Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Pop up window appearing once every 4-6 hours [Closed]

adobe

  • This topic is locked This topic is locked

#1
jtemail

jtemail

    Member

  • Member
  • PipPip
  • 26 posts

I am getting a pop-up window in the bottom right corner of my screen every 4-6 hours of various photos.  Sometimes its little puppies, sometimes its a girl in a bikini or something like that.  If I click on the X to close the window, its spawns 2 web links, one of which usually sends me somewhere saying that my Adobe is out of date and then another is typically some random porn site or site that has some sort of phishing content with a crazy URL.  I have run Kapersky, MalwareBytes, Spybot, and have a corporate Norton System Endpoint Protection forcefully installed by my company.

 

They've found some things and cleaned them but this one window issue keeps coming up every day, seemingly at random.  I am pasting my Hijack this log below.  Any insight would be appreciated if anyone has any ideas on how to kill this thing.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 12:30:39 AM, on 2/7/2016
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.18123)
 
FIREFOX: 22.0 (en-US)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
C:\Windows\CCM\SCNotification.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
C:\Users\mqc874\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\mqc874\AppData\Local\ATT Connect\Participant\pull.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe
C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe
C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\PROGRA~2\WebEx\PRODUC~1\ptSrv.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\BlueStacks\HD-Agent.exe
C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe
C:\Users\mqc874\Downloads\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft..../?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mot.com;access.motorola.com;*.mot-mobility.com;<local>;192.168.*.*;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: 144.189.28.14 secnet.access.motorola.com
O1 - Hosts: 144.187.33.12 emea-blue.access.motorola.com
O2 - BHO: Skype for Business Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Cisco WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
O2 - BHO: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office15\URLREDIR.DLL
O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O3 - Toolbar: Cisco WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
O4 - HKLM\..\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
O4 - HKLM\..\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
O4 - HKLM\..\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [YouCam Mirage] "C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe"
O4 - HKLM\..\Run: [YouCam Tray] "C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe" /s
O4 - HKLM\..\Run: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
O4 - HKLM\..\Run: [BlueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\mqc874\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Push Client] "C:\Users\mqc874\AppData\Local\ATT Connect\Participant\pull.exe"
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
O4 - HKCU\..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
O4 - HKCU\..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 - HKCU\..\Run: [GenieFloater] C:\Program Files (x86)\Genie Soft\Genie Cleaner\GenieFloater.exe
O4 - HKCU\..\Run: [PTOneClick] "C:\Program Files (x86)\WebEx\Productivity Tools\ptoneclk.exe" /AutoRun
O4 - HKCU\..\Run: [SpybotPostWindows10UpgradeReInstall] "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
O4 - HKCU\..\Run: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
O4 - HKCU\..\Run: [Lync] "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" /fromrunkey
O4 - HKCU\..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Verizon Wireless Software Utility Application for Android – Samsung.lnk.disabled
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Install LastPass IE RunOnce.lnk = C:\Program Files (x86)\Common Files\lpuninstall.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office15\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Users\mqc874\AppData\LocalLow\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\mqc874\AppData\LocalLow\LastPass\context.html?cmd=fillforms
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office15\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra button: Skype for Business Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O9 - Extra 'Tools' menuitem: Skype for Business Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://horizon.arrisi.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/...SetupClient.cab
O16 - DPF: {F6962361-AD4A-4897-A356-3E10A15A102C} (GpcContainer Class) - https://webxadmin-vm...ex/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ARRS.ARRISI.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ARRS.ARRISI.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = arrs.arrisi.com,arrisi.com,am.mot.com,dsa.mot-mobility.com,mot-mobility.com,corp.mot.com,ea.mot.com,ap.mot.com,mot.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ARRS.ARRISI.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = arrs.arrisi.com,arrisi.com,am.mot.com,dsa.mot-mobility.com,mot-mobility.com,corp.mot.com,ea.mot.com,ap.mot.com,mot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = arrs.arrisi.com,arrisi.com,am.mot.com,dsa.mot-mobility.com,mot-mobility.com,corp.mot.com,ea.mot.com,ap.mot.com,mot.com
O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDevice.exe
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files (x86)\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BlueStacks Android Service (BstHdAndroidSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-Service.exe
O23 - Service: BlueStacks Log Rotator Service (BstHdLogRotatorSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
O23 - Service: BlueStacks Updater Service (BstHdUpdaterSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
O23 - Service: CAM Service (CAMService) - Intel® Corporation - C:\Program Files\Intel\CAM\bin\CAMService.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: DisplayLinkManager (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Fitbit Connect Service (Fitbit Connect) - Fitbit, Inc. - C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
O23 - Service: GenieWifiService - Oppoos.com - C:\Program Files (x86)\Genie Soft\Genie Wifi\GenieWifiService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HyperW7 Service (HyperW7Svc) - Lenovo Group Limited - C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\Windows\system32\ibmpmsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: Intel® Capability Licensing Service Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel® PROSet Monitoring Service - Unknown owner - C:\Windows\system32\IProsetMonitor.exe (file missing)
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
O23 - Service: ThinkVantage Virtual Camera Controller (LENOVO.TVTVCAM) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe
O23 - Service: Lenovo Auto Scroll (Lenovo.VIRTSCRLSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: LpsSearchSvc - Lenel Systems International, Inc. - C:\Program Files (x86)\Common Files\Lenel\LpsSearchSvc.exe
O23 - Service: LS Client Update - Lenel Systems International, Inc. - C:\Program Files (x86)\OnGuard\Lnl.OG.AutoUpgrade.Client.exe
O23 - Service: LS Config Download Service - Lenel Systems International, Inc. - C:\Program Files (x86)\OnGuard\LnlConfigDownloadService.exe
O23 - Service: LS Linkage Server - Lenel Systems International, Inc. - C:\Program Files (x86)\OnGuard\LSLServer.exe
O23 - Service: LS PTZ Tour Server - Lenel Systems International, Inc. - C:\Program Files (x86)\OnGuard\LnlPTZTourServer.exe
O23 - Service: Motorola Device Manager Service (Motorola Device Manager) - Motorola Mobility LLC - C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Aventail VPN Client (NgVpnMgr) - Unknown owner - C:\Windows\system32\ngvpnmgr.exe (file missing)
O23 - Service: PanGPS - Palo Alto Networks - C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: PST Service - Motorola - C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
O23 - Service: Quest Migration Manager RUM Agent Service (QsRUMAgent) - Quest Software - C:\Windows\Quest Resource Updating Agent\QsResourceUpdatingAgent.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Riverbed Technology, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: ConfigMgr Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\CCM\TSManager.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
O23 - Service: SAMSUNG Mobile Connectivity Service (ss_conn_service) - DEVGURU Co., LTD. - C:\Program Files (x86)\Samsung\USB Drivers\25_escape\conn\ss_conn_service.exe
O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
O23 - Service: Lenovo Hotkey Client Loader (TPHKLOAD) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: Watsvc - TODO: <???> - C:\Program Files (x86)\Blazers\Watsvc.exe
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Zero Configuration Service (ZeroConfigService) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
 
