Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Trojans and malware on wife's ASUS

Post by bbduggan+ » December 14th, 2014, 7:54 pm

Here are the DDS files from my Flight Attendant wife's Windows & ASUS notebook and I have no idea what to do. It is slower than molasses.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17496 BrowserJavaVersion: 10.65.2
Run by ultimate at 16:42:13 on 2014-12-14
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1014.229 [GMT -7:00]
.
AV: Norton 360 *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton 360 *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Prey\platform\windows\cronsvc.exe
C:\Windows\system32\lxedcoms.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files\Lexmark S600 Series\lxedmon.exe
C:\Program Files\Lexmark S600 Series\ezprint.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uSearch Bar = www.google.com
uSearch Page = www.google.com
uDefault_Page_URL = www.google.com
mStart Page = www.google.com
mDefault_Page_URL = www.google.com
mDefault_Search_URL = www.google.com
uProxyOverride = <-loopback>
uSearchAssistant = www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\21.6.0.32\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\21.6.0.32\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} - c:\program files\gamesbar\2.0.1.82\oberontb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\21.6.0.32\coieplg.dll
TB: GamesBar: {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\2.0.1.82\oberontb.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\21.6.0.32\coieplg.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [lxedmon.exe] "c:\program files\lexmark s600 series\lxedmon.exe"
mRun: [EzPrint] "c:\program files\lexmark s600 series\ezprint.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\4416973794E6E613 : DHCPNameServer = 208.67.222.222 8.8.8.8
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\64F657270205F696E64737 : DHCPNameServer = 10.128.128.128
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\74575637470294E6475627E6564702143636563737 : DHCPNameServer = 10.101.0.1 216.21.128.22 208.67.222.222
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\7594E444F5131324F577 : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\7596E676164756 : DHCPNameServer = 172.20.100.1
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\8497164747F57457563747 : DHCPNameServer = 192.168.16.1
TCP: Interfaces\{B7D54E76-4A43-4C6F-AFB1-A94278289976}\8697164747 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{E08B80E6-7FA4-45B6-84C2-4F667ECAAE85} : DHCPNameServer = 172.22.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\39.0.2171.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ultimate\appdata\roaming\mozilla\firefox\profiles\uxadcxx6.default-1396819375863\
FF - prefs.js: browser.search.selectedEngine - Yahoo US
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_246.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: extensions.shownSelectionUI - true
FF - user.js: extensions.astrmndasr.hmpg - true
FF - user.js: extensions.astrmndasr.hmpgUrl - hxxp://astromenda.com/?f=1&a=ast_dnldst ... 177444&ir=
FF - user.js: extensions.astrmndasr.dfltSrch - true
FF - user.js: extensions.astrmndasr.srchPrvdr - Astromenda
FF - user.js: extensions.astrmndasr.dnsErr - true
FF - user.js: extensions.astrmndasr_i.newTab - true
FF - user.js: extensions.astrmndasr.newTabUrl - hxxp://astromenda.com/?f=2&a=ast_dnldst ... 177444&ir=
FF - user.js: extensions.astrmndasr.tlbrSrchUrl - hxxp://astromenda.com/?f=3&a=ast_dnldst ... 444&ir=&q=
FF - user.js: extensions.astrmndasr.id - 485B397EB7B68790
FF - user.js: extensions.astrmndasr.instlDay - 16323
FF - user.js: extensions.astrmndasr.vrsn -
FF - user.js: extensions.astrmndasr.vrsni -
FF - user.js: extensions.astrmndasr_i.vrsnTs - 11:40:9
FF - user.js: extensions.astrmndasr.prtnrId - WSE_Astromenda
FF - user.js: extensions.astrmndasr.prdct - astrmndasr
FF - user.js: extensions.astrmndasr.aflt - ast_dnldstr_14_37_ff
FF - user.js: extensions.astrmndasr_i.smplGrp - none
FF - user.js: extensions.astrmndasr.tlbrId -
FF - user.js: extensions.astrmndasr.instlRef - 142905_a
FF - user.js: extensions.astrmndasr.dfltLng -
FF - user.js: extensions.astrmndasr.appId - {9CB2CD61-FFA0-406C-9D2D-8FDE6F4A4D8A}
FF - user.js: extensions.astrmndasr.excTlbr - false
FF - user.js: extensions.astrmndasr.cr - 966177444
FF - user.js: extensions.astrmndasr.cd - 2XzuyEtN2Y1L1QzuyEzzyD0BtAzyyB0E0ByB0ByCzzyBzytDtN0D0Tzu0SzyzzyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StA0B0DtB0F0EtA0EtG0BzzyDyDtG0CzztDtCtG0CyC0DtAtGyBzy0D0EtB0A0EtA0DyDtAtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytC0EyE0Czy0EyEtGyB0B0E0EtGyEzy0AtDtG0AyC0A0BtGzz0A0CtDzzyDzztBzytCyDtD2Q
FF - user.js: extensions.astrmndasr.AL - 4
.
.
.
.
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1506000.020\symds.sys [2014-10-8 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1506000.020\symefa.sys [2014-10-8 936152]
R1 BHDrvx86;BHDrvx86;c:\program files\norton 360\nortondata\21.1.0.18\definitions\bashdefs\20141209.001\BHDrvx86.sys [2014-12-11 1138392]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\n360\1506000.020\ccsetx86.sys [2014-10-8 127064]
R1 IDSVix86;IDSVix86;c:\program files\norton 360\nortondata\21.1.0.18\definitions\ipsdefs\20141212.002\IDSvix86.sys [2014-12-12 479448]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1506000.020\ironx86.sys [2014-10-8 209624]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\1506000.020\symnets.sys [2014-10-8 447704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-12-11 111408]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-10 50688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-7-20 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-7-20 114904]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-7-20 51928]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2013-12-6 16024]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-10-17 14848]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2014-5-3 27192]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-10-17 49152]
.
=============== Created Last 30 ================
.
2014-12-13 05:28:48 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-12-13 04:49:00 -------- d-----w- c:\windows\system32\appraiser
2014-12-12 06:48:04 2048 ----a-w- c:\windows\system32\mferror.dll
2014-12-12 06:48:03 50176 ----a-w- c:\windows\system32\rrinstaller.exe
2014-12-12 06:48:03 3209728 ----a-w- c:\windows\system32\mf.dll
2014-12-12 06:48:03 23040 ----a-w- c:\windows\system32\mfpmp.exe
2014-12-12 06:48:03 103424 ----a-w- c:\windows\system32\mfps.dll
2014-12-11 18:58:59 772608 ----a-w- c:\program files\internet explorer\iedvtool.dll
2014-12-11 18:57:51 2048 ----a-w- c:\windows\system32\tzres.dll
2014-12-11 18:55:55 155136 ----a-w- c:\windows\system32\charmap.exe
2014-12-11 18:55:46 248832 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2014-12-11 18:55:46 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2014-12-11 18:55:46 1177088 ----a-w- c:\windows\system32\WsmSvc.dll
2014-12-11 18:55:45 198656 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2014-12-11 18:55:45 145920 ----a-w- c:\windows\system32\WsmAuto.dll
2014-11-25 20:59:38 18638520 ----a-w- c:\program files\common files\microsoft shared\office14\MSO.DLL
2014-11-20 18:20:26 186880 ----a-w- c:\windows\system32\pku2u.dll
2014-11-20 18:20:21 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-11-19 11:31:16 1217192 ----a-w- c:\windows\system32\FM20.DLL
2014-11-17 01:49:44 67584 ----a-w- c:\windows\system32\packager.dll
2014-11-17 01:49:42 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-17 01:49:24 701440 ----a-w- c:\windows\system32\IMJP10K.DLL
2014-11-17 01:49:15 2363904 ----a-w- c:\windows\system32\msi.dll
2014-11-17 01:47:11 2744320 ----a-w- c:\windows\system32\rdpcorets.dll
2014-11-17 01:45:48 5703168 ----a-w- c:\windows\system32\mstscax.dll
2014-11-17 01:41:33 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-11-17 01:41:33 523776 ----a-w- c:\windows\system32\termsrv.dll
2014-11-17 01:41:32 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-11-17 01:41:32 136632 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-11-17 01:41:32 1059840 ----a-w- c:\windows\system32\lsasrv.dll
.
==================== Find3M ====================
.
2014-12-14 23:36:03 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2014-12-14 23:09:58 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-11 17:49:06 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-11 17:49:06 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-12-04 04:38:59 337920 ----a-w- c:\windows\system32\generaltel.dll
2014-12-04 04:38:45 610304 ----a-w- c:\windows\system32\invagent.dll
2014-12-04 04:38:40 315392 ----a-w- c:\windows\system32\devinv.dll
2014-12-04 04:38:37 728576 ----a-w- c:\windows\system32\appraiser.dll
2014-12-04 04:38:36 202752 ----a-w- c:\windows\system32\aepdu.dll
2014-12-04 04:38:36 159744 ----a-w- c:\windows\system32\aepic.dll
2014-12-04 04:34:13 873984 ----a-w- c:\windows\system32\aeinv.dll
2014-12-02 19:06:39 151552 ----a-w- c:\windows\KMSEmulator.exe
2014-12-01 23:28:26 1160872 ----a-w- c:\windows\system32\aitstatic.exe
2014-11-22 02:20:44 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-22 02:20:30 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:07:43 501248 ----a-w- c:\windows\system32\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- c:\windows\system32\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-22 01:55:16 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2014-11-22 01:55:14 102912 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-22 01:54:30 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-22 01:48:26 667648 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 01:40:04 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- c:\windows\system32\jscript9.dll
2014-11-22 01:22:49 2052096 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- c:\windows\system32\wininet.dll
2014-11-21 13:14:20 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 13:14:10 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 13:14:06 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-11 02:44:45 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-10-10 00:45:54 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-03 01:44:42 442880 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 01:44:31 275968 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 01:44:26 475136 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 01:44:26 374784 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- c:\windows\system32\AudioSes.dll
2014-09-25 01:40:50 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-19 09:23:55 172032 ----a-w- c:\windows\system32\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- c:\windows\system32\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- c:\windows\system32\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- c:\windows\system32\msv1_0.dll
2014-09-19 09:23:36 17408 ----a-w- c:\windows\system32\credssp.dll
2013-10-08 01:07:28 50053120 ----a-w- c:\program files\GUTAF14.tmp
.
============= FINISH: 16:44:50.94 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 2/20/2012 2:32:32 PM
System Uptime: 12/14/2014 3:33:29 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | 1005P
Processor: Intel(R) Atom(TM) CPU N450 @ 1.66GHz | CPU 1 | 983/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 99.995 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP239: 8/20/2014 11:08:57 PM - Windows Update
RP240: 8/30/2014 6:05:31 PM - Windows Update
RP241: 9/10/2014 9:25:28 AM - Windows Update
RP242: 9/24/2014 8:50:50 PM - Windows Update
RP243: 10/11/2014 4:24:04 PM - Windows Update
RP244: 10/17/2014 11:07:36 AM - Windows Update
RP245: 10/17/2014 9:49:35 PM - Windows Update
RP246: 10/17/2014 10:34:51 PM - Windows Update
RP247: 11/16/2014 7:08:37 PM - Windows Update
RP248: 11/20/2014 12:32:35 PM - Windows Update
RP249: 12/1/2014 11:49:50 AM - Removed Cisco AnyConnect VPN Client
RP250: 12/2/2014 11:13:12 AM - Installed Microsoft Visual C++ 2005 Redistributable
RP251: 12/11/2014 11:24:36 PM - Windows Update
RP252: 12/14/2014 3:24:00 PM - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe AIR
Adobe Flash Player 15 ActiveX
Adobe Flash Player 15 Plugin
Adobe Reader XI (11.0.06)
ArcSoft WebCam Companion 2
CCleaner
Cisco AnyConnect VPN Client
Definition Update for Microsoft Office 2010 (KB2910899) 32-Bit Edition
GamesBar 2.0.1.82
Google Chrome
Google Update Helper
Intel(R) Graphics Media Accelerator Driver
Java 7 Update 65
Lexmark S600 Series
Mahjongg dimensions
Malwarebytes Anti-Malware version 2.0.4.1028
Microsoft .NET Framework 4.5.1
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 32.0.1 (x86 en-US)
Mozilla Maintenance Service
MyDefrag v4.3.1
Norton 360
Revo Uninstaller Pro 3.0.8
Secunia PSI (3.0.0.9016)
Security Update for Microsoft .NET Framework 4.5.1 (KB2894854v2)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972107)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972216)
Security Update for Microsoft .NET Framework 4.5.1 (KB2978128)
Security Update for Microsoft .NET Framework 4.5.1 (KB2979578v2)
Security Update for Microsoft Excel 2010 (KB2910902) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553154) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2899519) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Skype Click to Call
Skype™ 6.18
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Excel 2010 (KB2589348) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553140) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589386) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597089) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687275) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837602) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
Update for Microsoft Office 2010 (KB2883019) 32-Bit Edition
Update for Microsoft Office 2010 (KB2889818) 32-Bit Edition
Update for Microsoft Office 2010 (KB2889828) 32-Bit Edition
Update for Microsoft Office 2010 (KB2910896) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2597088) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2880517) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
VLC media player
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
12/14/2014 3:35:15 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxedCATSCustConnectService service to connect.
12/14/2014 3:35:15 PM, Error: Service Control Manager [7000] - The lxedCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/14/2014 3:31:30 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
12/13/2014 2:33:33 AM, Error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
12/13/2014 2:33:33 AM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147024846.
12/13/2014 2:33:33 AM, Error: Service Control Manager [7000] - The SSDP Discovery service failed to start due to the following error: The service did not start due to a logon failure.
12/13/2014 2:33:33 AM, Error: Service Control Manager [7000] - The Computer Browser service failed to start due to the following error: A system shutdown is in progress.
12/13/2014 2:33:33 AM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x80070032.
12/13/2014 2:27:12 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMScheduler service.
12/13/2014 2:26:37 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
12/12/2014 10:56:48 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: {5eeb83d0-96ea-4249-942c-beead6847053}Gw
12/11/2014 11:02:43 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
12/11/2014 11:02:36 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
12/11/2014 11:02:36 AM, Error: Service Control Manager [7000] - The Volume Shadow Copy service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
bbduggan+
Active Member
Posts: 5
Joined: December 14th, 2014, 7:01 pm

Re: Trojans and malware on wife's ASUS

Post by Gary R » December 15th, 2014, 2:25 am

There are definite signs of infection on your computer, and there are also signs that this machine may be used for business purposes or may be regularly connected to a business network.

Can you please confirm whether or not this machine is used for any type of business?
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Trojans and malware on wife's ASUS

Post by bbduggan+ » December 15th, 2014, 11:22 am

The only business use is the VPN program my wife uses for her Flight Attendant scheduling.
bbduggan+
Active Member
Posts: 5
Joined: December 14th, 2014, 7:01 pm

Re: Trojans and malware on wife's ASUS

Post by Gary R » December 15th, 2014, 12:16 pm

In that case ....

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.


Unless informed in advance, failure to post replies within 3 days will result in this thread being closed.


Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
  • As you're using Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator
If you can do these things, everything should go smoothly.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


To ensure we remove the infection completely, I'm first going to need you to run a few additional scans for me, so I have a more complete picture of what we need to take care of.

First ...

Please download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan.
  • A logfile will automatically open after the scan has finished.
  • Close the AdwCleaner window and click OK at the prompt.
  • Please post the contents of that logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[R1].txt.

AT THIS POINT, DO NOT ATTEMPT TO CLEAN ANYTHING THAT MAY BE FOUND

Next ...

  • Download FRST to your Desktop.
  • Double click Frst.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.

Next ...

I also need you to run a search for me with FRST ...

  • Double click Frst.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    Fun4IM;Bandoo;Searchnu;Searchqu;iLivid;whitesmoke;datamngr;kelkoopartners;trolltech;babylon;conduit;astromenda;astrmndasr

    • Press the Search Registry button.
    • When finished searching a log will open on your Desktop ... Search.txt
    • Please post it in your next reply.

Summary of the logs I need from you in your next post:
  • ADWCleaner log
  • FRST.txt
  • Addition.txt
  • Search.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Trojans and malware on wife's ASUS

Unread postby bbduggan+ » December 15th, 2014, 2:05 pm

# AdwCleaner v4.105 - Report created 15/12/2014 at 10:36:51
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Local]
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : ultimate - ULTIMATE-PC
# Running from : C:\Users\ultimate\Downloads\adwcleaner_4.105.exe
# Option : Scan

***** [ Services ] *****

Service Found : c2cautoupdatesvc
Service Found : c2cpnrsvc

***** [ Files / Folders ] *****

File Found : C:\Users\Public\Desktop\DriverRestore.lnk
File Found : C:\Users\Public\Desktop\DriverRestore.lnk
File Found : C:\Users\ultimate\AppData\Roaming\Mozilla\Firefox\Profiles\uxadcxx6.default-1396819375863\user.js
Folder Found : C:\Program Files\DriverRestore
Folder Found : C:\Program Files\File Type Helper
Folder Found : C:\Program Files\GamesBar
Folder Found : C:\Program Files\OApps
Folder Found : C:\Program Files\Uninstaller
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\GamesBar
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverRestore
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamesBar
Folder Found : C:\ProgramData\Tarma Installer
Folder Found : C:\Users\ultimate\AppData\LocalLow\Delta
Folder Found : C:\Users\ultimate\AppData\Roaming\Babylon
Folder Found : C:\Users\ultimate\AppData\Roaming\Conduit
Folder Found : C:\Users\ultimate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ArcadeParlor
Folder Found : C:\Users\ultimate\Documents\smart pc cleaner
Folder Found : C:\Windows\system32\BitGuard

***** [ Scheduled Tasks ] *****

Task Found : RocketTab Update Task
Task Found : RocketTab
Task Found : DriverRestore_ScheduledScan
Task Found : DriverRestore_DailyScan

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\5308c8cbc3be541
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AppDataLow\Software\Smartbar
Key Found : HKCU\Software\BABSOLUTION
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Delta
Key Found : HKCU\Software\DriverRestore
Key Found : HKCU\Software\eSupport.com
Key Found : HKCU\Software\gamesbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{300BEC06-B743-4D19-86B9-11DC711D7FFB}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A93C934-025B-4C3A-B38E-9654A7003239}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Mozilla\Extends
Key Found : HKCU\Software\pc optimizer pro
Key Found : HKCU\Software\Search Extensions
Key Found : HKCU\Software\SmartBar
Key Found : HKCU\Software\Smartbar
Key Found : HKLM\SOFTWARE\{F2E9660B-98AF-42c0-8258-9CDDF07BF95D}
Key Found : HKLM\SOFTWARE\5308c8cbc3be541
Key Found : HKLM\SOFTWARE\Classes\AppID\SelectionLinks.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Found : HKLM\SOFTWARE\Classes\oberontb.band
Key Found : HKLM\SOFTWARE\Classes\oberontb.band.1
Key Found : HKLM\SOFTWARE\Classes\oberontb.GamesBarBHO
Key Found : HKLM\SOFTWARE\Classes\oberontb.GamesBarBHO.1
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\speedupmypc
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{AD76633E-E50D-4844-9E7F-4DFBC7C18467}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}
Key Found : HKLM\SOFTWARE\Delta
Key Found : HKLM\SOFTWARE\DriverRestore
Key Found : HKLM\SOFTWARE\gamesbar
Key Found : HKLM\SOFTWARE\GamesBarSetup
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\kdcnnmifdmlmjffdgeieikcokcogpbej
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A93C934-025B-4C3A-B38E-9654A7003239}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverRestore
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamesbar
Key Found : HKLM\SOFTWARE\SoftwareUpdater
Key Found : HKLM\SOFTWARE\Tarma Installer
Key Found : HKLM\SOFTWARE\Uniblue
Key Found : HKLM\SOFTWARE\V9Software
Key Found : HKLM\SOFTWARE\Vittalia
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{FB304EF5-15D3-D544-9F7F-4585F9A14A3B}]
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{FB304EF5-15D3-D544-9F7F-4585F9A14A3B}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6F282B65-56BF-4BD1-A8B2-A4449A05863D}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v34.0.5 (x86 en-US)

