marc620
So far so good. Haven't seen any of the ads coming up yet. Thanks so much for all the help. I will reply back if I see them again.
-
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Cullari1 at 2015-03-20 12:49:16 Run:1
Running from C:\Users\Cullari1\Downloads\FRST
Loaded Profiles: Cullari1 (Available profiles: Cullari1)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
S1 eeestogk; \??\C:\Windows\system32\drivers\eeestogk.sys [X]
S1 fkquwbeb; \??\C:\Windows\system32\drivers\fkquwbeb.sys [X]
S1 hdtawqtq; \??\C:\Windows\system32\drivers\hdtawqtq.sys [X]
S1 ivknuxgo; \??\C:\Windows\system32\drivers\ivknuxgo.sys [X]
U2 WZCSVC; No ImagePath
C:\Windows\Tasks\AUSAMRFZ.job
C:\Windows\System32\Tasks\AUSAMRFZ
C:\Windows\System32\Tasks\CloudHIDEAWAY
C:\Windows\system32\drivers\eeestogk.sys
C:\Windows\system32\drivers\fkquwbeb.sys
C:\Windows\system32\drivers\hdtawqtq.sys
C:\Windows\system32\drivers\ivknuxgo.sys
Task: {B009674C-7246-4161-B9AC-D5155ACDF467} - System32\Tasks\AUSAMRFZ => C:\Users\Cullari1\AppData\Roaming\AUSAMRFZ.exe
Task: C:\Windows\Tasks\AUSAMRFZ.job => C:\Users\Cullari1\AppData\Roaming\AUSAMRFZ.exe <
C:\Users\Cullari1\AppData\Roaming\AUSAMRFZ.exe
Task: {007AA975-83E3-48D6-BD53-03F7673814C4} - System32\Tasks\CloudHIDEAWAY => C:\Program Files (x86)\CloudScout Parental Control\CloudHIDEAWAY.exe
C:\Program Files (x86)\CloudScout Parental Control
*****************

"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => Key not found.
eeestogk => Service deleted successfully.
fkquwbeb => Service deleted successfully.
hdtawqtq => Service deleted successfully.
ivknuxgo => Service deleted successfully.
WZCSVC => Service deleted successfully.
C:\Windows\Tasks\AUSAMRFZ.job => Moved successfully.
C:\Windows\System32\Tasks\AUSAMRFZ => Moved successfully.
"C:\Windows\System32\Tasks\CloudHIDEAWAY" => File/Directory not found.
"C:\Windows\system32\drivers\eeestogk.sys" => File/Directory not found.
"C:\Windows\system32\drivers\fkquwbeb.sys" => File/Directory not found.
"C:\Windows\system32\drivers\hdtawqtq.sys" => File/Directory not found.
"C:\Windows\system32\drivers\ivknuxgo.sys" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B009674C-7246-4161-B9AC-D5155ACDF467}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B009674C-7246-4161-B9AC-D5155ACDF467}" => Key deleted successfully.
C:\Windows\System32\Tasks\AUSAMRFZ not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AUSAMRFZ" => Key deleted successfully.
C:\Windows\Tasks\AUSAMRFZ.job not found.
"C:\Users\Cullari1\AppData\Roaming\AUSAMRFZ.exe" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{007AA975-83E3-48D6-BD53-03F7673814C4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{007AA975-83E3-48D6-BD53-03F7673814C4}" => Key deleted successfully.
C:\Windows\System32\Tasks\CloudHIDEAWAY not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CloudHIDEAWAY" => Key deleted successfully.
"C:\Program Files (x86)\CloudScout Parental Control" => File/Directory not found.