--
End of file - 24140 bytes

  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi this sounds like a scheduled task running.. So lets have a look. Hijackthis is no longer relevant for modern infections

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.
    frst.JPG
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.

  • 0

#3
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Ok will do so right now.  Thanks.


  • 0

#4
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Ok, here are my Farbar attachments from the scan.   Nice quick scan tool.  Hope it helps find the [bleep] thing.  When the window pops up, the header bar of it says "Your music life".  Today it happened twice already and it had an image of kittens.

Attached File  FRST.txt   178.46KB   126 downloads

Attached File  Addition.txt   67.87KB   152 downloads


  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK let me know if this stops the little blighter

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.103\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.103\gcswf32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
S4 DHCPServer; "C:\Users\mqc874\AppData\Local\Temp\Temp1_dhcpsrv2.5.1.zip\dhcpsrv.exe" [X]
S3 mrgpmem; \??\c:\windows\temp\tmp7tfm4q.sys [X]
S3 pmem; \??\c:\windows\temp\tmp_q2wk3.sys [X]
ProxyServer: [S-1-5-21-1830819319-1975652134-394877016-74296] => wwwgate0.mot.com:1080
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\FirefoxAddOns\[email protected] => not found
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1830819319-1975652134-394877016-74296_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\mqc874\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {426E3E91-06E9-4E2B-901A-0CA80A5E6052} - System32\Tasks\{CDB47E39-60D3-4ED8-8B32-94D257EA54CA} => pcalua.exe -a C:\Users\mqc874\Downloads\HPDesignjetT770andT1200PrinterSeriesPS3.exe -d C:\Users\mqc874\Downloads
Task: {45FAE5DD-CA99-439B-9104-6D59066B438C} - System32\Tasks\{550AE9AC-EB04-4F47-BBDE-59EE68A650C8} => pcalua.exe -a C:\Users\mqc874\Downloads\sbwsetup.exe -d C:\Users\mqc874\Downloads
Task: {D2D4DDE5-0146-451D-81E7-25BEDB594936} - System32\Tasks\{2B3F1867-FBE4-456E-9A30-6F409587AC4B} => pcalua.exe -a C:\Users\mqc874\Downloads\ntptool20.exe -d C:\Users\mqc874\Downloads
C:\Users\mqc874\AppData\Local\iLivid
C:\Program Files (x86)\Mobogenie3
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

  • 0

#6
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Ok, thanks, I will try this is in the morning.  Just seeing this now before I'm going to bed.  Appreciate you looking into it.


  • 0

#7
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Ok, I ran the fixlist.txt and here is the fix log. Now I'm going to run the cleaner you recommended....Attached File  Fixlog.txt   11.03KB   115 downloads


  • 0

#8
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Ok, I ran the ADWCleaner.  I see it didn't delete some folders related to Mobogenie and Systweak.  Should I use some agressive file deletion to tool to try to kill those folders off manually?

 

See log contents below....Just ran it.

 

# AdwCleaner v5.033 - Logfile created 09/02/2016 at 14:48:11
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : jthompson - LP-JT
# Running from : C:\Users\mqc874\Downloads\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\Applian Technologies
[-] Folder Deleted : C:\Program Files (x86)\myfree codec
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Applian Technologies
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\myfree codec
[-] Folder Deleted : C:\Users\mqc874\mobogenieP2sp
[!] Folder Not Deleted : C:\Users\mqc874\mobogenieP2sp
[!] Folder Not Deleted : C:\Users\mqc874\mobogenieP2sp
[-] Folder Deleted : C:\Users\mqc874\AppData\Local\Mobogenie
[!] Folder Not Deleted : C:\Users\mqc874\AppData\Local\Mobogenie
[!] Folder Not Deleted : C:\Users\mqc874\AppData\Local\Mobogenie
[-] Folder Deleted : C:\Users\mqc874\AppData\Roaming\Mobogenie
[-] Folder Deleted : C:\Users\mqc874\AppData\Roaming\Systweak
[!] Folder Not Deleted : C:\Users\mqc874\AppData\Roaming\Mobogenie
[!] Folder Not Deleted : C:\Users\mqc874\AppData\Roaming\Systweak
[!] Folder Not Deleted : C:\Users\mqc874\AppData\Roaming\Mobogenie
[!] Folder Not Deleted : C:\Users\mqc874\AppData\Roaming\Systweak
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\Documents\Mobogenie
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5C3B5DAA-0AFF-4808-90FB-0F2F2D760E36}
[-] Key Deleted : HKCU\Software\Myfree Codec
[-] Key Deleted : HKCU\Software\OB
[-] Key Deleted : HKLM\SOFTWARE\Myfree Codec
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
[-] Key Deleted : HKU\.DEFAULT\Software\Mobogenie
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\webmailworld.dl.tb.ask.com
[-] Key Deleted : HKLM\SOFTWARE\Classes\AndyAPK
 
***** [ Web browsers ] *****
 
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : stubhub.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : wayfair.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : disneystore.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : pricegrabber.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : stubhub.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : wayfair.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : disneystore.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : pricegrabber.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : stubhub.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : wayfair.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : disneystore.com
[-] [C:\Users\mqc874\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : pricegrabber.com
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4618 bytes] ##########

  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm I need the author to look at this ... Meanwhile to save you searching

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
C:\Users\mqc874\AppData\Local\Mobogenie
C:\Users\mqc874\mobogenieP2sp
C:\Users\mqc874\AppData\Roaming\Mobogenie
C:\Users\mqc874\AppData\Roaming\Systweak
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


  • 0

Advertisements


#11
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

User returned.


  • 0

#12
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

yml virus pic.jpg Ok, thank you for unlocking the thread.  I still have the "your music life pop up" coming up.  Here is the results of the fixlog.txt after running the ADWCleaner and applying the FRST with the latest round of recommendations.  I also ran SuperAntiSpyware after this in safe mode and it still didn't find anything and the popup persists.  I also attache an image of the popup via a screenshot capture.  Once I click on it in any way, even to close it using the X button it launches 2 browser windows taking me to various sites that are triggering alerts in my company firewall when connected at work, but they also occur when I'm at home on my home network not connected to work in any way.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
Ran by jthompson (2016-02-15 11:44:58) Run:2
Running from C:\Users\mqc874\Desktop
Loaded Profiles: jthompson (Available Profiles: jthompson & FirstUser & Batwings)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
C:\Users\mqc874\AppData\Local\Mobogenie
C:\Users\mqc874\mobogenieP2sp
C:\Users\mqc874\AppData\Roaming\Mobogenie
C:\Users\mqc874\AppData\Roaming\Systweak
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************
 
Restore point was successfully created.
"C:\Users\mqc874\AppData\Local\Mobogenie" => not found.
"C:\Users\mqc874\mobogenieP2sp" => not found.
"C:\Users\mqc874\AppData\Roaming\Mobogenie" => not found.
"C:\Users\mqc874\AppData\Roaming\Systweak" => not found.
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1830819319-1975652134-394877016-74296\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1830819319-1975652134-394877016-74296\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
EmptyTemp: => 221.3 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 11:45:11 ====

  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK Could you run a fresh FRST scan for me please after running this programme

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here NSIS_extraction.png
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

    3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


    Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

  • 0

#14
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

Ok, will install it now and get it going.  Thank you for the help!


 


  • 0

#15
jtemail

jtemail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts

The program has been running for about 90 minutes now.  Sitting there at "Completed Stage_4".  I will let it keep going but I don't think its hung because when I click on the windows, it doesn't say "not responding" and pev.3XE is running at 25% of my CPU in the task manager which I can only assume is this Combofix program still running so I will let it go another hour or 2, but eventually I will not to shut this PC down this afternoon.  The warning says it may take 10 minutes or may easily double on badly infected machines, but I am way beyond double time right now.  Should I abort it and restart it or just let it go for awhile longer?


  • 0






Similar Topics


Also tagged with one or more of these keywords: adobe

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP