How to get rid of Positive Finds Malware and Buzzdock ads?

January 30, 2015 at 15:17:53
Specs: Windows 7, Core 2 Duo
I keep getting pop-ups and adverts in Google Chrome by Positive Finds and Buzzdock ads. I am an intermediate computer user and I have tried the following to no avail:
Google Chrome - Settings - Extensions - Boo.... You have no extensions.....
AVG 2015 - Full computer scan - No threat detected
AdwCleaner - No threats found
In my add/remove programs list I have only trusted applications installed.

Any other things I can try?

I have also tried Malwarebytes to no avail




#1
January 30, 2015 at 15:33:10
Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.


#2
January 31, 2015 at 06:24:51
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Enterprise x86
Ran by Win7ENT2 on 31/01/2015 at 14:17:46.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2947710821-2675120002-303020009-1000\Software\Microsoft\Internet Explorer\Main\\Start Page

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

~~~ Files

Successfully deleted: [File] "C:\Users\Win7ENT2\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Win7ENT2\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Windows\wininit.ini"

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 31/01/2015 at 14:23:12.72
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

thank you for your assistance



#3
January 31, 2015 at 14:55:24
Ok, shall now dismantle the malware bit by bit.

Best you print or write the instructions & check the steps off as you do them.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shut down your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#4
February 1, 2015 at 09:08:56
RogueKiller V10.2.0.0 [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Win7ENT2 [Administrator]
Mode : Delete -- Date : 02/01/2015 17:08:36

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 28 ¤¤¤
[PUP] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\vToolbarUpdater18.2.0 -> Deleted
[PUP] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet002\Services\vToolbarUpdater18.2.0 -> Deleted
[PUM.Proxy] HKEY_USERS\RK_M A Wigg_ON_E_1F53\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=;ftp=;https=; -> Deleted
[PUM.HomePage] HKEY_USERS\RK_M A Wigg_ON_E_1F53\Software\Microsoft\Internet Explorer\Main | Start Page : https://uk.search.yahoo.com/?type=4... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2CE632D0-7471-4695-9861-11BA8AFF3A12} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8B374944-A0A4-4979-A6FC-C7F739EE5D36} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AEA961F7-B444-4EE8-BA42-4FB4AED79384} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C119436E-9910-4F02-98B5-4A4A63BA7918} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\Tcpip\Parameters\Interfaces\{CC4453F1-5A5D-48FE-8F17-4697F6455478} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E1C3E462-D8A2-4B70-B53A-B762F838711F} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2CE632D0-7471-4695-9861-11BA8AFF3A12} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8B374944-A0A4-4979-A6FC-C7F739EE5D36} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AEA961F7-B444-4EE8-BA42-4FB4AED79384} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C119436E-9910-4F02-98B5-4A4A63BA7918} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet002\Services\Tcpip\Parameters\Interfaces\{CC4453F1-5A5D-48FE-8F17-4697F6455478} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E1C3E462-D8A2-4B70-B53A-B762F838711F} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2CE632D0-7471-4695-9861-11BA8AFF3A12} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8B374944-A0A4-4979-A6FC-C7F739EE5D36} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1 -> Replaced ()
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2947710821-2675120002-303020009-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_9D2E\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_9D2E\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320620AS ATA Device +++++
--- User ---
[MBR] 01ff9c8b69d5c63b5fadceb960799da4
[BSP] b7f733ae6209a3ca65ff9d10514949a0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST380215AS ATA Device +++++
--- User ---
[MBR] 81c9626fae4952ab1fb742c9f1d8dfa3
[BSP] fbd168570630c11dd4867a06d042b61c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 76217 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_02012015_164522.log - RKreport_DEL_02012015_164557.log - RKreport_SCN_02012015_170734.log
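A defender reading a RogueKiller report like the one above usually wants two things from it: a structured view of what the tool changed, and a short list of the entries that steer traffic (proxy and DNS settings), since those are the ones to re-verify after cleanup. The Python script below is an added example, not RogueKiller's or this forum's code. It parses the `[Category] key | value : data -> action (replacement)` line format shown in the post into records, tracks which `¤¤¤ Section : N ¤¤¤` block each line came from, cross-checks the parsed registry lines against the header count, and collects the resolver addresses removed from NameServer/DhcpNameServer values. The sample input is a constructed excerpt: five lines copied from the post (the long NameServer list shortened), wrapped in the tool's section headers.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the RogueKiller "Registry" section above.
# RK_System_ON_E_BDC1 and RK_M A Wigg_ON_E_1F53 are the tool's own names for
# the offline hives it loaded; they are kept exactly as they appear in the post.
SAMPLE_LOG = r"""
¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[PUP] HKEY_LOCAL_MACHINE\RK_System_ON_E_BDC1\ControlSet001\Services\vToolbarUpdater18.2.0 -> Deleted
[PUM.Proxy] HKEY_USERS\RK_M A Wigg_ON_E_1F53\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=;ftp=;https=; -> Deleted
[PUM.HomePage] HKEY_USERS\RK_M A Wigg_ON_E_1F53\Software\Microsoft\Internet Explorer\Main | Start Page : https://uk.search.yahoo.com/?type=4... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8B374944-A0A4-4979-A6FC-C7F739EE5D36} | NameServer : 8.8.8.8,8.8.4.4,4.2.2.1 -> Replaced ()

¤¤¤ Tasks : 0 ¤¤¤
"""

LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+"                           # [PUP], [PUM.Dns], ...
    r"(?P<key>.+?)"                                            # registry key, may contain spaces
    r"(?:\s+\|\s+(?P<value_name>.+?)\s+:\s+(?P<data>.*?))?"    # optional "| name : data"
    r"\s+->\s+(?P<action>\w+)"                                 # Deleted / Replaced / ...
    r"(?:\s+\((?P<new_data>.*?)\))?\s*$"                       # optional "(replacement)"
)
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s*:", re.MULTILINE)
COUNT_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s+:\s+(?P<count>\d+)", re.MULTILINE)

# Categories that redirect traffic rather than change what the browser shows:
# a proxy or resolver setting is what to re-check after the tool has run.
TRAFFIC_CATEGORIES = frozenset({"PUM.Proxy", "PUM.Dns"})


@dataclass(frozen=True)
class Finding:
    section: str
    category: str
    key: str
    value_name: Optional[str]
    data: Optional[str]
    action: str
    new_data: Optional[str]  # "" when the tool wrote an empty value, None if no replacement


def parse_roguekiller(text: str) -> List[Finding]:
    """One Finding per '[Category] key | name : data -> action' line, tagged with its section."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header["name"]
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(section=section, **m.groupdict()))
    return findings


def declared_counts(text: str) -> Dict[str, int]:
    """Counts the tool claims in its section headers, e.g. {'Registry': 28}."""
    return {m["name"]: int(m["count"]) for m in COUNT_RE.finditer(text)}


def registry_count_matches(text: str) -> bool:
    """Cross-check: lines parsed from the Registry block vs the 'Registry : N' header."""
    parsed = sum(1 for f in parse_roguekiller(text) if f.section == "Registry")
    return declared_counts(text).get("Registry") == parsed


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


def traffic_findings(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.category in TRAFFIC_CATEGORIES]


def dns_servers(findings: List[Finding]) -> set:
    """Every resolver address the tool removed from NameServer/DhcpNameServer values."""
    servers = set()
    for f in findings:
        if f.category == "PUM.Dns" and f.data:
            servers.update(s for s in re.split(r"[\s,]+", f.data) if s)
    return servers


if __name__ == "__main__":
    found = parse_roguekiller(SAMPLE_LOG)
    print("declared:", declared_counts(SAMPLE_LOG), "| header matches parsed:", registry_count_matches(SAMPLE_LOG))
    print("by category:", summarize(found))
    for f in traffic_findings(found):
        print(f"  {f.category:<13} {f.value_name} = {f.data!r} -> {f.action} {f.new_data!r}")
    print("resolvers removed:", sorted(dns_servers(found)))
```

The header cross-check is worth keeping: in the post above the `Registry : 28` header and the 28 lines that follow agree, and a mismatch on a real report would mean the parser missed a line shape rather than that the tool miscounted.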



#5
February 1, 2015 at 14:22:16
Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


#6
February 2, 2015 at 08:02:18
ComboFix 15-02-02.01 - Win7ENT2 02/02/2015 4:01.1.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.3071.1522 [GMT 0:00]
Running from: c:\users\Win7ENT2\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {4D41356F-32AD-7C42-C820-63775EE4F413}
SP: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {F620D48B-1497-73CC-F290-58052563BEAE}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2015-01-02 to 2015-02-02 )))))))))))))))))))))))))))))))
.
.
2015-02-01 23:36 . 2015-02-01 23:36 -------- d-----w- c:\windows\system32\Wat
2015-02-01 23:09 . 2015-02-01 23:09 -------- d-----w- c:\programdata\Microsoft Toolkit
2015-02-01 18:30 . 2015-02-01 18:30 -------- d-----w- c:\program files\Microsoft Synchronization Services
2015-02-01 18:29 . 2015-02-01 18:29 -------- d-----w- c:\windows\PCHEALTH
2015-02-01 18:29 . 2015-02-01 18:29 -------- d-----w- c:\program files\Microsoft Sync Framework
2015-02-01 18:29 . 2015-02-01 18:29 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2015-02-01 18:24 . 2015-02-01 18:24 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2015-02-01 18:19 . 2015-02-01 18:19 -------- d-----w- c:\program files\Microsoft Analysis Services
2015-02-01 18:17 . 2015-02-01 18:17 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Microsoft Help
2015-02-01 18:17 . 2015-02-01 23:13 -------- d-----w- c:\programdata\Microsoft Help
2015-02-01 18:16 . 2015-02-01 18:16 -------- d-----r- C:\MSOCache
2015-02-01 18:14 . 2015-02-01 23:29 -------- d-----w- c:\users\Win7ENT2\AppData\Roaming\WinMount
2015-02-01 18:14 . 2015-02-01 18:14 -------- d-----w- c:\program files\WinMount
2015-02-01 18:14 . 2015-02-01 18:14 46176 ----a-w- c:\windows\system32\drivers\WMDrive.sys
2015-02-01 17:55 . 2015-02-01 17:56 -------- d-----w- c:\program files\BitLord
2015-02-01 16:23 . 2015-02-01 16:23 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-02-01 16:23 . 2015-02-01 16:23 -------- d-----w- c:\programdata\RogueKiller
2015-01-31 14:21 . 2014-12-02 11:01 9054624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC197940-B459-4A7A-913E-F770FDE252C7}\mpengine.dll
2015-01-31 14:17 . 2015-01-31 14:17 -------- d-----w- c:\windows\ERUNT
2015-01-30 20:30 . 2015-01-30 23:15 -------- d-----w- C:\AdwCleaner
2015-01-30 20:16 . 2015-01-30 20:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2015-01-30 20:16 . 2015-01-30 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2015-01-30 01:19 . 2015-01-30 01:19 -------- d-----w- c:\programdata\Malwarebytes
2015-01-29 17:32 . 2015-01-29 17:32 -------- d-----w- C:\SUPERDelete
2015-01-29 16:51 . 2015-01-29 16:51 -------- d-----w- c:\users\Win7ENT2\AppData\Local\SlimWare Utilities Inc
2015-01-29 16:50 . 2015-01-29 16:51 -------- d-----w- c:\program files\SlimCleaner
2015-01-25 22:48 . 2015-01-25 22:49 -------- d-----w- c:\users\Win7ENT2\sitebuilder
2015-01-25 22:46 . 2015-01-25 22:46 -------- d-----w- c:\program files\Common Files\Java
2015-01-25 22:46 . 2015-01-25 22:46 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-01-25 22:46 . 2015-01-25 22:47 -------- d-----w- c:\programdata\Oracle
2015-01-25 22:46 . 2015-01-25 22:46 -------- d-----w- c:\program files\Java
2015-01-25 21:18 . 2015-01-29 16:53 -------- d-----w- c:\program files\AVG Web TuneUp
2015-01-24 16:10 . 2015-01-24 16:10 -------- d-----w- c:\users\Win7ENT2\AppData\Roaming\AVG2015
2015-01-24 16:09 . 2015-01-24 16:09 -------- d-----w- c:\users\Win7ENT2\AppData\Roaming\TuneUp Software
2015-01-24 16:08 . 2015-01-24 16:09 -------- d-----w- c:\programdata\AVG2015
2015-01-24 16:08 . 2015-01-24 16:08 -------- d-----w- C:\$AVG
2015-01-24 16:07 . 2015-01-24 16:07 -------- d-----w- c:\program files\AVG
2015-01-24 13:33 . 2015-01-24 13:33 -------- d-----w- c:\users\Win7ENT2\AppData\Local\BitLord
2015-01-24 13:33 . 2015-01-24 14:29 -------- d-----w- c:\users\Win7ENT2\AppData\Roaming\BitLord
2015-01-24 13:30 . 2015-01-24 16:19 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Avg2015
2015-01-24 13:30 . 2015-01-24 13:30 -------- d--h--w- c:\programdata\Common Files
2015-01-24 13:30 . 2015-01-24 13:30 -------- d-----w- c:\users\Win7ENT2\AppData\Local\MFAData
2015-01-24 13:30 . 2015-02-01 23:23 -------- d-----w- c:\programdata\MFAData
2015-01-24 13:29 . 2015-01-24 13:29 -------- d-----w- c:\program files\AppName
2015-01-23 20:40 . 2005-05-26 15:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2015-01-23 20:37 . 2015-01-23 20:37 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Logitech
2015-01-23 20:37 . 2015-01-23 20:37 -------- d-----w- c:\program files\Logitech
2015-01-23 20:37 . 2015-01-23 20:37 -------- d-----w- c:\program files\Common Files\Logitech
2015-01-23 19:51 . 2015-01-26 14:03 -------- d-----w- c:\program files\Common Files\Steam
2015-01-23 19:51 . 2015-02-01 23:44 -------- d-----w- c:\program files\Steam
2015-01-23 19:10 . 2015-01-23 19:10 -------- d-----w- c:\users\Win7ENT2\AppData\Roaming\ATI
2015-01-23 19:10 . 2015-01-23 19:10 -------- d-----w- c:\users\Win7ENT2\AppData\Local\ATI
2015-01-23 19:10 . 2015-01-23 19:10 -------- d-----w- c:\programdata\ATI
2015-01-23 19:03 . 2015-01-23 19:03 -------- d-----w- c:\programdata\AMD
2015-01-23 19:03 . 2015-01-23 19:03 -------- d-----w- c:\program files\AMD AVT
2015-01-23 19:03 . 2015-01-23 19:03 -------- d-----w- c:\program files\AMD APP
2015-01-23 19:03 . 2015-01-23 19:03 -------- d-----w- c:\program files\Common Files\ATI Technologies
2015-01-23 19:02 . 2015-01-23 19:02 0 ----a-w- c:\windows\ativpsrm.bin
2015-01-23 18:47 . 2015-01-23 18:48 -------- d-----w- c:\program files\Google
2015-01-23 18:47 . 2015-01-23 18:48 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Google
2015-01-23 18:47 . 2015-01-23 18:47 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Deployment
2015-01-23 18:47 . 2015-01-23 18:47 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Apps
2015-01-23 18:41 . 2015-01-23 18:41 -------- d-----w- c:\users\Win7ENT2\AppData\Local\ElevatedDiagnostics
2015-01-23 18:40 . 2012-08-17 14:31 1321568 ----a-w- c:\windows\system32\drivers\netr28u.sys
2015-01-23 18:40 . 2011-12-26 02:57 238944 ----a-w- c:\windows\system32\RaCoInst.dll
2015-01-23 18:40 . 2015-01-23 18:40 -------- d-----w- c:\program files\ASUS
2015-01-23 18:40 . 2015-01-23 18:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2015-01-23 18:40 . 2012-12-19 03:16 3356672 ----a-r- c:\windows\system32\AInst5090.exe
2015-01-23 16:22 . 2014-07-07 01:40 103424 ----a-w- c:\windows\system32\mfps.dll
2015-01-23 16:22 . 2014-07-07 01:39 23040 ----a-w- c:\windows\system32\mfpmp.exe
2015-01-23 16:22 . 2014-07-07 01:37 2048 ----a-w- c:\windows\system32\mferror.dll
2015-01-23 16:22 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\system32\mf.dll
2015-01-23 16:22 . 2014-07-07 01:39 50176 ----a-w- c:\windows\system32\rrinstaller.exe
2015-01-21 16:54 . 2014-12-13 03:33 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2015-01-21 03:18 . 2015-01-21 03:18 -------- d-----w- c:\windows\system32\appraiser
2015-01-20 14:35 . 2015-01-20 14:35 -------- d-----w- c:\users\Win7ENT2\AppData\Local\Programs
2015-01-20 14:21 . 2015-01-20 14:21 -------- d-----w- c:\users\Win7ENT2\AppData\Roaming\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-01 23:37 . 2014-11-19 18:33 811520 ----a-w- c:\windows\system32\user32.dll
2015-02-01 23:37 . 2014-11-19 18:33 409088 ----a-w- c:\windows\system32\systemcpl.dll
2015-02-01 23:37 . 2014-11-19 18:33 13824 ----a-w- c:\windows\system32\slwga.dll
2015-01-08 09:55 . 2014-11-19 14:57 249488 ------w- c:\windows\system32\MpSigStub.exe
2014-12-08 21:25 . 2014-12-08 21:25 208152 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2014-11-20 17:08 . 2014-11-20 17:08 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-11-20 17:08 . 2014-11-20 17:08 645120 ----a-w- c:\windows\system32\jsIntl.dll
2014-11-20 17:08 . 2014-11-20 17:08 194048 ----a-w- c:\windows\system32\elshyph.dll
2014-11-20 17:08 . 2014-11-20 17:08 182272 ----a-w- c:\windows\system32\msls31.dll
2014-11-20 17:08 . 2014-11-20 17:08 62464 ----a-w- c:\windows\system32\tdc.ocx
2014-11-20 17:08 . 2014-11-20 17:08 337408 ----a-w- c:\windows\system32\html.iec
2014-11-20 17:08 . 2014-11-20 17:08 24576 ----a-w- c:\windows\system32\licmgr10.dll
2014-11-20 17:08 . 2014-11-20 17:08 151552 ----a-w- c:\windows\system32\iexpress.exe
2014-11-20 17:08 . 2014-11-20 17:08 139264 ----a-w- c:\windows\system32\wextract.exe
2014-11-20 17:08 . 2014-11-20 17:08 13312 ----a-w- c:\windows\system32\mshta.exe
2014-11-20 17:08 . 2014-11-20 17:08 86016 ----a-w- c:\windows\system32\iesysprep.dll
2014-11-20 17:08 . 2014-11-20 17:08 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-11-20 17:08 . 2014-11-20 17:08 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-11-20 17:08 . 2014-11-20 17:08 36352 ----a-w- c:\windows\system32\imgutil.dll
2014-11-20 17:08 . 2014-11-20 17:08 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-11-20 17:07 . 2014-11-20 17:07 640512 ----a-w- c:\windows\system32\advapi32.dll
2014-11-20 17:07 . 2014-11-20 17:07 69632 ----a-w- c:\windows\system32\smss.exe
2014-11-20 17:07 . 2014-11-20 17:07 619520 ----a-w- c:\windows\system32\tdh.dll
2014-11-20 17:07 . 2014-11-20 17:07 38912 ----a-w- c:\windows\system32\csrsrv.dll
2014-11-20 17:07 . 2014-11-20 17:07 1289096 ----a-w- c:\windows\system32\ntdll.dll
2014-11-20 17:07 . 2014-11-20 17:07 231424 ----a-w- c:\windows\system32\mswsock.dll
2014-11-20 17:07 . 2014-11-20 17:07 49152 ----a-w- c:\windows\system32\taskhost.exe
2014-11-20 17:05 . 2014-11-20 17:05 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 906240 ----a-w- c:\windows\system32\FntCache.dll
2014-11-20 17:05 . 2014-11-20 17:05 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2014-11-20 17:05 . 2014-11-20 17:05 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-11-20 17:05 . 2014-11-20 17:05 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 293376 ----a-w- c:\windows\system32\dxgi.dll
2014-11-20 17:05 . 2014-11-20 17:05 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-11-20 17:05 . 2014-11-20 17:05 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-11-20 17:05 . 2014-11-20 17:05 220160 ----a-w- c:\windows\system32\d3d10core.dll
2014-11-20 17:05 . 2014-11-20 17:05 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-11-20 17:05 . 2014-11-20 17:05 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2014-11-20 17:05 . 2014-11-20 17:05 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2014-11-20 17:05 . 2014-11-20 17:05 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2014-11-20 17:05 . 2014-11-20 17:05 1080832 ----a-w- c:\windows\system32\d3d10.dll
2014-11-20 17:05 . 2014-11-20 17:05 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-11-20 17:03 . 2014-11-20 17:03 1505280 ----a-w- c:\windows\system32\d3d11.dll
2014-11-19 18:51 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2014-11-18 21:41 . 2014-11-18 21:41 154904 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-11-11 02:44 . 2014-11-20 13:26 186880 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 02:44 . 2014-11-20 13:27 550912 ----a-w- c:\windows\system32\kerberos.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2015-02-01 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MountOverlayIcon]
@="{0F49CF41-FD97-4942-9F2A-35E8B489E7FB}"
[HKEY_CLASSES_ROOT\CLSID\{0F49CF41-FD97-4942-9F2A-35E8B489E7FB}]
2010-03-09 16:31 204800 ----a-w- c:\program files\WinMount\WinMTExt3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-04-26 774168]
"AVG_UI"="c:\program files\AVG\AVG2015\avgui.exe" [2015-01-06 3674576]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-11-19 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2015\avgidsagent.exe [2015-01-06 3440080]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-22 102912]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2015-02-01 1343400]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2014-11-18 154904]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2014-07-18 230680]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2014-06-18 27416]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2014-06-18 121624]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2014-12-08 208152]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2014-06-18 21272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2014-08-28 192792]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2014-10-10 200984]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-09-28 217600]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2015\avgwdsvc.exe [2015-01-06 309232]
S2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [2015-02-01 46176]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-05-14 86656]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [2012-08-17 1321568]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-01-27 15:53 1086280 ----a-w- c:\program files\Google\Chrome\Application\40.0.2214.93\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-01-23 18:47]
.
2015-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-01-23 18:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-02-02 04:11:21
ComboFix-quarantined-files.txt 2015-02-02 04:11
.
Pre-Run: 31,621,890,048 bytes free
Post-Run: 31,653,007,360 bytes free
.
- - End Of File - - 77897A3DF80DE9C1A89FB5A640562157
A36C5E4F47E84449FF07ED3517B43A31


#7
February 2, 2015 at 14:59:34
Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
