Win32/InstallMonetizer.AF potentially unwanted application deleted - quarantined
C:\Windows\assembly\GAC_MSIL\Interop.SHDocVw\1.1.0.0__84542ff99aed6a4d\Interop.SHDocVw.dll a variant of Win32/Toolbar.Linkury.G potentially unwanted application deleted - quarantined
C:\zoek_backup\C_Users_C850-13D_Downloads_rcp_dcomnew_sec_728.exe.vir Win32/Systweak.D potentially unwanted application deleted - quarantined
Knoxy
Regular Member
 
Posts: 21
Joined: January 13th, 2015, 12:46 pm
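As an added example (not part of this thread and not ESET's own tooling), the Python below parses lines in the shape of the ESET Online Scanner log quoted in the post above and does the triage a helper does by eye: it separates hits that were already sitting inside another tool's quarantine folder (AdwCleaner, FRST, zoek_backup) from files that were still live on disk, and flags any cleanup that is still pending a reboot. The sample lines are copied from that log; the regular expression and the list of quarantine-folder prefixes are assumptions derived from those lines, not a documented ESET log format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Line layout observed in the ESET Online Scanner log quoted above (assumed, not
# a documented format):
#   <path> [a variant of ]<Family/Name.Variant> <kind> <action>[ - quarantined]
# Paths may contain spaces, so the path is matched lazily and anchored by the
# "Family/Name" token, which is the first thing on the line containing a "/".
ESET_LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<variant>a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9_.\-]+) "
    r"(?P<kind>potentially unwanted application|potentially unsafe application"
    r"|trojan|application|worm|virus) "
    r"(?P<action>.+?)"
    r"(?: - (?P<status>quarantined))?$"
)

# Folders where the removal tools used earlier in the thread park neutralised
# files (assumed from the paths in the log). A hit here is a leftover inside a
# quarantine, not an active file.
QUARANTINE_PREFIXES = (
    "C:\\AdwCleaner\\Quarantine\\",
    "C:\\FRST\\Quarantine\\",
    "C:\\zoek_backup\\",
)


@dataclass(frozen=True)
class Detection:
    path: str
    name: str          # e.g. Win32/Adware.ObronaAds.B
    kind: str          # ESET's classification word(s)
    action: str        # what the scanner did
    quarantined: bool  # line ended with "- quarantined"
    needs_reboot: bool  # action deferred to the next restart
    in_quarantine: bool  # file was already inside another tool's quarantine


def parse_line(line: str):
    """Return a Detection for one log line, or None if the line is not a hit."""
    m = ESET_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    lowered = path.lower()
    return Detection(
        path=path,
        name=m.group("name"),
        kind=m.group("kind"),
        action=m.group("action"),
        quarantined=m.group("status") == "quarantined",
        needs_reboot="after the next restart" in m.group("action"),
        in_quarantine=lowered.startswith(tuple(p.lower() for p in QUARANTINE_PREFIXES)),
    )


def parse_log(text: str):
    """Parse every line of a log dump, skipping blank or non-detection lines."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def summarize(detections):
    """Counts by classification plus the two lists a helper wants to see."""
    return {
        "total": len(detections),
        "by_kind": dict(Counter(d.kind for d in detections)),
        # Files that were still live on disk, not already quarantined elsewhere.
        "live_files": [d.path for d in detections if not d.in_quarantine],
        # Cleanups ESET could only schedule for the next restart.
        "pending_reboot": [d.path for d in detections if d.needs_reboot],
    }


# Sample lines copied from the ESET log posted above (raw string: the paths
# contain backslashes).
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Users\Aiden\AppData\Roaming\GetPrivate\gp_upd.exe.vir a variant of Win32/Techsnab.B potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\Program Files (x86)\SchistEechinels\platforms\qwindows.dll\SchistEechinelsHelper.exe Win32/Adware.ObronaAds.B application cleaned by deleting (after the next restart) - quarantined
C:\Users\C850-13D\Downloads\FLVPlayer-Chrome.exe NSIS/TrojanDownloader.Adload.AA trojan cleaned by deleting - quarantined
C:\Windows\assembly\GAC_MSIL\Interop.SHDocVw\1.1.0.0__84542ff99aed6a4d\Interop.SHDocVw.dll a variant of Win32/Toolbar.Linkury.G potentially unwanted application deleted - quarantined
C:\Users\C850-13D\Downloads\Unconfirmed 279364.crdownload Win32/InstallMonetizer.AF potentially unwanted application deleted - quarantined
"""

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample above the script reports three hits still live on disk (two in a Downloads folder and the Linkury DLL in the GAC) and one scheduled for the next restart; the two entries under AdwCleaner and FRST quarantine folders were already neutralised before ESET saw them, which is the "leftovers" distinction the scan is run to check.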

Re: Windows 7 Laptop infected with SASA,OBRONA Ads etc

Unread postby Cypher » January 17th, 2015, 8:00 am

Hi,
Knoxy wrote: I am running the scan again at the moment and will post what it finds. Apologies if I have done something wrong

Ok, post the new log when ready.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns