pop ups and internet explorer problems [Solved]


  • This topic is locked This topic is locked

#1 fertigline (Member, 17 posts)
Recently I have had ads pop up at the bottom of the Google homepage. Also I have had ads pop up in new windows, and increasingly, when I am online, Internet Explorer will stop working and say that it is seeking a solution to the problem. I think I may have picked up an adware virus.

Here is my OTL report.

OTL logfile created on: 2/28/2014 8:39:52 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\David\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16518)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 55.71% Memory free
5.98 Gb Paging File | 4.53 Gb Available in Paging File | 75.86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 434.18 Gb Free Space | 93.23% Space Free | Partition Type: NTFS

Computer Name: DAVID-PC | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/02/28 20:38:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
PRC - [2014/01/27 15:45:12 | 000,546,112 | ---- | M] () -- C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe
PRC - [2013/12/21 01:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/11/20 01:54:20 | 000,283,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe
PRC - [2013/11/20 01:54:00 | 004,411,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgui.exe
PRC - [2013/10/23 01:06:16 | 001,117,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgnsx.exe
PRC - [2013/10/23 01:05:52 | 000,799,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgemcx.exe
PRC - [2013/08/28 19:23:38 | 001,861,968 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2013/07/10 00:33:22 | 000,452,144 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgcsrvx.exe
PRC - [2013/07/04 14:53:28 | 000,763,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgrsx.exe
PRC - [2013/07/04 14:53:10 | 004,939,312 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgidsagent.exe
PRC - [2013/05/20 14:55:30 | 001,015,984 | ---- | M] (AVG Secure Search) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
PRC - [2012/11/22 21:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/10/30 03:29:14 | 001,234,432 | ---- | M] (Hiroyuki Yamamoto) -- C:\Program Files\Sylpheed\sylpheed.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/20 15:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/10 15:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2007/01/11 07:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE


========== Modules (No Company Name) ==========

MOD - [2014/02/18 10:17:48 | 000,086,800 | ---- | M] () -- C:\Program Files\SavingsBull\IEOptimizer.dll
MOD - [2013/08/28 19:25:02 | 000,100,688 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2013/08/28 19:23:38 | 001,861,968 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2012/10/30 03:30:04 | 000,011,264 | ---- | M] () -- C:\Program Files\Sylpheed\plugins\attachment_tool.dll
MOD - [2012/10/30 03:29:10 | 000,054,277 | ---- | M] () -- C:\Program Files\Sylpheed\libsylpheed-plugin-0-1.dll
MOD - [2012/10/30 03:28:30 | 000,566,664 | ---- | M] () -- C:\Program Files\Sylpheed\libsylph-0-1.dll
MOD - [2012/04/13 00:47:14 | 000,131,584 | ---- | M] () -- C:\Program Files\Sylpheed\libpng13.dll
MOD - [2011/09/05 01:59:00 | 000,051,712 | ---- | M] () -- C:\Program Files\Sylpheed\lib\gtk-2.0\2.10.0\engines\libwimp.dll
MOD - [2010/01/20 03:23:46 | 000,176,128 | ---- | M] () -- C:\Program Files\Sylpheed\libgpgme-11.dll
MOD - [2009/07/20 15:27:14 | 000,017,936 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\khalwrapper.dll
MOD - [2007/08/29 23:10:58 | 000,025,088 | ---- | M] () -- C:\Program Files\Sylpheed\lib\gtk-2.0\2.10.0\loaders\libpixbufloader-xpm.dll
MOD - [2007/06/21 02:57:54 | 000,418,816 | ---- | M] () -- C:\Program Files\Sylpheed\libcairo-2.dll
MOD - [2007/03/15 04:42:28 | 000,025,600 | ---- | M] () -- C:\Program Files\Sylpheed\libgpg-error-0.dll
MOD - [2006/08/03 23:49:02 | 000,016,896 | ---- | M] () -- C:\Program Files\Sylpheed\libcompface.dll
MOD - [2006/08/03 19:35:46 | 000,210,432 | ---- | M] () -- C:\Program Files\Sylpheed\libonig.dll
MOD - [2006/05/27 05:25:06 | 000,033,280 | ---- | M] () -- C:\Program Files\Sylpheed\libpangocairo-1.0-0.dll
MOD - [2006/05/27 05:25:06 | 000,008,704 | ---- | M] () -- C:\Program Files\Sylpheed\lib\pango\1.5.0\modules\pango-basic-win32.dll
MOD - [2005/10/11 04:17:18 | 000,917,504 | ---- | M] () -- C:\Program Files\Sylpheed\iconv.dll
MOD - [2005/07/19 22:48:10 | 000,059,904 | ---- | M] () -- C:\Program Files\Sylpheed\zlib1.dll


========== Services (SafeList) ==========

SRV - [2014/02/20 21:20:29 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/02/06 04:47:18 | 000,108,032 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV - [2014/01/27 15:45:12 | 000,546,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe -- (Level Quality Watcher)
SRV - [2013/12/21 01:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/11/20 01:54:20 | 000,283,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
SRV - [2013/07/04 14:53:10 | 004,939,312 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2013/05/26 23:57:27 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/05/20 14:55:30 | 001,015,984 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe -- (vToolbarUpdater15.2.0)
SRV - [2012/01/21 16:03:57 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/20 15:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2007/01/11 07:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- system32\drivers\hlnfd.sys -- (hlnfd)
DRV - [2013/11/25 01:48:36 | 000,208,184 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2013/10/23 01:05:20 | 000,022,328 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2013/10/23 01:05:10 | 000,039,224 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2013/07/20 00:51:00 | 000,246,072 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avglogx.sys -- (Avglogx)
DRV - [2013/07/20 00:50:56 | 000,060,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2013/07/20 00:50:50 | 000,171,320 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2013/07/01 00:45:28 | 000,096,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2013/05/20 14:55:30 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2013/03/21 02:08:24 | 000,182,072 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/02/14 05:42:36 | 000,020,864 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2011/02/14 05:42:34 | 000,025,216 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2011/02/14 05:42:32 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2010/12/07 17:23:00 | 000,025,088 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgandmodem.sys -- (ANDModem)
DRV - [2010/12/07 17:23:00 | 000,020,736 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lganddiag.sys -- (AndDiag)
DRV - [2010/12/07 17:23:00 | 000,020,096 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgandgps.sys -- (AndGps)
DRV - [2010/12/07 17:22:58 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgandbus.sys -- (Andbus)
DRV - [2010/11/20 16:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 16:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 16:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 16:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 16:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 16:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 16:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/11/20 16:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 16:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/06/17 11:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009/06/17 11:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 11:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B4 84 61 74 62 D8 CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - Extension: Google Docs = C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Google Wallet = C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0\
CHR - Extension: Gmail = C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2013/05/21 15:21:06 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IEOptimizer) - {10AD2C61-0898-4348-8600-14A342F22AC3} - C:\Program Files\SavingsBull\IEOptimizer.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll File not found
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe (DivX, LLC)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Add to Wish List - {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files\Amazon\Add to Wish List IE Extension\run.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F5CFB83D-4674-45F5-B64D-C75316FE2D3F}: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/02/28 20:38:38 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
[2014/02/27 03:03:12 | 000,000,000 | ---D | C] -- C:\Windows\Migration
[2014/02/21 17:29:07 | 000,000,000 | ---D | C] -- C:\Program Files\SavingsBull
[2014/02/06 12:53:02 | 000,017,496 | ---- | C] (System Speedup) -- C:\Windows\System32\roboot.exe
[2014/02/06 12:53:00 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Roaming\systweak
[2014/02/06 12:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\SavingsBullFilter
[2014/02/06 12:52:05 | 000,000,000 | ---D | C] -- C:\temp
[2014/02/06 12:52:02 | 000,000,000 | ---D | C] -- C:\Program Files\Level Quality Watcher

========== Files - Modified Within 30 Days ==========

[2014/02/28 20:38:55 | 000,021,904 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/02/28 20:38:55 | 000,021,904 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/02/28 20:38:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\David\Desktop\OTL.exe
[2014/02/28 20:36:05 | 000,662,400 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/02/28 20:36:05 | 000,122,268 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/02/28 20:31:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/02/28 20:31:46 | 2407,747,584 | -HS- | M] () -- C:\hiberfil.sys
[2014/02/28 20:20:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/02/23 11:47:47 | 000,017,344 | ---- | M] () -- C:\Users\David\Desktop\Extra Money Log.ods

========== Files Created - No Company Name ==========


========== ZeroAccess Check ==========

[2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/25 20:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 16:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 20:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/12/27 19:07:18 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\AVG2013
[2013/12/02 21:00:33 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\gtk-2.0
[2012/01/16 01:00:15 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\Leadertech
[2012/03/16 21:55:29 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\OpenOffice.org
[2014/02/28 20:33:10 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\Sylpheed
[2014/02/07 07:29:16 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\systweak
[2012/12/27 19:02:04 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\TuneUp Software

========== Purity Check ==========



< End of report >
#2 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Virus, Spyware, Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you may need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download the installer for Registry Backup from here or here and save to your desktop.
  • Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation
  • Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next > >> Finish
  • Once the GUI (graphical user interface) has appeared/loaded:-
Posted Image

  • Click on Backup Now >> once the process is complete, something similar to the below will be displayed in the GUI:-
Posted Image

  • Close Tweaking.com - Registry Backup
Note: there will now be a folder at the root of the hard drive named C:\RegBackup; do not delete this, as it is the actual backup just created.

A tutorial for Registry Backup explaining the various features can be viewed here.

Next:

Let me know when you have completed the above. Also post the Extras log created by OTL (it should be on your desktop) and we will then go from there, thank you.
#3 fertigline (Topic Starter, Member, 17 posts)
Hi Dakeyras,
I did the registry backup and here is the OTL Extras log.

OTL Extras logfile created on: 2/28/2014 8:39:52 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\David\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16518)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 55.71% Memory free
5.98 Gb Paging File | 4.53 Gb Available in Paging File | 75.86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 434.18 Gb Free Space | 93.23% Space Free | Partition Type: NTFS

Computer Name: DAVID-PC | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0592AF6D-5F37-4254-86AE-DE8B0E38DC8A}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0E9EAF11-BE75-4080-AE9C-CC2A90F82672}" = rport=138 | protocol=17 | dir=out | app=system |
"{3CA27007-784A-470C-9E1E-FB0784AA8318}" = rport=10243 | protocol=6 | dir=out | app=system |
"{3CD4129E-C5CC-4BA2-A99C-399DE7B5C708}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4189F6D3-23DE-4F1F-9818-A0F276D743D5}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{45433BF9-C45A-4923-B674-F163307516F2}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4FF70062-8E45-4C5A-A037-915D6E2B4CDB}" = lport=138 | protocol=17 | dir=in | app=system |
"{5F5DDF8A-D631-45AA-8391-9E29D06C2A58}" = rport=445 | protocol=6 | dir=out | app=system |
"{76567CC0-A896-4FAF-B45C-EFFDC5C5EC70}" = lport=10243 | protocol=6 | dir=in | app=system |
"{77616396-7CC1-4C65-A37C-AE89E5B14FE1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7B88A75E-659A-44D9-8FE1-9596EA428474}" = lport=445 | protocol=6 | dir=in | app=system |
"{7FACECB3-194E-4CEB-85CF-3A39C9E9076A}" = rport=139 | protocol=6 | dir=out | app=system |
"{952088EF-7F39-467F-A234-9BF322092C39}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{98FCB567-5849-41C4-A3B5-8206B8F1FABB}" = lport=139 | protocol=6 | dir=in | app=system |
"{9BEDAE14-26AF-41F0-A48B-DB45B8BC6053}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{A98BE8A1-1D0D-42B5-846C-4C7C255CB06B}" = lport=137 | protocol=17 | dir=in | app=system |
"{BD579A49-8B46-4559-8106-F7AC43146E29}" = rport=137 | protocol=17 | dir=out | app=system |
"{C7CAC198-CEB4-4689-B0C7-657B151F9D6D}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{CC86925D-4842-41DA-9EEB-C580E7C54126}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{D2E7A667-1B4E-41E8-9771-81709E1EB6B9}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DF1DE780-ACD9-4E3E-BF34-600C1162ECB5}" = lport=2869 | protocol=6 | dir=in | app=system |
"{EA90C871-1F04-4A53-9BC0-2199E6367A3A}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{EC331CF9-6356-4FA9-B5FB-C80E568B370E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04EC6B8C-E609-4CAC-A1E0-6AE747426B83}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgdiagex.exe |
"{0B1486D9-D346-4778-B9B9-FBEEEBF1DE45}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{0E176719-5126-496C-9163-9594372E8B01}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgdiagex.exe |
"{12B21C99-D4E8-442C-8111-279583C3DCD2}" = protocol=1 | dir=out | [email protected],-28544 |
"{51194EE4-8E14-4E8B-9B86-1D8B6874E44D}" = protocol=1 | dir=in | [email protected],-28543 |
"{59F26F58-8A78-4567-B559-140D0A54CDF7}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{5DB27BDC-CCF8-4B2E-8A99-AFF0B40F6EEA}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{6CBFC2B5-ABC3-49AA-AAEA-51E6F5440B5A}" = protocol=58 | dir=in | [email protected],-28545 |
"{6D841B79-00C3-4D7C-B48A-1AA49138BD0D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{72D1EA72-8F38-41FB-B5C8-850A8586102A}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgnsx.exe |
"{76EC6504-B45B-4E6B-AF4F-52C971D8B666}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{7E4429CC-A684-4AC4-B6B2-BBB45D6E9FC9}" = protocol=6 | dir=out | app=system |
"{82450C1E-61EE-4CD8-851F-D15D7B5D78AF}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgmfapx.exe |
"{833C86F1-41F7-461D-BA4F-613FEAC48E44}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgmfapx.exe |
"{9B920760-9E38-4258-910D-4C097CAB588D}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgemcx.exe |
"{AB5A1228-6E84-41E4-AA91-53CD2F499012}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C981487C-C12B-43DB-A2D1-7A33D3ECD8FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{CBCCCF3B-2367-4F99-983B-6049980BB666}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgnsx.exe |
"{CC7C9D97-54AD-49FB-AE27-5C91F8D097BC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{D0F3DFAE-91B8-4CB2-9A35-0B5E793012FC}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{D637412E-BD55-45BE-A8A3-EAC409538B62}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{DB3D37A2-34D1-4E67-A3F8-D4F682BEAEC6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DBE2B55D-2555-4549-A027-C8C84FB7988B}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgemcx.exe |
"{E3420C17-6D00-43DC-898B-DB35831C81FC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{FD899582-89B9-4F94-B38E-5BA66EB48AA9}" = protocol=58 | dir=out | [email protected],-28546 |
"{FE716252-8981-4DF6-85A7-8896460B9DC4}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{4903D172-DCCB-392F-93A3-34CA9D47FE3D}" = Microsoft .NET Framework 4.5.1
"{6DDE8071-E4BA-461B-8A96-990DFAA0EBD1}" = SavingsBull
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81FAD5EA-19B2-4A06-89EC-D65CD23AAD55}" = AVG 2013
"{851FB37B-65AD-43FD-AB4C-0D69310AD7AC}" = AVG 2013
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EA79DBF-D637-448A-89D6-410A087A4493}" = Samsung_MonSetup
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.06)
"{B03954CC-E130-4E57-BC83-869978685902}" = LG United Mobile Drivers
"{E36E864B-BFB6-440A-9A23-2B0BEDE59A92}" = MultiScreen
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 12 ActiveX
"Amazon Add to Wish List IE Extension" = Amazon Add to Wish List IE Extension 1.2
"AVG" = AVG 2013
"CCleaner" = CCleaner
"DivX Setup" = DivX Setup
"EPSON Printer and Utilities" = EPSON Printer Software
"HDMI" = Intel® Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Sylpheed" = Sylpheed 3.3

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 9000
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 7040
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 7042
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 9002
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 3029
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 3029
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 3028
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 3058
Description =

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Windows Search Service | ID = 7010
Description =

Error - 2/28/2014 9:33:20 PM | Computer Name = David-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 2/28/2014 1:03:50 AM | Computer Name = David-PC | Source = Microsoft-Windows-Application-Experience | ID = 205
Description = The Program Compatibility Assistant service failed to perform the
phase two initialization.

Error - 2/28/2014 2:41:05 AM | Computer Name = David-PC | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 2/28/2014 3:15:08 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
hlnfd

Error - 2/28/2014 3:15:14 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error
%%-1073473535.

Error - 2/28/2014 3:15:14 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 2/28/2014 9:30:56 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 2/28/2014 9:31:53 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
hlnfd

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error
%%-1073473535.

Error - 2/28/2014 9:32:03 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 2/28/2014 9:32:33 PM | Computer Name = David-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Search service, but
this action failed with the following error: %%1056


< End of report >

#4 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

I did the registry backup and here is the otl extras.

Acknowledged, let's proceed as follows, shall we...

Download/run Rkill:

Please download Rkill from one of the following links and save to your desktop:

One, Two, Three, Four or Five

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Post the log it creates (rkill.txt, found on the desktop) in your next reply.
Note: If your security software warns about Rkill, please ignore it and allow the download to continue. If one fails to work, delete it and download/try another.

Uninstall Undesirable Software:

Please go to Start(Windows 7 Orb) >> Control Panel >> Uninstall a program or Programs and Features and remove the following (if present):

SavingsBull

To do so click once on the above to highlight, then click on Uninstall/Change and follow the prompts.

Custom OTL Script:

  • Right-click OTL.exe and select Run as Administrator to start the program.
  • Copy the lines from the Quote-box (do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Commands
[CreateRestorePoint]

:OTL
MOD - [2014/02/18 10:17:48 | 000,086,800 | ---- | M] () -- C:\Program Files\SavingsBull\IEOptimizer.dll
DRV - File not found [Kernel | System | Stopped] -- system32\drivers\hlnfd.sys -- (hlnfd)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
O2 - BHO: (IEOptimizer) - {10AD2C61-0898-4348-8600-14A342F22AC3} - C:\Program Files\SavingsBull\IEOptimizer.dll ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2014/02/21 17:29:07 | 000,000,000 | ---D | C] -- C:\Program Files\SavingsBull
[2014/02/06 12:53:02 | 000,017,496 | ---- | C] (System Speedup) -- C:\Windows\System32\roboot.exe
[2014/02/06 12:53:00 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Roaming\systweak
[2014/02/06 12:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\SavingsBullFilter
[2014/02/06 12:52:02 | 000,000,000 | ---D | C] -- C:\Program Files\Level Quality Watcher
[2014/02/07 07:29:16 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\systweak
[2012/12/27 19:02:04 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\TuneUp Software

:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
netsh winsock reset all /c
netsh int ip reset all /c
netsh advfirewall reset /c
netsh advfirewall set allprofiles state on /c

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DivXMediaServer"=-
"DivXUpdate"=-
"Kernel and Hardware Abstraction Layer"=-

:Commands
[ResetHosts]
[EmptyTemp]
[Reboot]

  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • When OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The log file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Please download the installer for Malwarebytes' Anti-Malware to your desktop.

Note: The installer will be randomly named, say for example something like 549od2jqai.exe

  • Right-click on the randomly named exe file and select Run as Administrator, then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
When the program loads, Decline the Malwarebytes' Anti-Malware Trial (You can activate this when we've finished, if you so wish)
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:

  • Launch Malwarebytes' Anti-Malware
  • Click on the Logs radio tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and/or problems encountered?
  • Rkill log.
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.

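The Malwarebytes log asked for in the last step lists one detection per line as "item (family) -> ... -> action", and a log whose lines all end in "No action taken" shows detections that were listed but not yet removed (the Remove Selected step above is what changes that). The following parser, added here as an example and not code from Malwarebytes or from this thread's helper, summarises such a log by detection family, records which kinds of artefact each family left behind (running process, BHO registry key, service key, file) and counts how many detections are still pending. The sample log embedded in it is constructed from a handful of entries of the kind posted in this thread, with two lines altered to show the removed state.

```python
"""Summarise a Malwarebytes Anti-Malware 1.x scan log (added example).

Assumes only the log layout visible in this thread: section headers of the
form "<Kind> Detected: <n>", then one detection per line written as
"<item> (<family>) [-> <detail>]... -> <action>."
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")

# Status MBAM 1.x prints when results were viewed but nothing was removed.
PENDING = "No action taken"

# Constructed sample in the shape of the log posted in this thread; the two
# "Quarantined and deleted" lines were altered to show the removed state.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Scan type: Quick scan

Memory Processes Detected: 1
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe (PUP.Optional.Savingsbull) -> 1952 -> No action taken.

Memory Modules Detected: 1
C:\Program Files\SavingsBull\IEOptimizer.dll (PUP.Optional.ScorpionSaver) -> No action taken.

Registry Keys Detected: 3
HKLM\SYSTEM\CurrentControlSet\Services\Level Quality Watcher (PUP.Optional.Savingsbull) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> No action taken.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HLNFD (PUP.Optional.Highlightly) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\hlnfd|DisplayName (PUP.Optional.Highlightly) -> Data: hlnfd -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\System32\roboot.exe (PUP.Optional.PCPerformer.A) -> No action taken.
C:\temp\InstallFilter32.msi (PUP.Optional.SavingsBull.A) -> No action taken.
"""


@dataclass
class Detection:
    kind: str          # section name, e.g. "Registry Keys"
    item: str          # file path, registry key, or key|value
    family: str        # detection name, e.g. "PUP.Optional.SavingsBull.A"
    action: str        # trailing status, e.g. "No action taken"
    detail: list = field(default_factory=list)  # middle segments (PID, "Data: ...")


def parse_detection(kind, line):
    """Parse one detection line; return None for lines that are not detections."""
    parts = line.split(" -> ")
    if len(parts) < 2:
        return None
    m = HEAD_RE.match(parts[0])
    if not m:
        return None
    return Detection(kind=kind, item=m["item"], family=m["family"],
                     action=parts[-1].rstrip("."), detail=parts[1:-1])


def parse_log(text):
    """Return (detections, mismatches); mismatches names sections whose
    declared count differs from the detection lines actually present."""
    detections, per_section, declared, kind = [], Counter(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            kind = m["kind"]
            declared[kind] = int(m["count"])
            continue
        # Skip the preamble, blank lines and "(No malicious items detected)".
        if kind is None or not line or line.startswith("("):
            continue
        d = parse_detection(kind, line)
        if d:
            detections.append(d)
            per_section[kind] += 1
    return detections, [k for k, n in declared.items() if per_section[k] != n]


def summarize(text):
    """Group detections by family and report how many were actually removed."""
    detections, mismatches = parse_log(text)
    footprint = defaultdict(set)  # family -> kinds of artefact it left behind
    for d in detections:
        footprint[d.family].add(d.kind)
    pending = sum(1 for d in detections if d.action == PENDING)
    return {
        "total": len(detections),
        "pending": pending,
        "removed": len(detections) - pending,
        "by_family": dict(Counter(d.family for d in detections)),
        "footprint": {f: sorted(k) for f, k in footprint.items()},
        "header_mismatches": mismatches,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} detections, {s['pending']} still pending removal")
    for fam, n in sorted(s["by_family"].items(), key=lambda kv: -kv[1]):
        print(f"  {fam:32} {n:3}  in {', '.join(s['footprint'][fam])}")
    if s["header_mismatches"]:
        print("section counts disagree with lines present:", s["header_mismatches"])
```

The header-count check matters when a log is pasted into a forum post: a truncated paste (the 108-file section of the real log is a likely candidate) shows up as a mismatch rather than being read as a complete result.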

#5 fertigline (Member, Topic Starter, 17 posts)
Hi,
Yeah, I'm still having the pop-ups and stuff I mentioned before. Nothing has changed.

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingc...opic308364.html

Program started at: 03/02/2014 12:22:58 PM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 03/02/2014 12:23:33 PM
Execution time: 0 hours(s), 0 minute(s), and 34 seconds(s)



All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
Error: Unable to interpret < :OTL> in the current context!
Error: Unable to interpret < MOD - [2014/02/18 10:17:48 | 000,086,800 | ---- | M] () -- C:\Program Files\SavingsBull\IEOptimizer.dll> in the current context!
Error: Unable to interpret < DRV - File not found [Kernel | System | Stopped] -- system32\drivers\hlnfd.sys -- (hlnfd)> in the current context!
Error: Unable to interpret < IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret < O2 - BHO: (IEOptimizer) - {10AD2C61-0898-4348-8600-14A342F22AC3} - C:\Program Files\SavingsBull\IEOptimizer.dll ()> in the current context!
Error: Unable to interpret < O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)> in the current context!
Error: Unable to interpret < O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found> in the current context!
Error: Unable to interpret < O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.> in the current context!
Error: Unable to interpret < [2014/02/21 17:29:07 | 000,000,000 | ---D | C] -- C:\Program Files\SavingsBull> in the current context!
Error: Unable to interpret < [2014/02/06 12:53:02 | 000,017,496 | ---- | C] (System Speedup) -- C:\Windows\System32\roboot.exe> in the current context!
Error: Unable to interpret < [2014/02/06 12:53:00 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Roaming\systweak> in the current context!
Error: Unable to interpret < [2014/02/06 12:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\SavingsBullFilter> in the current context!
Error: Unable to interpret < [2014/02/06 12:52:02 | 000,000,000 | ---D | C] -- C:\Program Files\Level Quality Watcher> in the current context!
Error: Unable to interpret < [2014/02/07 07:29:16 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\systweak> in the current context!
Error: Unable to interpret < [2012/12/27 19:02:04 | 000,000,000 | ---D | M] -- C:\Users\David\AppData\Roaming\TuneUp Software> in the current context!
Error: Unable to interpret < :Files> in the current context!
Error: Unable to interpret < ipconfig /release /c> in the current context!
Error: Unable to interpret < ipconfig /renew /c> in the current context!
Error: Unable to interpret < ipconfig /flushdns /c> in the current context!
Error: Unable to interpret < netsh winsock reset all /c> in the current context!
Error: Unable to interpret < netsh int ip reset all /c> in the current context!
Error: Unable to interpret < netsh advfirewall reset /c > in the current context!
Error: Unable to interpret < netsh advfirewall set allprofiles state on /c > in the current context!
Error: Unable to interpret < :Reg> in the current context!
Error: Unable to interpret < [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]> in the current context!
Error: Unable to interpret < "DivXMediaServer"=-> in the current context!
Error: Unable to interpret <"DivXUpdate"=-> in the current context!
Error: Unable to interpret <"Kernel and Hardware Abstraction Layer"=-> in the current context!
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: David
->Temp folder emptied: 282398 bytes
->Temporary Internet Files folder emptied: 254630546 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3051 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4686787 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 248.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03022014_122712

Files\Folders moved on Reboot...
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\4A72F430-B40C-4D36-A068-CE33ADA5ADF9.dat moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIO1JNZW\LW44BTV7.htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NLDJ20HU\userData[1].htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NLDJ20HU\xdm[1].htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2NZA7EAS\page__pid__2379202[1].htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.02.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16518
David :: DAVID-PC [administrator]

3/2/2014 12:42:45 PM
mbam-log-2014-03-02 (12-42-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205673
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Detected: 1
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe (PUP.Optional.Savingsbull) -> 1952 -> No action taken.

Memory Modules Detected: 1
C:\Program Files\SavingsBull\IEOptimizer.dll (PUP.Optional.ScorpionSaver) -> No action taken.

Registry Keys Detected: 12
HKLM\SYSTEM\CurrentControlSet\Services\Level Quality Watcher (PUP.Optional.Savingsbull) -> No action taken.
HKCR\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> No action taken.
HKCU\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> No action taken.
HKCU\Software\AppDataLow\Software\Crossrider (PUP.Optional.CrossRider.A) -> No action taken.
HKCU\Software\AppDataLow\Software\Savings Bull (PUP.Optional.SavingsBull.A) -> No action taken.
HKCU\Software\AppDataLow\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> No action taken.
HKLM\SOFTWARE\Highlightly (PUP.Optional.Highlightly) -> No action taken.
HKLM\SOFTWARE\SavingsbullFilter (PUP.Optional.SavingsBull.A) -> No action taken.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HLNFD (PUP.Optional.Highlightly) -> No action taken.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\hlnfd|DisplayName (PUP.Optional.Highlightly) -> Data: hlnfd -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Level Quality Watcher\v1.01 (PUP.Optional.Adpeak) -> No action taken.
C:\Program Files\SavingsBull (PUP.Optional.SavingsBull.A) -> No action taken.

Files Detected: 108
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe (PUP.Optional.Savingsbull) -> No action taken.
C:\Program Files\SavingsBull\IEOptimizer.dll (PUP.Optional.ScorpionSaver) -> No action taken.
C:\temp\InstallFilter32.msi (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Windows\System32\roboot.exe (PUP.Optional.PCPerformer.A) -> No action taken.
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe (PUP.Optional.Adpeak) -> No action taken.
C:\Program Files\SavingsBull\background.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\bootstrap.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\bootstrap.js.old (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\CustomActionInstall (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\CustomActionUninstall (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_addon_runner.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_api-utils.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_base64.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_byte-streams.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_collection.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_content.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_cortex.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_cuddlefish.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_deprecate.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_environment.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_errors.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_events.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_functional.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_globals.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_heritage.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_hidden-frame.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_light-traits.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_list.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_loader.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_match-pattern.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_memory.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_namespace.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_observer-service.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_plain-text-console.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_preferences-service.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_promise.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_querystring.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_addonkit_page-mod.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_addonkit_private-browsing.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_addonkit_request.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_sandbox.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_self.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_system.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_text-streams.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_timer.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_traceback.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_traits.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_unload.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_url.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_uuid.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_window-utils.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_xhr.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_xpcom.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_xul-app.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_addonkit_windows.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_file.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_base_runtime.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_locales.json (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_traits_core.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_bootstrap.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_content_content-proxy.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_content_content-worker.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_content_loader.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_content_symbiont.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_content_worker.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_dom_events.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_events_assembler.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_event_core.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_event_target.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_harness-options.json (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_icon.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_icon64.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_install.rdf (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_l10n_core.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_l10n_html.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_l10n_loader.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_l10n_locale.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_l10n_prefs.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_main.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_main.js.old (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_prefs.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_privatebrowsing_utils.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_system_events.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_tabs_events.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_tabs_observer.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_tabs_tab.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_tabs_utils.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_utils_data.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_utils_object.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_utils_registry.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_utils_thumbnail.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_windows_dom.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_windows_loader.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_windows_observer.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_windows_tabs.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\ff_window_utils.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\icon128.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\icon16.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\icon32.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\icon48.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\icon64.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\icon8.png (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\IEOptimizer64.dll (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\manifest.json (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\marcopolo.js (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\Microsoft.Deployment.WindowsInstaller.dll (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\Microsoft.Deployment.WindowsInstaller.xml (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files\SavingsBull\SendJson.dll (PUP.Optional.SavingsBull.A) -> No action taken.

(end)
  • 0

#6
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

Yeah I'm still having the pop ups and stuff I mentioned before. Nothing has changed.

It appears the formatting of the custom script did not quite cut and paste correctly for some reason. Nor did you let Malwarebytes Anti-Malware remove what it found. Not to worry, we will merely take a different approach as follows...

Custom OTL Script:

Please download the attached fix.txt(see below) file to your desktop.

[attachment=69393:fix.txt]

  • Right-click on OTL.exe and select Run as Administrator to start OTL.
  • Click on Run Fix
  • When prompted with:-

No fix has been provided!

Click Ok to load it from a file or Cancel to cancel

  • Click the Ok button and navigate to the file fix.txt which you just saved to the desktop.
  • Select fix.txt and click Open. Writing will now appear under the Custom Scan box.
  • Then click the red Run Fix button again.
  • Let the program run unhindered.
  • When OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and/or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.

  • 0

#7
fertigline

fertigline

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi,
It seems to be working a lot better. I surfed the internet for a while after the fixes and it seemed to be working normally.

Here are the logs:


All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Releasing module C:\Program Files\SavingsBull\IEOptimizer.dll
C:\Program Files\SavingsBull\IEOptimizer.dll moved successfully.
Service hlnfd stopped successfully!
Service hlnfd deleted successfully!
File system32\drivers\hlnfd.sys not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}\ deleted successfully.
File C:\Program Files\SavingsBull\IEOptimizer.dll not found.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\linkscanner\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}\ deleted successfully.
File {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
C:\Program Files\SavingsBull folder moved successfully.
C:\Windows\System32\roboot.exe moved successfully.
C:\Users\David\AppData\Roaming\systweak\ssd folder moved successfully.
C:\Users\David\AppData\Roaming\systweak\BeforeUninstall folder moved successfully.
C:\Users\David\AppData\Roaming\systweak folder moved successfully.
C:\Program Files\SavingsBullFilter folder moved successfully.
C:\Program Files\Level Quality Watcher\v1.01 folder moved successfully.
C:\Program Files\Level Quality Watcher folder moved successfully.
Folder C:\Users\David\AppData\Roaming\systweak\ not found.
C:\Users\David\AppData\Roaming\TuneUp Software\TU2012\Backups folder moved successfully.
C:\Users\David\AppData\Roaming\TuneUp Software\TU2012 folder moved successfully.
C:\Users\David\AppData\Roaming\TuneUp Software folder moved successfully.
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::965:6e9f:c84b:e6a3%11
Default Gateway . . . . . . . . . :
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : columbus.rr.com
Link-local IPv6 Address . . . . . : fe80::965:6e9f:c84b:e6a3%11
IPv4 Address. . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
< netsh winsock reset all /c >
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
< netsh int ip reset all /c >
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
< netsh advfirewall reset /c >
Ok.
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
< netsh advfirewall set allprofiles state on /c >
Ok.
C:\Users\David\Desktop\cmd.bat deleted successfully.
C:\Users\David\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DivXMediaServer deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DivXUpdate deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Kernel and Hardware Abstraction Layer deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: David
->Temp folder emptied: 18570 bytes
->Temporary Internet Files folder emptied: 59103077 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1169 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13592 bytes
RecycleBin emptied: 639448 bytes

Total Files Cleaned = 57.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03032014_171218

Files\Folders moved on Reboot...
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\4A72F430-B40C-4D36-A068-CE33ADA5ADF9.dat moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KXS2OI78\page__pid__2379532[1].htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7SLXHBD\BS8DBE1E.htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A3Q037OZ\__rapid-worker-1.1[1].js moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...




Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.02.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16518
David :: DAVID-PC [administrator]

3/3/2014 5:17:41 PM
mbam-log-2014-03-03 (17-17-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205402
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10AD2C61-0898-4348-8600-14A342F22AC3} (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.
HKCU\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\Crossrider (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\Savings Bull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Highlightly (PUP.Optional.Highlightly) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\SavingsbullFilter (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Level Quality Watcher (PUP.Optional.AdPeak.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\temp\InstallFilter32.msi (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

(end)
  • 0

#8
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

It seems to be working a lot better. I surfed the internet for a while after the fixes and it seemed to be working normally.

Good, let's proceed as follows, shall we...

Scan with JRT:

Please download Junkware Removal Tool to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts; how to do so can be read here.

  • Right-click on JRT.exe and select Run as Administrator to launch the application >> follow the on-screen prompt.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Note: Reboot your machine and ensure all disabled security software is now enabled etc.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan...

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then right click on it and select Run as Administrator to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

My friendly advice is you consider keeping the online scanner installed, then run it say once per month as an extra check. A quick easy way to do so would be via:-

Click on Start(Windows 7 Orb) >> Computer >> C: >> Program Files (x86) >> ESET >> ESET Online Scanner >> then right click on OnlineScannerApp and select Run as Administrator.

Next:

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and/or problems encountered?
  • Junkware Removal Tool Log
  • ESET Online Scanner Log.

  • 0

#9
fertigline

fertigline

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi,
My computer still seems to be working well.

Here are the logs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Professional x86
Ran by David on Wed 03/05/2014 at 13:15:22.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\systweak
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\systweak



~~~ Files

Successfully deleted: [File] "C:\end"



~~~ Folders

Successfully deleted: [Folder] "C:\Users\David\appdata\locallow\boost_interprocess"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/05/2014 at 13:19:15.44
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




[email protected] as CAB hook log:
OnlineScanner.ocx - delete file error:Access is denied.

OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=11.00.9600.16428 (winblue_gdr.131013-1700)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=d2f38f689a688844afb5164673ed3b26
# engine=17331
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-03-05 07:42:12
# local_time=2014-03-05 02:42:12 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1039 16777213 100 92 0 80239316 0 0
# compatibility_mode=5893 16776574 66 85 19685654 145593323 0 0
# scanned=91358
# found=7
# cleaned=0
# scan_time=1993
sh=6205DDE47C041E3B67EFC540F89F24344835EE11 ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B application" ac=I fn="C:\temp\t.msi"
sh=2FEC2BB06C11B711B37E7D1BAC0004F8F25A4C7B ft=1 fh=9586b0754c97a9e0 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\David\Downloads\ccsetup401.exe"
sh=6205DDE47C041E3B67EFC540F89F24344835EE11 ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B application" ac=I fn="C:\Windows\Installer\47bfb1b.msi"
sh=80DC1B8044FE7F2BC57777F9559C5050B1DF5736 ft=1 fh=3a2e66d2f7d1673f vn="a variant of Win32/AdWare.Adpeak.D application" ac=I fn="C:\_OTL\MovedFiles\03032014_171218\C_Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe"
sh=408E4906C3F215C0E44282D24B340DAF03D014A4 ft=1 fh=94d81bcdb603e2f9 vn="a variant of Win64/Adware.Adpeak.C application" ac=I fn="C:\_OTL\MovedFiles\03032014_171218\C_Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe"
sh=C326A12172A76DCE91D9290C0EB7045945E032FB ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B application" ac=I fn="C:\_OTL\MovedFiles\03032014_171218\C_Program Files\SavingsBull\bootstrap.js"
sh=AFF6026DD64A6AD95B73CD2D1EE61EAEBA192C4E ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B application" ac=I fn="C:\_OTL\MovedFiles\03032014_171218\C_Program Files\SavingsBull\bootstrap.js.old"
  • 0
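The Malwarebytes and ESET result lines in the logs above are worth being able to read mechanically when triaging a thread like this. The following is an added example, not part of this thread and not code from Malwarebytes or ESET: a Python helper that parses both line formats quoted on the page and lists the detections a scanner reported but did not remove (the "No action taken" items from the earlier Malwarebytes log, and every ESET finding, since that scan ran with remove_checked=false). The line shapes are taken from the logs above; the "Program Files (x86)" line in the sample is constructed to show that parentheses inside a path parse correctly, and the "PUP.Optional.Example" name on it is a placeholder.

```python
"""Added example (not from this thread or from Malwarebytes/ESET): parse the
two scan-result line formats quoted above and list what was found but not
removed. Line shapes are taken from the logs on the page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Malwarebytes result line:  <path> (<signature>) -> <action>.
MBAM_LINE = re.compile(r'^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$')
# ESET result line: space-separated key=value tokens, values optionally "quoted".
ESET_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Detection:
    source: str            # "mbam" or "eset"
    path: str              # file or registry path the scanner reported
    name: str              # vendor signature name
    removed: bool          # True if the scanner quarantined/deleted the item
    sha1: Optional[str] = None


def parse_mbam(text: str) -> List[Detection]:
    """Collect every '<path> (<signature>) -> <action>.' line from an MBAM log.
    Header lines, counts and '(No malicious items detected)' do not match."""
    found = []
    for raw in text.splitlines():
        m = MBAM_LINE.match(raw.strip())
        if not m:
            continue
        action = m.group('action').lower()
        found.append(Detection('mbam', m.group('path'), m.group('name'),
                               removed='quarantined' in action or 'deleted' in action))
    return found


def parse_eset(text: str) -> List[Detection]:
    """Collect 'sh=... vn="..." fn="..."' lines from an ESET Online Scanner log.
    The '# remove_checked=' header says whether the scan was allowed to clean;
    with it false (as in the log above) every finding is still on disk."""
    header: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('# ') and '=' in line:
            key, _, value = line[2:].partition('=')
            header[key.strip()] = value.strip()
    removed = header.get('remove_checked', 'false').lower() == 'true'
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('sh='):
            continue
        kv = {}
        for m in ESET_KV.finditer(line):
            kv[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        found.append(Detection('eset', kv.get('fn', ''), kv.get('vn', ''),
                               removed=removed, sha1=kv.get('sh')))
    return found


def unresolved(detections: List[Detection]) -> List[Detection]:
    """Items a scanner saw but left in place: the ones still to be dealt with."""
    return [d for d in detections if not d.removed]


def families(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per signature name, e.g. 'PUP.Optional.SavingsBull.A'."""
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.name] = counts.get(d.name, 0) + 1
    return counts


# Sample input: lines taken from the Malwarebytes logs quoted in this thread
# (count header adjusted), plus one constructed "(x86)" line with a placeholder
# signature name to show that parentheses inside a path do not confuse the parser.
SAMPLE_MBAM = r"""Registry Keys Detected: 9
HKCU\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Level Quality Watcher (PUP.Optional.AdPeak.A) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Program Files\SavingsBull\SendJson.dll (PUP.Optional.SavingsBull.A) -> No action taken.
C:\Program Files (x86)\Example\ex.dll (PUP.Optional.Example) -> No action taken.
(No malicious items detected)
"""

# Sample input: header and result lines taken from the ESET log quoted above.
SAMPLE_ESET = r"""# version=8
# remove_checked=false
# found=2
# cleaned=0
sh=6205DDE47C041E3B67EFC540F89F24344835EE11 ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B application" ac=I fn="C:\temp\t.msi"
sh=2FEC2BB06C11B711B37E7D1BAC0004F8F25A4C7B ft=1 fh=9586b0754c97a9e0 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\David\Downloads\ccsetup401.exe"
"""

if __name__ == '__main__':
    detections = parse_mbam(SAMPLE_MBAM) + parse_eset(SAMPLE_ESET)
    for d in unresolved(detections):
        print(f'[{d.source}] still present: {d.path}  ({d.name})')
```

Run against the two sample texts it reports four items still present: the two Malwarebytes files that were left with "No action taken" and both ESET findings. The ESET action code (ac=I) is deliberately not interpreted, because the page does not document it; the remove_checked header is what actually says whether cleaning was permitted.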

#10
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

My computer still seems to be working well.

Good, let's deal with the results of the online scan as follows...

If a copy of fix.txt is still present on your desktop, please delete that as I have a new one for you to download.

Custom OTL Script:

Please download the attached fix.txt(see below) file to your desktop.

[attachment=69432:fix.txt]

  • Right-click on OTL.exe and select Run as Administrator to start OTL.
  • Click on Run Fix
  • When prompted with:-

No fix has been provided!

Click Ok to load it from a file or Cancel to cancel

  • Click the Ok button and navigate to the file fix.txt which you just saved to the desktop.
  • Select fix.txt and click Open. Writing will now appear under the Custom Scan box
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The log file can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Software Update Check:

  • Download and install FileHippo Update Checker from here.
  • Once installed (during the installation process deselect the option:- Run at Startup) >> Start(Windows 7 Orb) >> All Programs >> right-click on Update Checker and select Run as Administrator >> a browser window will open after the scan is complete.
  • Download any updates detected (apart from beta updates) to the desktop >> uninstall anything that requires updating via Uninstall a program or Programs and Features in the Control Panel.
  • Re-install the updated software, delete the installers and then empty the Recycle Bin.
  • When you have completed the above, let myself know, plus whether any further issues remain, and then post the contents of the Custom OTL Script, thank you.
Note: When I give the all clear my advice would be to consider keeping FileHippo Update Checker installed. Then periodically use it to check for any updates, as having certain software outdated is a potential way for malware to gain a foothold and exploit a system etc.
  • 0

#11
fertigline

fertigline

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi,
I ran the fix and installed the updates. Also my computer seems to be running normally, no problems.
Here's the log:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\temp\t.msi moved successfully.
C:\Users\David\Downloads\ccsetup401.exe moved successfully.
C:\Windows\Installer\47bfb1b.msi moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David
->Temp folder emptied: 8720207 bytes
->Temporary Internet Files folder emptied: 251857561 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 4205 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 35029 bytes
RecycleBin emptied: 1813 bytes

Total Files Cleaned = 249.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03072014_210107

Files\Folders moved on Reboot...
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\4A72F430-B40C-4D36-A068-CE33ADA5ADF9.dat moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OSGDZIHD\Ohio[1].htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MTKG5ZX7\page__pid__2380539[1].htm moved successfully.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Edited by fertigline, 07 March 2014 - 08:59 PM.

  • 0

#12
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

installed the updates. Also my computer seems to be running normally, no problems.

Good... congratulations, your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

As is this:

What to do if your Computer is running slowly

Clean-Up with DelFix:

Please download DelFix to your desktop

  • Right-click on delfix.exe and select Run as Administrator to launch the application.
  • Referring to the image below, select all available options:
Posted Image

  • Then click on Run.
  • Once it has finished processing, a notepad file named DelFix.txt will open. Post the contents in your next reply for my review.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.
  • After you have posted the aforementioned DelFix.txt, delete it and empty the Recycle Bin.
The above process should clean up and remove the vast majority of scanners used and logs created etc., and reset the System Restore points.

Any left over, merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan at least once per week.

Other installed security software:

Your presently installed security application, AVG2013, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this at least once per week.

Registry Backup:

Tweaking.com - Registry Backup, I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Note: As mentioned prior, a tutorial for Registry Backup explaining the various features can be viewed here.

Further reading/resources:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

As is this: Computer Security - a short guide to staying safer online

And these are worth reading also: Understanding Windows Firewall settings & Securing Your Router

Keep Your System Updated:

Microsoft releases patches for Windows and other products regularly:

  • Click on Start(Windows 7 Orb) >> All Programs >> Windows Update.
  • In the navigation pane, click Check for updates.
  • After Windows Update has finished checking for updates, click View available updates.
  • Click to select the check box for any found, then click Install.
  • When completed Reboot(restart) your computer if not prompted to do so.
Plus check Automatic Updates is enabled.

Update to Internet Explorer v11:

IE9 has been superseded by IE11 for Windows 7 and above. I strongly advise you download and install the new browser from here. This will increase overall security whilst browsing online.

Even if you do not use IE often, having the latest version installed will still increase your machine's overall security. This web-page is worth bookmarking/reading for future reference:-

Securing Your Web Browser

Be careful when opening attachments and downloading files:

1 - Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.

2 - Never open emails from unknown senders.

4 - Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.

5 - Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on FileHippo or MajorGeeks.

Stop malicious scripts:

Windows by default allows scripts (that is, VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like uTorrent, BitTorrent, Azureus, Limewire, Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

I will further add: P2P software has the ability to create a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their infected dross onto your computer. Further to that, if your P2P software is not configured correctly you may be sharing more files than you realise. There have been cases where people's address books, passwords, and other personal, private and financial details have been exposed to the file sharing network by badly configured P2P applications.

My friendly advice is to avoid these types of software applications.

Consider the below extra/layered security for your machine:

Custom Host File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A custom Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

Only use one of the above!

CryptoPrevent Tool:

How to prevent your computer from becoming infected by CryptoLocker

WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

Next:

Post the requested DelFix.txt. Any questions? Feel free to ask, if not stay safe!
  • 0
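The custom Hosts file advice in the post above relies on every entry pointing at 127.0.0.1 (or another address that goes nowhere). As an added example that is not part of this thread and not code from any Hosts file project, here is a Python check that parses a Windows Hosts file and separates block-list entries from entries that send a name to a real address, which is what a tampered Hosts file looks like and the reason the OTL fix earlier in the thread reset the file. The sample content is constructed for the example (the .example names and 192.0.2.10 are reserved documentation values); the Hosts file path is the one shown in the OTL log above.

```python
"""Added example (not from this thread): audit a Windows Hosts file, sorting
block-list entries (names sent to a loopback/unspecified address) from entries
that redirect a name to a real address."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Path shown in the OTL log earlier in this thread.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: List[str]


@dataclass
class HostsAudit:
    sinkholed: List[HostsEntry] = field(default_factory=list)   # block-list style entries
    redirected: List[HostsEntry] = field(default_factory=list)  # names pointed at a real address
    invalid: List[int] = field(default_factory=list)            # line numbers that do not parse


def is_sinkhole(address: str) -> bool:
    """True for the addresses a block-list Hosts file uses to make a name go nowhere
    (127.0.0.1, ::1, 0.0.0.0, ::). Raises ValueError for anything that is not an IP."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> HostsAudit:
    """Parse Hosts syntax '<address> <name> [<name> ...] [# comment]' line by line."""
    audit = HostsAudit()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()     # drop comments and surrounding space
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                      # an address with no names is malformed
            audit.invalid.append(lineno)
            continue
        entry = HostsEntry(lineno, parts[0], [n.lower() for n in parts[1:]])
        try:
            sink = is_sinkhole(entry.address)
        except ValueError:                      # first token is not an IP address
            audit.invalid.append(lineno)
            continue
        (audit.sinkholed if sink else audit.redirected).append(entry)
    return audit


def audit_hosts_file(path: str = WINDOWS_HOSTS) -> HostsAudit:
    """Read and audit a Hosts file from disk; utf-8-sig also accepts a BOM, which
    some editors write at the start of the file."""
    with open(path, encoding='utf-8-sig', errors='replace') as fh:
        return audit_hosts(fh.read())


# Constructed sample for this example: .example names and 192.0.2.10 are reserved
# documentation values, not real hosts.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example tracker.example
127.0.0.1       Banner.example        # block-list entry
192.0.2.10      update.example        # not a sinkhole: a name redirected to a real host
not-an-address  broken.example
127.0.0.1
"""

if __name__ == '__main__':
    result = audit_hosts(SAMPLE_HOSTS)
    print(f'{len(result.sinkholed)} block-list entries')
    for e in result.redirected:
        print(f'line {e.lineno}: {", ".join(e.names)} -> {e.address}  (not a sinkhole, review this)')
    for n in result.invalid:
        print(f'line {n}: could not parse')
```

On the constructed sample the check reports four block-list entries, flags line 6 (update.example sent to 192.0.2.10) for review, and lists lines 7 and 8 as unparseable. Calling audit_hosts_file() with no argument reads the real Windows Hosts file; on a clean machine with one of the block-list files installed, the redirected list should be empty.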

#13
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





