
Flygon
Members

Posts: 8
Reputation: 0 Neutral
  1. Here's the RogueKiller log. ESET has not found anything. But I'm even more suspicious of this weird program called "BoxSync", along with an associated "BoxSyncMonitor", that was installed on the date of the infection (not by the owner of the RAY-PC computer), has been added to the startup menu, and runs continuously in the background. Is it possible for it to hide components of malware that could be loaded into main memory?

     RogueKiller V10.0.4.0 [Oct 29 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Ameritrust [Administrator]
     Mode : Scan -- Date : 10/30/2014 20:31:34

     ¤¤¤ Processes : 0 ¤¤¤

     ¤¤¤ Registry : 6 ¤¤¤
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3476807574-2247071187-784828177-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.umbc.edu/ -> Found
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3476807574-2247071187-784828177-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.umbc.edu/ -> Found
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

     ¤¤¤ Tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

     ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: SAMSUNG HM321HI +++++
     --- User ---
     [MBR] 04626e5a4a55686353628c4b29400d10
     [BSP] 8bfb4520fb3f9214ab25e8241c69417e : Windows Vista/7/8 MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
     1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB
     2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 290143 MB
     User = LL1 ... OK
     User = LL2 ... OK
  2. Sorry for the delay... it's been a tough work week so far also. Here are the results of the second computer:

     Fixlog.txt:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-10-2014
     Ran by Ameritrust at 2014-10-28 12:26:24 Run:1
     Running from C:\Users\Ameritrust\Downloads
     Loaded Profile: Ameritrust (Available profiles: Ameritrust)
     Boot Mode: Normal
     ==============================================

     Content of fixlist:
     *****************
     SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_mdaffmarmar_14_40_ie&cd=2XzuyEtN2Y1L1Qzu0CtD0Fzz0D0A0E0AzyyB0E0EzzyC0DyEtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyEzzzy0Bzy0CtB0EtGtD0AtC0DtG0CtD0ByCtGyCtDtCyDtGtA0F0E0CzyyEyEyDtCyEyB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB0Fzz0FtA0C0DtDtG0BtByBzztGyEyB0ByEtGzzyBtDtCtGyB0C0F0CyBzz0FtBtB0D0ByC2Q&cr=377971227&ir=
     SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_mdaffmarmar_14_40_ie&cd=2XzuyEtN2Y1L1Qzu0CtD0Fzz0D0A0E0AzyyB0E0EzzyC0DyEtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyEzzzy0Bzy0CtB0EtGtD0AtC0DtG0CtD0ByCtGyCtDtCyDtGtA0F0E0CzyyEyEyDtCyEyB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB0Fzz0FtA0C0DtDtG0BtByBzztGyEyB0ByEtGzzyBtDtCtGyB0C0F0CyBzz0FtBtB0D0ByC2Q&cr=377971227&ir=
     S2 70e6ca8c; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT
     C:\Users\Ameritrust\AppData\Local\Temp\ose00000.exe
     Task: {54C8B545-CDA9-47EB-B51A-052D5DE5265A} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
     Task: {F34CE79E-15A8-4CA7-B3B9-72DEE62D8631} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
     CustomCLSID: HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ameritrust\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
     CustomCLSID: HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Ameritrust\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
     CustomCLSID: HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Ameritrust\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
     c:\Program Files (x86)\Optimizer Pro
     CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_mdaffmarmar_14_40_ie&cd=
     CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_mdaffmarmar_14_40_ie&cd=
     CHR DefaultSearchKeyword: Default -> astromenda.com
     CHR DefaultSearchURL: Default -> http://astromenda.com/results.php?f=4&q={searchTerms}
     *****************

     HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
     "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
     "HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
     70e6ca8c => Service deleted successfully.
     C:\Users\Ameritrust\AppData\Local\Temp\ose00000.exe => Moved successfully.
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{54C8B545-CDA9-47EB-B51A-052D5DE5265A}" => Key deleted successfully.
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{54C8B545-CDA9-47EB-B51A-052D5DE5265A}" => Key deleted successfully.
     C:\Windows\System32\Tasks\LaunchSignup => Moved successfully.
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchSignup" => Key deleted successfully.
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F34CE79E-15A8-4CA7-B3B9-72DEE62D8631}" => Key deleted successfully.
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F34CE79E-15A8-4CA7-B3B9-72DEE62D8631}" => Key deleted successfully.
     C:\Windows\System32\Tasks\Optimizer Pro Schedule => Moved successfully.
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimizer Pro Schedule" => Key deleted successfully.
     "HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
     "HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
     "HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
     "c:\Program Files (x86)\Optimizer Pro" => File/Directory not found.
     Chrome HomePage deleted successfully.
     Chrome StartupUrls deleted successfully.
     Chrome DefaultSearchKeyword deleted successfully.
     Chrome DefaultSearchURL deleted successfully.
     ==== End of Fixlog ====

     AdwCleaner[S0].txt:

     # AdwCleaner v4.002 - Report created 28/10/2014 at 12:33:18
     # DB v # Updated 27/10/2014 by Xplode
     # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
     # Username : Ameritrust - RAY-PC
     # Running from : C:\Users\Ameritrust\Downloads\adwcleaner_4.002.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     ***** [ Scheduled Tasks ] *****

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\addthis.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\adobe.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\betrad.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\blackboard.umbc.edu
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bleepingcomputer.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\c.betrad.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ct1.addthis.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dailypuppy.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\doubleclick.net
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\egnyte.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.wikipedia.org
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\espn.go.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\facebook.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\get3.adobe.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\go.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\google.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\googleads.g.doubleclick.net
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\imrworldwide.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mail.google.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\malwarebytes.org
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\microsoft.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\msn.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\plus.google.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\secure-us.imrworldwide.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\serving-sys.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\support.microsoft.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\theblow.us
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\umbc.edu
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\wikipedia.org
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www-avl.egnyte.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.bleepingcomputer.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.dailypuppy.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.facebook.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.msn.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.your-story.org
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.youtube.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\yimg.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\your-story.org
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\youtube.com

     ***** [ Browsers ] *****

     -\\ Internet Explorer v11.0.9600.17344

     -\\ Mozilla Firefox v30.0 (en-US)

     [wjflio6g.default] - Line Deleted : # Mozilla User Preferences
     [wjflio6g.default] - Line Deleted :
     [wjflio6g.default] - Line Deleted : /* Do not edit this file.
     [wjflio6g.default] - Line Deleted : *
     [wjflio6g.default] - Line Deleted : * If you make changes to this file while the application is running,
     [wjflio6g.default] - Line Deleted : * the changes will be overwritten when the application exits.
     [wjflio6g.default] - Line Deleted : *
     [wjflio6g.default] - Line Deleted : * To make a manual change to preferences, you can visit the URL about:config
     [wjflio6g.default] - Line Deleted : */
     [wjflio6g.default] - Line Deleted :
     [wjflio6g.default] - Line Deleted : user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1413765162);
     [wjflio6g.default] - Line Deleted : user_pref("app.update.lastUpdateTime.background-update-timer", 1413808722);
     [wjflio6g.default] - Line Deleted : user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1414246589);
     [wjflio6g.default] - Line Deleted : user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1414246469);
     [wjflio6g.default] - Line Deleted : user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1413830202);
     [wjflio6g.default] - Line Deleted : user_pref("app.update.migrated.updateDir", true);
     [wjflio6g.default] - Line Deleted : user_pref("browser.anchor_color", "#0000FF");
     [wjflio6g.default] - Line Deleted : user_pref("browser.bookmarks.restore_default_bookmarks", false);
     [wjflio6g.default] - Line Deleted : user_pref("browser.cache.disk.capacity", 358400);
     [wjflio6g.default] - Line Deleted : user_pref("browser.cache.disk.smart_size.first_run", false);
     [wjflio6g.default] - Line Deleted : user_pref("browser.cache.disk.smart_size.use_old_max", false);
     [wjflio6g.default] - Line Deleted : user_pref("browser.cache.disk.smart_size_cached_value", 358400);
     [wjflio6g.default] - Line Deleted : user_pref("browser.display.background_color", "#C0C0C0");
     [wjflio6g.default] - Line Deleted : user_pref("browser.display.use_system_colors", true);
     [wjflio6g.default] - Line Deleted : user_pref("browser.download.importedFromSqlite", true);
     [wjflio6g.default] - Line Deleted : user_pref("browser.download.panel.shown", true);
     [wjflio6g.default] - Line Deleted : user_pref("browser.migration.version", 22);
     [wjflio6g.default] - Line Deleted : user_pref("browser.newtabpage.enabled", false);
     [wjflio6g.default] - Line Deleted : user_pref("browser.newtabpage.storageVersion", 1);
     [wjflio6g.default] - Line Deleted : user_pref("browser.pagethumbnails.storage_version", 3);
     [wjflio6g.default] - Line Deleted : user_pref("browser.places.smartBookmarksVersion", 7);
     [wjflio6g.default] - Line Deleted : user_pref("browser.preferences.advanced.selectedTabIndex", 1);
     [wjflio6g.default] - Line Deleted : user_pref("browser.rights.3.shown", true);
     [wjflio6g.default] - Line Deleted : user_pref("browser.sessionstore.upgradeBackup.latestBuildID", "20140605174243");
     [wjflio6g.default] - Line Deleted : user_pref("browser.slowStartup.averageTime", 3425);
     [wjflio6g.default] - Line Deleted : user_pref("browser.slowStartup.samples", 2);
     [wjflio6g.default] - Line Deleted : user_pref("browser.startup.homepage_override.buildID", "20140605174243");
     [wjflio6g.default] - Line Deleted : user_pref("browser.startup.homepage_override.mstone", "30.0");
     [wjflio6g.default] - Line Deleted : user_pref("browser.taskbar.lastgroupid", "E7CF176E110C211B");
     [wjflio6g.default] - Line Deleted : user_pref("browser.visited_color", "#800080");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.healthreport.lastDataSubmissionRequestedTime", "1414246469245");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.healthreport.lastDataSubmissionSuccessfulTime", "1414246493167");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.healthreport.nextDataSubmissionTime", "1414332893167");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.healthreport.service.firstRun", true);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.policy.dataSubmissionPolicyAccepted", true);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.policy.dataSubmissionPolicyAcceptedVersion", 1);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.policy.dataSubmissionPolicyNotifiedTime", "1389033473583");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.policy.dataSubmissionPolicyResponseTime", "1389034909528");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.policy.dataSubmissionPolicyResponseType", "accepted-info-bar-button-pressed");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.policy.firstRunTime", "1387740583355");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.activeTicks", 19);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.clean", true);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.firstPaint", 3210);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.main", 811);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.sessionRestored", 3477);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.startTime", "1413764799637");
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.current.totalTime", 481847);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.currentIndex", 17);
     [wjflio6g.default] - Line Deleted : user_pref("datareporting.sessions.prunedIndex", 16);
     [wjflio6g.default] - Line Deleted : user_pref("dom.mozApps.used", true);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.AL", 2);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.aflt", "ast_mdaffmarmar_14_40_ie");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.appId", "{9CB2CD61-FFA0-406C-9D2D-8FDE6F4A4D8A}");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.cd", "2XzuyEtN2Y1L1Qzu0CtD0Fzz0D0A0E0AzyyB0E0EzzyC0DyEtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyEzzzy0Bzy0CtB0EtGtD0AtC0Dt[...]
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.cr", "377971227");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.dfltLng", "");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.dfltSrch", true);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.dnsErr", true);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.excTlbr", false);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.hmpg", true);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.hmpgUrl", "hxxp://astromenda.com/?f=1&a=ast_mdaffmarmar_14_40_ie&cd=2XzuyEtN2Y1L1Qzu0CtD0Fzz0D0A0E0AzyyB0E0EzzyC0DyEtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCy[...]
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.id", "C0F8DAEA97EE86D4");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.instlDay", "16348");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.instlRef", "142905_b");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.newTabUrl", "hxxp://astromenda.com/?f=2&a=ast_mdaffmarmar_14_40_ie&cd=2XzuyEtN2Y1L1Qzu0CtD0Fzz0D0A0E0AzyyB0E0EzzyC0DyEtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1Czut[...]
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.prdct", "astrmndasr");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.prtnrId", "WSE_Astromenda");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.srchPrvdr", "Astromenda");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.tlbrId", "");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.tlbrSrchUrl", "hxxp://astromenda.com/?f=3&a=ast_mdaffmarmar_14_40_ie&cd=2XzuyEtN2Y1L1Qzu0CtD0Fzz0D0A0E0AzyyB0E0EzzyC0DyEtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1Cz[...]
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.vrsn", "");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr.vrsni", "");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr_i.newTab", true);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr_i.smplGrp", "none");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.astrmndasr_i.vrsnTs", "12:58:37");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.blocklist.pingCountTotal", 58);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.blocklist.pingCountVersion", 3);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.databaseSchema", 16);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.enabledAddons", "%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:30.0");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.getAddons.databaseSchema", 5);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.hotfix.lastVersion", "20140527.01.3");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.lastAppVersion", "30.0");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.lastPlatformVersion", "30.0");
     [wjflio6g.default] - Line Deleted : user_pref("extensions.pendingOperations", false);
     [wjflio6g.default] - Line Deleted : user_pref("extensions.shownSelectionUI", true);
     [wjflio6g.default] - Line Deleted : user_pref("gecko.buildID", "20140605174243");
     [wjflio6g.default] - Line Deleted : user_pref("gecko.mstone", "30.0");
     [wjflio6g.default] - Line Deleted : user_pref("gfx.direct3d.checkDX10", false);
     [wjflio6g.default] - Line Deleted : user_pref("idle.lastDailyNotification", 1413807368);
     [wjflio6g.default] - Line Deleted : user_pref("intl.charsetmenu.browser.cache", "x-windows-949, windows-1252, ISO-8859-1, UTF-8");
     [wjflio6g.default] - Line Deleted : user_pref("network.cookie.prefsMigrated", true);
     [wjflio6g.default] - Line Deleted : user_pref("network.proxy.type", 0);
     [wjflio6g.default] - Line Deleted : user_pref("pdfjs.database", "{\"files\":[{\"fingerprint\":\"f2a3deb22b665a7ed59eb14f714842\",\"exists\":true,\"page\":24,\"zoom\":\"auto\",\"scrollLeft\":0,\"scrollTop\":729},{\"fingerprint\":\"a25314[...]
     [wjflio6g.default] - Line Deleted : user_pref("pdfjs.migrationVersion", 1);
     [wjflio6g.default] - Line Deleted : user_pref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);
     [wjflio6g.default] - Line Deleted : user_pref("pdfjs.previousHandler.preferredAction", 4);
     [wjflio6g.default] - Line Deleted : user_pref("places.database.lastMaintenance", 1414246490);
     [wjflio6g.default] - Line Deleted : user_pref("places.history.expiration.transient_current_max_pages", 76931);
     [wjflio6g.default] - Line Deleted : user_pref("plugin.disable_full_page_plugin_for_types", "application/pdf");
     [wjflio6g.default] - Line Deleted : user_pref("plugin.importedState", true);
     [wjflio6g.default] - Line Deleted : user_pref("print_printer", "Canon Inkjet i80");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_bgcolor", false);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_bgimages", false);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_colorspace", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_command", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_downloadfonts", false);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_edge_bottom", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_edge_left", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_edge_right", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_edge_top", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_evenpages", true);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_footercenter", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_footerleft", "&PT");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_footerright", "&D");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_headercenter", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_headerleft", "&T");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_headerright", "&U");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_in_color", true);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_margin_bottom", "0.5");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_margin_left", "0.5");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_margin_right", "0.5");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_margin_top", "0.5");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_oddpages", true);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_orientation", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_page_delay", 50);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_paper_data", 1);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_paper_height", " 11.00");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_paper_name", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_paper_size_type", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_paper_size_unit", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_paper_width", " 8.50");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_plex_name", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_resolution_name", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_reversed", false);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_scaling", " 1.00");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_shrink_to_fit", true);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_to_file", false);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_to_filename", "");
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_unwriteable_margin_bottom", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_unwriteable_margin_left", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_unwriteable_margin_right", 0);
     [wjflio6g.default] - Line Deleted : user_pref("printer_Canon_Inkjet_i80.print_unwriteable_margin_top", 0);
     [wjflio6g.default] - Line Deleted : user_pref("privacy.sanitize.migrateFx3Prefs", true);
     [wjflio6g.default] - Line Deleted : user_pref("security.warn_viewing_mixed", false);
     [wjflio6g.default] - Line Deleted : user_pref("services.sync.clients.lastSync", "0");
     [wjflio6g.default] - Line Deleted : user_pref("services.sync.clients.lastSyncLocal", "0");
     [wjflio6g.default] - Line Deleted : user_pref("services.sync.migrated", true);
     [wjflio6g.default] - Line Deleted : user_pref("services.sync.tabs.lastSync", "0");
     [wjflio6g.default] - Line Deleted : user_pref("services.sync.tabs.lastSyncLocal", "0");
     [wjflio6g.default] - Line Deleted : user_pref("signon.rememberSignons", false);
     [wjflio6g.default] - Line Deleted : user_pref("storage.vacuum.last.index", 0);
     [wjflio6g.default] - Line Deleted : user_pref("storage.vacuum.last.places.sqlite", 1413807369);
     [wjflio6g.default] - Line Deleted : user_pref("toolkit.startup.last_success", 1413764800);
     [wjflio6g.default] - Line Deleted : user_pref("toolkit.telemetry.previousBuildID", "20140605174243");
     [wjflio6g.default] - Line Deleted : user_pref("toolkit.telemetry.prompted", 2);
     [wjflio6g.default] - Line Deleted : user_pref("toolkit.telemetry.rejected", true);
     [wjflio6g.default] - Line Deleted : user_pref("urlclassifier.keyupdatetime.hxxps://sb-ssl.google.com/safebrowsing/newkey", 1395710166);
     [wjflio6g.default] - Line Deleted : user_pref("xpinstall.whitelist.add", "");
     [wjflio6g.default] - Line Deleted : user_pref("xpinstall.whitelist.add.180", "");
     [wjflio6g.default] - Line Deleted : user_pref("xpinstall.whitelist.add.36", "");

     -\\ Google Chrome v

     *************************

     AdwCleaner[R0].txt - [20976 octets] - [28/10/2014 12:31:25]
     AdwCleaner[S0].txt - [21309 octets] - [28/10/2014 12:33:18]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [21370 octets] ##########

     JRT.txt:

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Thisisu
     Version: 6.3.3 (10.21.2014:1)
     OS: Windows 7 Home Premium x64
     Ran by Ameritrust on Tue 10/28/2014 at 12:42:55.87
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ~~~ Services

     ~~~ Registry Values

     ~~~ Registry Keys

     ~~~ Files

     Successfully deleted: [File] "C:\Windows\wininit.ini"

     ~~~ Folders

     ~~~ FireFox

     Successfully deleted: [File] C:\Users\Ameritrust\AppData\Roaming\mozilla\firefox\profiles\wjflio6g.default\user.js
     Emptied folder: C:\Users\Ameritrust\AppData\Roaming\mozilla\firefox\profiles\wjflio6g.default\minidumps [5 files]

     ~~~ Event Viewer Logs were cleared

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Tue 10/28/2014 at 12:45:53.58
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Some worrying programs still around that may or may not have been connected/used by the attacker:
     BoxSync.exe
     SearchIndexer.exe
     SearchProtocolHost.exe
     SearchFilterHost.exe
     UdaterUI.exe
     LogonUI.exe
     dsNcService.exe

     Still seeing "COM Surrogate" dllhost.exe pop up occasionally & periodic network spikes when offline.
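An added example, not code from this thread, from Farbar or from any of the tools whose logs are posted above: a small Python triage script that reads fixlist entries in the shape FRST prints them (the service, scheduled-task, CustomCLSID, SearchScopes and CHR lines seen in the Fixlog above), flags the patterns a responder would want to look at twice, and buckets the "=> ..." result lines so that items FRST reported as not found are not mistaken for removed ones. The sample text is constructed from entries in that log; the one-entry-per-line layout, the rundll32/Temp/AppData heuristics and the trusted-host list are this script's assumptions, not FRST's own rules.

```python
"""Added example, not part of the thread or of FRST: triage FRST-style fixlist
entries and Fixlog result lines. One entry per line, the heuristics and the
trusted-host list are assumptions of this script."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: entries copied from the Fixlog above, one per line.
SAMPLE_FIXLIST = r"""
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}
S2 70e6ca8c; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT
C:\Users\Ameritrust\AppData\Local\Temp\ose00000.exe
Task: {54C8B545-CDA9-47EB-B51A-052D5DE5265A} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3476807574-2247071187-784828177-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ameritrust\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CHR DefaultSearchURL: Default -> hxxp://astromenda.com/results.php?f=4&q={searchTerms}
"""

# Constructed sample of the result lines FRST writes after applying a fix.
SAMPLE_RESULTS = r"""
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
70e6ca8c => Service deleted successfully.
C:\Users\Ameritrust\AppData\Local\Temp\ose00000.exe => Moved successfully.
"c:\Program Files (x86)\Optimizer Pro" => File/Directory not found.
"""

TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}  # assumption: the owner's expected providers

SERVICE_RE = re.compile(r'^S\d\s+(\S+?);\s*(.+)$')
TASK_RE = re.compile(r'^Task:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)\s*=>\s*(.*?)(\s*<====\s*ATTENTION)?$')
CLSID_RE = re.compile(r'^CustomCLSID:\s*(\S+)\s*->\s*(.*?)(\s+No File)?$')
SCOPE_RE = re.compile(r'^SearchScopes:\s*(.*?)\s*URL\s*=\s*(\S+)$')
CHR_RE = re.compile(r'^CHR\s+(\w+):\s*(\S+)\s*->\s*"?(\S+?)"?$')
PATH_RE = re.compile(r'^[A-Za-z]:\\\S')
RESULT_RE = re.compile(r'^(.*?)\s*=>\s*(.*?)\.?$')


@dataclass
class Finding:
    kind: str
    target: str
    reasons: list = field(default_factory=list)


def _host(url):
    # FRST defangs URLs as hxxp://; restore the scheme so urlparse finds the host.
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def _url_finding(kind, where, url):
    f = Finding(kind, where)
    host = _host(url)
    if host and host not in TRUSTED_SEARCH_HOSTS:
        f.reasons.append(f"search/start page points to {host}")
    return f


def triage(fixlist_text):
    """Parse one fixlist entry per line into Findings; reasons are the red flags."""
    findings = []
    for line in (l.strip() for l in fixlist_text.splitlines()):
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            name, cmd = m.groups()
            f = Finding("service", name)
            dll = re.search(r'rundll32\.exe"?\s+"?([^",]+)', cmd, re.I)
            if dll and not dll.group(1).lower().startswith("c:\\windows\\"):
                f.reasons.append(f"rundll32 loads a DLL outside %SystemRoot%: {dll.group(1)}")
            if re.fullmatch(r"[0-9a-f]{8}", name):
                f.reasons.append("service name is eight random-looking hex digits")
        elif m := TASK_RE.match(line):
            guid, path, target, attn = m.groups()
            f = Finding("task", target)
            if attn:
                f.reasons.append(f"FRST marked task {path} ({guid}) with ATTENTION")
        elif m := CLSID_RE.match(line):
            key, dll, missing = m.groups()
            f = Finding("customclsid", dll)
            if missing:
                f.reasons.append("InprocServer32 points to a missing DLL (dangling COM registration)")
            if "\\appdata\\" in dll.lower():
                f.reasons.append("COM server DLL lives under a user profile")
        elif m := SCOPE_RE.match(line):
            f = _url_finding("searchscope", *m.groups())
        elif m := CHR_RE.match(line):
            setting, profile, url = m.groups()
            f = _url_finding("chrome", f"{setting}/{profile}", url)
        elif PATH_RE.match(line):
            f = Finding("file", line)
            if "\\temp\\" in line.lower() and line.lower().endswith(".exe"):
                f.reasons.append("executable staged in a Temp directory")
        else:
            f = Finding("unknown", line)
        findings.append(f)
    return findings


def suspicious(findings):
    return [f for f in findings if f.reasons]


def summarize_results(fixlog_text):
    """Bucket '<item> => <outcome>' lines so leftovers ('not found') stand out."""
    out = {"done": [], "not_found": [], "other": []}
    for line in (l.strip() for l in fixlog_text.splitlines()):
        if not (m := RESULT_RE.match(line)):
            continue
        item, outcome = m.group(1).strip('"'), m.group(2).lower()
        bucket = "not_found" if "not found" in outcome else "done" if "successfully" in outcome else "other"
        out[bucket].append(item)
    return out


if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_FIXLIST)):
        print(f"[{f.kind}] {f.target}")
        for r in f.reasons:
            print("   -", r)
    res = summarize_results(SAMPLE_RESULTS)
    print(f"\n{len(res['done'])} removed, {len(res['not_found'])} not present at fix time:")
    for item in res["not_found"]:
        print("   -", item)
```

Run as a script it prints the six flagged entries and the two items FRST could not find. The "not found" bucket is the one worth reading back: a key or folder that was already absent when the fix ran either was removed earlier by another tool or was never there, and either way it is not evidence that the fix worked on it.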
  3. This computer refused to even let me copy the details without uploading. It seems very busted atm. FRST.txt Addition.txt
  4. I was suspecting that my computer was not the source of the issue, and now I think I solved the question of how the virus got on my computer in the first place. When checking the list of network accesses, I realized that about the time of the infection, another computer on my home network had made an unusually large number of connections. Not only that, it looked like it was trying to happen again. I think the only way to solve this for good is to repair this second computer. It had been infected with some kind of Astromenda at the very least, and while we thought it had been repaired, it is clear to me that it wasn't. I shut down my main computer, and I am running Malwarebytes and will run FRST as soon as it's finished on this second computer. I'll reply when it's finished with the logs.
  5. Results of screen317's Security Check version 0.99.89
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     Microsoft Security Essentials
     Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     SpywareBlaster 5.0
     Spybot - Search & Destroy
     Java 7 Update 67
     Adobe Flash Player 15.0.0.152
     Adobe Reader 10.1.12 Adobe Reader out of Date!
     Google Chrome 38.0.2125.101
     Google Chrome 38.0.2125.104
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
     Microsoft Security Essentials msseces.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
  6. Done, and thanks! JRT.txt AdwCleanerS0.txt Malwarebytes did not pick up anything in its scan, by the way.
  7. Thanks for your help so far. Here are the requested log files: Fixlog.txt ComboFix.txt
  8. I was recently (suspected to be 10/18/2014) infected with what appears to be a version of the Poweliks virus. FRST seems to have confirmed this. Can you please help me in removing this pest from my system? FRST.txt Addition.txt