==== End of Fixlog 12:49:17 ====
-
CloudScout Parental Control is not in my programs list so I can't remove it. The folder also doesn't seem to exist. I have hidden files showing. I do not know what those files are that are in the SysWow folder. I actually don't see those in the folder either. Not sure if they were quarantined or not.
-
Thanks for the reply. MalwareBytes log is attached. Here is the log for RogueKiller:

RogueKiller V10.5.5.0 (x64) [Mar 16 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cullari1 [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 03/20/2015 10:52:40

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 14 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-969993141-2131226045-2370904864-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 2 ¤¤¤
[suspicious.Path] AUSAMRFZ.job -- C:\Users\Cullari1\AppData\Roaming\AUSAMRFZ.exe (/infocmdline=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) -> Found
[suspicious.Path] \\AUSAMRFZ -- C:\Users\Cullari1\AppData\Roaming\AUSAMRFZ.exe (/infocmdline=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) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 18 (Driver: Loaded) ¤¤¤
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - LdrLoadDll : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b900c (jmp 0xfffffffff581cb2f)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtFlushBuffersFile : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x60e3d181 (jmp 0xffffffffe9ebd1c5)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtReadFile : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x60e3d1bb (jmp 0xffffffffe9ebd8cb)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteFile : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x60e3d5e5 (jmp 0xffffffffe9ebdcbd)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtCreateFile : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x60e3d441 (jmp 0xffffffffe9ebd38d)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtReadFileScatter : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x61223d7d (jmp 0xffffffffea2a4099)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtWriteFileGather : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x61223dcd (jmp 0xffffffffea2a42c1)
[iAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtQueryFullAttributesFile : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x60e3d2b9 (jmp 0xffffffffe9ebbf7d)
[iAT:Inl(Hook.IEAT)] (firefox.exe) nss3.dll - PR_smprintf_free : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b39f0 (jmp dword near [0x692e23d0])
[iAT:Inl(Hook.IEAT)] (firefox.exe) nss3.dll - PR_Calloc : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b1730 (jmp dword near [0x692e23cc])
[iAT:Inl(Hook.IEAT)] (firefox.exe) nss3.dll - PR_Realloc : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b1a30 (jmp dword near [0x692e23d8])
[iAT:Inl(Hook.IEAT)] (firefox.exe) nss3.dll - PR_Malloc : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b25f0 (jmp dword near [0x692e23d4])
[iAT:Inl(Hook.IEAT)] (firefox.exe) mozalloc.dll - moz_free : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b39f0 (jmp dword near [0x6dff20a8])
[iAT:Inl(Hook.IEAT)] (firefox.exe) mozalloc.dll - moz_malloc : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b25f0 (jmp dword near [0x6dff20a0])
[iAT:Inl(Hook.IEAT)] (firefox.exe) mozalloc.dll - moz_realloc : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b1a30 (jmp dword near [0x6dff2094])
[iAT:Inl(Hook.IEAT)] (firefox.exe) mozalloc.dll - moz_calloc : P:\Program Files (x86)\Mozilla Firefox\mozglue.dll @ 0x6c7b1730 (jmp dword near [0x6dff20a4])
[iAT:Inl(Hook.IEAT)] (firefox.exe) icuuc52.dll - uprv_tzset_52 : P:\Program Files (x86)\Mozilla Firefox\MSVCR120.dll @ 0x6935f703 (jmp dword near [0x69018160])
[iAT:Inl(Hook.IEAT)] (firefox.exe) USER32.dll - GetWindowInfo : P:\Program Files (x86)\Mozilla Firefox\xul.dll @ 0x61cffa10 (jmp 0xffffffffebf7de51)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EARS-00MVWB0 ATA Device +++++
--- User ---
[MBR] 6a740bc863331ce7f91634bcb9687cb5
[bSP] fc09bd20ed958f641dc8d5ec2afb54c8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 253767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 519921664 | Size: 340000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1216241664 | Size: 360000 MB
User = LL1 ... OK
User = LL2 ... OK

MalwareLog03-20-15.txt
-
Anyone? This is so frustrating.
-
I have been having trouble removing the Ad by CloudScout adware that a lot of people seem to be dealing with lately. I have run ADWCleaner, MalwareBytes and multiple other Malware/Adware scanners multiple times and still cannot get it removed. I am attaching the FRST logs to this post.
Addition.txt FRST.txt