[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.internaldb.monetization_plugin_bundledUrls.value", "%7B%22dealply_s%22%3A%7B%22urls%22%3A%5B%22ssf[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.js", "\n\nappAPI.ready(function($) {\n\n $('body').bindExtensionEvent('requestNetworkData', functi[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_1.code", "appAPI._cr_config={appID:function(){var a=appAPI.appInfo;if(a){return app[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_103.code", "appAPI.internal.monetization = appAPI.internal.monetization || {};\nif [...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_119.code", "appAPI.internal.monetization = appAPI.internal.monetization || {};\nif [...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_13.name", "CrossriderAppUtils");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_14.name", "CrossriderUtils");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_16.code", "if((typeof isBackground===\"undefined\"||isBackground!==true)&&(typeof _[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_17.code", "if(typeof window!==\"undefined\"){\n/*!\n * jQuery JavaScript Library v1[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_177.code", "(function(){if(!(appAPI.isMatchPages&&appAPI.isMatchPages(\"*crossrider[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_177.name", "crossriderDashboard");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_182.code", "(function(){if(typeof $jquery_171===\"undefined\"){return;}var c={DUMMY[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_194.code", "if(typeof appAPI.internal.monetization===\"undefined\"){appAPI.internal[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_21.code", "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.a[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_22.code", "(function(a){appAPI.queueManager={queue:[],register:function(b){this.que[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_246.code", "setup2=function(d,a){var b=function(i){var k=function(l){if(typeof l!==[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_28.code", "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_con[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_47.code", "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_78.name", "CrossriderInfo");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_9.code", "appAPI.hooks.addHook(\"searchEngine\",(function(a){return function(){var [...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.a588a2804b11d4809963ba886d1e8684e416c890211404f759037bf86b99379dbcom33254.33254.plugins.plugin_91.code", "(function(i){if(!appAPI.isBackground&&appAPI.dom&&appAPI.dom.isIframe())[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.astrmndasr.hmpgUrl", "hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_37_ff&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzyyB0E0ByB0ByCzzyBzytDtN0D0Tzu0SzyzzyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzyt[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.astrmndasr.newTabUrl", "hxxp://astromenda.com/?f=2&a=ast_dnldstr_14_37_ff&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzyyB0E0ByB0ByCzzyBzytDtN0D0Tzu0SzyzzyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBz[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.astrmndasr.prtnrId", "WSE_Astromenda");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.astrmndasr.srchPrvdr", "Astromenda");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.astrmndasr.tlbrSrchUrl", "hxxp://astromenda.com/?f=3&a=ast_dnldstr_14_37_ff&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzyyB0E0ByB0ByCzzyBzytDtN0D0Tzu0SzyzzyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEt[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.DockingPositionDown", false);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.SmartbarDisabled", false);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.Visibility", false);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.backPageCapacity", 3);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.backPageCounter", 0);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.backPageDay", 19);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.backPageLastEvent", "1405639517532");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.backPageMinInterval", 15);
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.barcodeid", "39182");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.countryiso", "us");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.downloadprovider", "bundlore");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.externalJsFiles", "{\"d\":\"[{\\\"ExcludeDomains\\\":[\\\"snap.do\\\",\\\"snapdo.com\\\",\\\".search.yahoo.com\\\\\\/yhs\\\\\\/search?hspart=lkry\\\",\\\"www.only-apart[...]
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.fromautoupdate", "false");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.installationid", "0ad5f889-51be-2884-72bc-d9f587439fd7");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.installdate", "19/07/2014");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.keepAliveLastevent", "1405812219");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.lastExternalJsUpdate", "1405812684182");
[uxadcxx6.default-1396819375863] - Line Found : user_pref("extensions.helperbar.publisher", "bundlore");

-\\ Google Chrome v39.0.2171.95

[C:\Users\ultimate\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.v9.com/web/?type=ds&ts=14 ... 5ee6fe0&q={searchTerms}
[C:\Users\ultimate\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_37_ff&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzyyB0E0ByB0ByCzzyBzytDtN0D0Tzu0SzyzzyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StA0B0DtB0F0EtA0EtG0BzzyDyDtG0CzztDtCtG0CyC0DtAtGyBzy0D0EtB0A0EtA0DyDtAtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytC0EyE0Czy0EyEtGyB0B0E0EtGyEzy0AtDtG0AyC0A0BtGzz0A0CtDzzyDzztBzytCyDtD2Q&cr=966177444&ir=
[C:\Users\ultimate\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\ultimate\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [18210 octets] - [15/12/2014 10:36:51]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [18271 octets] ##########

FRST has failed to download twice. Each time a Norton box comes up saying a file (different each time) is not safe and has been removed.
bbduggan+
Active Member
 
Posts: 5
Joined: December 14th, 2014, 7:01 pm

Re: Trojans and malware on wife's ASUS

Unread postby bbduggan+ » December 15th, 2014, 2:07 pm

Also, PC Clean Maestro and Driver Restore pages have opened on their own.
bbduggan+
Active Member
 
Posts: 5
Joined: December 14th, 2014, 7:01 pm

Re: Trojans and malware on wife's ASUS

Unread postby Gary R » December 15th, 2014, 6:16 pm

Try downloading FRST on a different computer, then transfer it to the infected machine using a USB drive.

Norton is a real PITA and in the opinion of many, not a particularly good AV program ..... FRST is not malicious, and Symantec have been notified that it is not a malicious program, but as usual they are incredibly slow at rectifying their false positives.

If you do not have access to another computer, and can't run FRST, then please do the following instead ...

Download OTL by OldTimer to your Desktop.

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Next ...

Please download SystemLook from one of the links below and save it to your Desktop.

For 32 bit Systems

  • Double-click SystemLook.exe to run it.
  • Copy and paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    *AskToolbar*
    *Ask.com*
    *Bandoo*
    *Babylon*
    *Conduit*
    *datamngr*
    *searchab*
    *frostwire*
    *Fun4IM*
    *Funmoods*
    *iLivid*
    *IObit*
    *Iminent*
    *OpenCandy*
    *Searchqu*
    *Searchnu*
    *smartbar*
    *Tarma*
    *torrent*
    *trolltech*
    *Vafmusic2*
    *vshare*
    *whitesmoke*
    *Yontoo*
    *astromenda*
    *astrmndasr*
    
    :folderfind
    *AskToolbar*
    *Ask.com*
    *Bandoo*
    *Babylon*
    *Conduit*
    *datamngr*
    *searchab*
    *frostwire*
    *Fun4IM*
    *Funmoods*
    *iLivid*
    *IObit*
    *Iminent*
    *OpenCandy*
    *Searchqu*
    *Searchnu*
    *smartbar*
    *Tarma*
    *torrent*
    *trolltech*
    *Vafmusic2*
    *vshare*
    *whitesmoke*
    *Yontoo*
    *astromenda*
    *astrmndasr*
    
    :Regfind
    AskToolbar
    Ask.com
    Bandoo
    Babylon
    Conduit
    datamngr
    searchab
    frostwire
    Fun4IM
    Funmoods
    iLivid
    IObit
    Iminent
    OpenCandy
    Searchqu
    Searchnu
    smartbar
    Tarma
    torrent
    trolltech
    Vafmusic2
    vshare
    whitesmoke
    Yontoo
    astromenda
    astrmndasr
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Trojans and malware on wife's ASUS

Unread postby Gary R » December 18th, 2014, 1:42 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire