system
November 4, 2014, 6:27am
1
http://postimg.org/image/ewz3zitff
http://postimg.org/image/ngihxa1rv
Pops up as often as every few seconds, or as little as every few hours throughout the day, randomly. Pops up 10-15 times all at once on system startup.
Logs attached.
Edit: Not sure why images aren’t working… but ok then…
Links to images:
Threat Popup
Details (or lack thereof…)
Did you set the proxy in Firefox? Could you let me know if the alerts cease after this?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 - DefaultScope {72186076-69CD-47DD-B644-BF519B48121E} URL =
SearchScopes: HKCU - DefaultScope {72186076-69CD-47DD-B644-BF519B48121E} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN34891558232132210&UM=2
SearchScopes: HKCU - {72186076-69CD-47DD-B644-BF519B48121E} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN34891558232132210&UM=2
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
CHR StartupUrls: Default -> "hxxp://www.google.com/", "hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch", "hxxp://search.conduit.com/?ctid=CT3282812&SearchSource=48&CUI=UN15389328351854218&UM=2", "hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23", "hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2", "hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=15.4.0.5&pid=safeguard&sg=0&sap=hp", "hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp", "hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp", "hxxp://www.google.com/|hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch|hxxp://search.conduit.com/?ctid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&SearchSource=48&CUI=UN15389328351854218&UM=2|hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23|hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=17.1.3.3&pid=safeguard&sg=70&sap=hp|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 
21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp", "hxxp://www.google.com/|hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch|hxxp://search.conduit.com/?ctid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&SearchSource=48&CUI=UN15389328351854218&UM=2|hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23|hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=17.1.3.3&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp|hxxp://www.google.com/|hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch|hxxp://search.conduit.com/?ctid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&SearchSource=48&CUI=UN15389328351854218&UM=2|hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23|hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 
03:56:14&v=17.1.3.3&pid=safeguard&sg=70&sap=hp|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
C:\Users\Kyle\IP_Log_Data.js
C:\Users\Kyle\jagex_cl_oldschool_LIVE.dat
C:\Users\Kyle\jagex_cl_runescape_LIVE.dat
C:\Users\Kyle\Network_Meter_Data.js
C:\Users\Kyle\random.dat
Task: {6688F0F8-9995-45C7-9E20-D1026CC30204} - System32\Tasks\Express FilesUpdate => C:\Program Files (x86)\ExpressFiles\EFUpdater.exe <==== ATTENTION
C:\Program Files (x86)\ExpressFiles
Task: {A2E140B4-670A-4492-AD7E-5928BDC960B2} - \Updater23986.exe No Task File <==== ATTENTION
Task: {E8F0412E-8428-4224-AFAF-F100A0864D05} - System32\Tasks\Dexpot\2 => F:\Program Files (x86)\Dexpot\autodex.exe [2013-07-05] (Dexpot GbR) <==== ATTENTION
F:\Program Files (x86)\Dexpot
Task: {FA6B977B-A077-41B6-A6E9-72E1D707972C} - \YourFile DownloaderUpdate No Task File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on "Clean".
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
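A read-only PowerShell audit of the same persistence points the fixlist above removes (IE policy key, SearchScopes, Chrome startup URLs, orphaned TaskCache entries, the ADS on zlib.dll), added here as an example; it is not FRST's code or part of the helper's fix, and it assumes the standard Chrome profile path and Task Scheduler cache location.

```powershell
# Read-only audit of the persistence points the fixlist above removes.
# Added example, not part of FRST or the helper's post; run from an
# elevated PowerShell prompt on the affected machine. The Chrome profile
# path and TaskCache location are the standard defaults (assumption).

# 1. IE policy key that FRST flags as "Policy restriction"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
if (Test-Path $pol) {
    Write-Output "Policy key present: $pol"
    Get-ChildItem $pol -Recurse | ForEach-Object { Write-Output "  $($_.PSPath)" }
}

# 2. SearchScopes: the DefaultScope GUID and the URL each scope points at
#    (HKLM-x32 in the FRST log is the Wow6432Node view on a 64-bit system)
foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node', 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    $scopes = Join-Path $root 'Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $scopes)) { continue }
    $default = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
    Write-Output "$scopes  DefaultScope = $default"
    Get-ChildItem $scopes | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
        Write-Output "  $($_.PSChildName)  URL = $url"
    }
}

# 3. Chrome startup URLs (the "CHR StartupUrls: Default" entry)
$pref = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences"
if (Test-Path $pref) {
    $urls = (Get-Content $pref -Raw | ConvertFrom-Json).session.startup_urls
    foreach ($u in $urls) { Write-Output "Chrome startup URL: $u" }
}

# 4. Tasks registered in the TaskCache whose task file under System32\Tasks
#    is missing; FRST reports these as "No Task File"
$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
Get-ChildItem $cache | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if (-not $p.Path) { return }
    $file = Join-Path "$env:SystemRoot\System32\Tasks" $p.Path.TrimStart('\')
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Output "Task: $($_.PSChildName) - $($p.Path) No Task File"
    }
}

# 5. Alternate data streams on the DLL the fixlist cleaned
Get-Item "$env:SystemRoot\SysWOW64\zlib.dll" -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { Write-Output "ADS on $($_.FileName): $($_.Stream) ($($_.Length) bytes)" }
```

Run it before and after the fix: the SearchScopes URLs, the Chrome startup list and the two "No Task File" entries should be gone afterwards, and zlib.dll should report no stream other than the default data stream.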
system
November 4, 2014, 8:27pm
3
I’ve run both, & it’s looking good so far. The 10-15 warnings I got on startup went away after the first tool was run.
AdwCleaner created “S0” instead of “S1” but I’m assuming it’s the right file since it’s what came up on restart.
Both logs attached. Thanks for your help.