Page 3 of 3 FirstFirst 123
Results 21 to 27 of 27

Thread: "Unusual traffic from your computer network" - Google Chrome

  1. #21
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    ok thanks for the info. Still not convinced this is a malware issue but we will move on to combofix and see if it digs up anything and then go from there and start removing installed google products.

    There is a short guide and download link here:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    read through the guide and apply the directions on your own machine. Post the combofix log.

    A question; does the message just popup randomly while your using Chrome to browse. Do you notice a pattern or anything?
    How Can I Reduce My Risk?

  2. #22
    Junior Member
    Join Date
    Jul 2014
    Posts
    15

    Default

    Quote Originally Posted by shelf life View Post
    A question; does the message just popup randomly while your using Chrome to browse. Do you notice a pattern or anything?
    The message appears out of nowhere, though it's rarely happening too often right now. There's no pattern that I've noticed as far as I'm aware.

    Here is what ComboFix has found:

    ComboFix 14-07-29.01 - David 30/07/2014 23:12:49.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4083.1879 [GMT 10:00]
    Running from: c:\users\David\Desktop\ComboFix.exe
    AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-06-28 to 2014-07-30 )))))))))))))))))))))))))))))))
    .
    .
    2014-07-30 13:24 . 2014-07-30 13:24 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2014-07-30 13:24 . 2014-07-30 13:24 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2014-07-30 13:24 . 2014-07-30 13:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-07-30 02:23 . 2014-07-30 07:58 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AB0DE48-24FE-4A2A-8491-65DB33AFE02F}\offreg.dll
    2014-07-30 02:15 . 2014-07-13 18:12 10924376 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AB0DE48-24FE-4A2A-8491-65DB33AFE02F}\mpengine.dll
    2014-07-29 12:59 . 2014-07-29 13:00 -------- d-----w- c:\users\David\www.apowersoft.com
    2014-07-27 07:22 . 2014-07-27 07:26 -------- d-----w- C:\FRST
    2014-07-25 10:54 . 2014-07-25 10:58 -------- d-----w- C:\AdwCleaner
    2014-07-22 12:56 . 2014-07-22 12:56 -------- d-----w- c:\program files\HitmanPro
    2014-07-22 12:55 . 2014-07-22 13:21 -------- d-----w- c:\programdata\HitmanPro
    2014-07-22 06:05 . 2014-07-22 06:05 -------- d-----w- c:\windows\Sun
    2014-07-22 01:30 . 2014-07-22 01:30 -------- d-----w- c:\program files (x86)\ESET
    2014-07-21 04:54 . 2014-07-21 05:08 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-07-20 05:34 . 2010-08-29 22:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
    2014-07-20 00:19 . 2014-07-24 06:33 -------- d-----w- c:\windows\ERUNT
    2014-07-19 05:13 . 2014-07-19 05:13 -------- d-----w- c:\windows\system32\log
    2014-07-16 07:49 . 2014-07-16 07:49 -------- d-----w- c:\program files (x86)\Common Files\Java
    2014-07-16 07:49 . 2014-07-10 17:02 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2014-07-12 08:03 . 2014-07-12 08:03 5659136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2014-07-09 14:53 . 2014-05-30 08:08 340992 ----a-w- c:\windows\system32\schannel.dll
    2014-07-09 14:53 . 2014-05-30 07:52 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
    2014-07-09 14:53 . 2014-05-30 08:08 728064 ----a-w- c:\windows\system32\kerberos.dll
    2014-07-09 14:53 . 2014-05-30 07:52 247808 ----a-w- c:\windows\SysWow64\schannel.dll
    2014-07-09 14:53 . 2014-05-30 08:08 210944 ----a-w- c:\windows\system32\wdigest.dll
    2014-07-09 14:53 . 2014-05-30 08:08 314880 ----a-w- c:\windows\system32\msv1_0.dll
    2014-07-09 14:53 . 2014-05-30 07:52 259584 ----a-w- c:\windows\SysWow64\msv1_0.dll
    2014-07-09 14:53 . 2014-05-30 08:08 86528 ----a-w- c:\windows\system32\TSpkg.dll
    2014-07-09 14:53 . 2014-05-30 08:08 307200 ----a-w- c:\windows\system32\ncrypt.dll
    2014-07-09 14:53 . 2014-05-30 07:52 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2014-07-09 14:53 . 2014-05-30 07:52 172032 ----a-w- c:\windows\SysWow64\wdigest.dll
    2014-07-09 14:53 . 2014-05-30 07:52 65536 ----a-w- c:\windows\SysWow64\TSpkg.dll
    2014-07-09 14:52 . 2014-05-30 08:08 22016 ----a-w- c:\windows\system32\credssp.dll
    2014-07-09 14:52 . 2014-05-30 07:52 17408 ----a-w- c:\windows\SysWow64\credssp.dll
    2014-07-09 14:48 . 2014-06-05 14:45 1460736 ----a-w- c:\windows\system32\lsasrv.dll
    2014-07-09 14:48 . 2014-06-05 14:26 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2014-07-09 14:48 . 2014-06-05 14:25 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    2014-07-09 14:34 . 2014-06-03 10:02 1719296 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
    2014-07-09 14:34 . 2014-06-03 10:02 1380864 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
    2014-07-09 14:34 . 2014-06-03 10:02 1389568 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
    2014-07-09 14:34 . 2014-06-03 10:02 1354240 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
    2014-07-09 14:34 . 2014-06-03 09:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2014-07-09 14:34 . 2014-06-30 02:09 519168 ----a-w- c:\windows\system32\aepdu.dll
    2014-07-09 14:34 . 2014-06-30 02:04 424448 ----a-w- c:\windows\system32\aeinv.dll
    2014-07-09 14:07 . 2014-07-09 14:07 110080 ----a-r- c:\users\David\AppData\Roaming\Microsoft\Installer\{ACF5FE1B-3772-4068-8B87-2D2A6EFD0A05}\IconF7A21AF7.exe
    2014-07-09 14:07 . 2014-07-09 14:07 110080 ----a-r- c:\users\David\AppData\Roaming\Microsoft\Installer\{ACF5FE1B-3772-4068-8B87-2D2A6EFD0A05}\IconD7F16134.exe
    2014-07-09 14:07 . 2014-07-09 14:07 110080 ----a-r- c:\users\David\AppData\Roaming\Microsoft\Installer\{ACF5FE1B-3772-4068-8B87-2D2A6EFD0A05}\Icon1226A4C5.exe
    2014-07-09 14:07 . 2014-07-09 14:07 -------- d-----w- C:\sh4ldr
    2014-07-09 14:07 . 2014-07-09 14:07 -------- d-----w- c:\program files\Enigma Software Group
    2014-07-09 13:55 . 2014-06-18 02:19 1247232 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tipskins.dll
    2014-07-09 13:55 . 2014-06-18 02:19 503296 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tiptsf.dll
    2014-07-09 13:55 . 2014-06-18 01:10 3157504 ----a-w- c:\windows\system32\win32k.sys
    2014-07-09 13:55 . 2014-06-18 02:19 449024 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tabskb.dll
    2014-07-09 13:55 . 2014-06-18 02:18 224768 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TabTip.exe
    2014-07-09 13:55 . 2014-06-18 01:52 348672 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll
    2014-07-09 13:55 . 2014-06-18 01:51 646144 ----a-w- c:\windows\SysWow64\osk.exe
    2014-07-09 13:55 . 2014-06-18 02:18 692736 ----a-w- c:\windows\system32\osk.exe
    2014-07-09 13:55 . 2014-06-18 02:19 110592 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TipBand.dll
    2014-07-09 13:55 . 2014-06-18 01:51 10240 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
    2014-07-09 13:55 . 2014-06-18 02:17 544768 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TipRes.dll
    2014-07-09 13:48 . 2014-06-06 10:10 624128 ----a-w- c:\windows\system32\qedit.dll
    2014-07-09 13:48 . 2014-06-06 09:44 509440 ----a-w- c:\windows\SysWow64\qedit.dll
    2014-07-09 13:48 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
    2014-07-09 12:18 . 2014-07-09 12:18 43152 ----a-w- c:\windows\avastSS.scr
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-07-30 08:41 . 2014-05-27 06:43 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-07-12 08:03 . 2012-08-12 04:53 699056 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-07-12 08:03 . 2011-08-15 19:13 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-07-10 09:38 . 2012-01-18 13:33 96441528 ----a-w- c:\windows\system32\MRT.exe
    2014-07-09 12:19 . 2014-02-15 03:14 427360 ----a-w- c:\windows\system32\drivers\aswsp.sys
    2014-07-09 12:18 . 2014-02-15 03:14 92008 ----a-w- c:\windows\system32\drivers\aswstm.sys
    2014-07-09 12:18 . 2014-02-15 03:14 224896 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2014-07-09 12:18 . 2014-02-15 03:14 1041168 ----a-w- c:\windows\system32\drivers\aswsnx.sys
    2014-07-09 12:18 . 2014-04-29 13:31 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
    2014-07-09 12:18 . 2014-02-15 03:14 79184 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2014-07-09 12:18 . 2014-02-15 03:14 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
    2014-07-09 12:18 . 2014-02-15 03:14 307344 ----a-w- c:\windows\system32\aswBoot.exe
    2014-07-09 12:18 . 2014-02-15 03:14 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2014-05-11 21:26 . 2014-05-27 06:42 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-05-11 21:26 . 2014-05-27 06:42 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-05-11 21:25 . 2013-01-12 13:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-05-08 09:32 . 2014-06-12 04:12 3178496 ----a-w- c:\windows\system32\rdpcorets.dll
    2014-05-08 09:32 . 2014-06-12 04:12 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 130736 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-11-13 3713032]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-7 324320]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-7-29 4554752]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableSecureUIAPath"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "HP Software Update"=c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.3.132.0\BBSvc.exe;c:\program files (x86)\Microsoft\BingBar\7.3.132.0\BBSvc.exe [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R3 BRDriver64;BRDriver64;c:\programdata\bitraider\BRDriver64.sys;c:\programdata\bitraider\BRDriver64.sys [x]
    R3 BRSptSvc;BitRaider Mini-Support Service;c:\programdata\BitRaider\BRSptSvc.exe;c:\programdata\BitRaider\BRSptSvc.exe [x]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys;c:\windows\SYSNATIVE\drivers\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys;c:\windows\SYSNATIVE\drivers\amd_xata.sys [x]
    S0 aswRvrt;avast! Revert; [x]
    S0 aswVmm;avast! VM Monitor; [x]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
    S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
    S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
    S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
    S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe;c:\xampp\apache\bin\httpd.exe [x]
    S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
    S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x]
    S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]
    S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
    S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
    S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
    S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [x]
    S2 WDFME;WD File Management Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [x]
    S2 WDSC;WD File Management Shadow Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [x]
    S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe;c:\program files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys;c:\windows\SYSNATIVE\drivers\usbfilter.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-07-18 03:07 1104200 ----a-w- c:\program files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-07-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-12 08:03]
    .
    2014-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-08 15:45]
    .
    2014-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-08 15:45]
    .
    2014-07-28 c:\windows\Tasks\HPCeeScheduleForDavid.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-14 17:43]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2013-06-05 17:17 164016 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-07-22 21720]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uLocal Page = c:\windows\system32\blank.htm
    mDefault_Page_URL = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mStart Page = about:blank
    TCP: DhcpNameServer = 10.0.0.138
    FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\u8pck2fc.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:blank
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-AvastUI.exe - c:\program files\AVAST Software\Avast\AvastUI.exe
    Notify-SDWinLogon - SDWinLogon.dll
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
    "ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.14"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-07-30 23:28:14
    ComboFix-quarantined-files.txt 2014-07-30 13:28
    .
    Pre-Run: 725,026,582,528 bytes free
    Post-Run: 724,606,332,928 bytes free
    .
    - - End Of File - - A4FB3FDFCAE0D79167D8F1F058D1299F
    A36C5E4F47E84449FF07ED3517B43A31

  3. #23
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    ok thanks for the info. Not much there to worried about. Dont see any malware that I recognize. We can work backwards. Looks like you have several chrome add ons installed. Please disable them all then restart chrome and browse around.

    https://support.google.com/chrome/answer/187443?hl=en
    How Can I Reduce My Risk?

  4. #24
    Junior Member
    Join Date
    Jul 2014
    Posts
    15

    Default

    Well, I only had three add-ons installed: AdBlock, Block site and Skype. I had disabled all three but the annoying message still appeared. >:(

    Maybe I should get to the Google forums to figure out what's going on?

  5. #25
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    You can try the Goggle forums if you want to.

    You dont see this as an extension in chrome?

    C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx
    If not you can navigate to C:\Programs File and delete the entire AVAST folder. May be a leftover only and not in use, looks like you had Avast at one time?

    Bring up AVG's interface and try disabling AVG's Online Shield, and or LinkScanner if its installed.

    You installed these two: Mysqld.exe (MySQL Server) and httpd.exe (Apache HTTP server file) Both are possible sources of tcp/ip traffic
    Last edited by shelf life; 2014-08-02 at 15:48.
    How Can I Reduce My Risk?

  6. #26
    Junior Member
    Join Date
    Jul 2014
    Posts
    15

    Default

    Sorry I haven't replied back, I've been ill lately.

    I got rid of a few AVAST folders that were left behind, the rest were already quarantined by AdwCleaner awhile ago. I've been using Chrome for two days and haven't gotten that message since. Hopefully that problem is over. Thanks a lot.

  7. #27
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    Ok no problem, thanks for the update. To remove the tools we used:

    You can remove combofix by clicking on the start "orb" and in the search field type: combofix /uninstall
    then click enter. Note the space after the x and before the /
    This will remove combofix.

    You can delete the FRST icon and associated files. There is also a FRST folder located at your root drive, usually C: that can be deleted. You can also delete the aswmbr icon. Start Adwcleaner and you will see a uninstall button.
    I thinks those are all the tools we used.

    Some prevention tips in link below. Happy safe surfing "out there."
    How Can I Reduce My Risk?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •