just_apparently_stupid

Members, 38 posts
  1. About a month ago I started getting a Microsoft certificate error on my Facebook page. I just clicked on "show content" without thinking about it (dumb). Then a week ago I got a pop-up saying they needed to check if the name I use there is valid. I clicked "ask again". Tonight it did. And I am shocked at what they are asking for. This must be a hack and scam, but I've not found anything on the net. I ran Malwarebytes and it did remove one Trojan. I restarted but am still getting the same pop-up. Here is what it looks like. Anyone know if this is legit or can help me? Thank you.

****
Submit Your Documents

We ask everyone on Facebook to use the name they go by in everyday life so friends know who they're connecting with. Please provide identification that displays the name you'd like to confirm and use publicly on Facebook. Keep in mind that if you confirm a name other than the one currently on your profile, the name on your profile may be automatically updated with the name you confirm. Learn more about why we require ID verification and the different types of ID we accept below.

What types of ID does Facebook accept?

You can confirm your identity in 1 of 3 ways. When submitting documentation, please cover up any personal information we don't need to verify your identity (ex: credit card number, Social Security number). We encrypt people's connections to Facebook by default, including IDs you send to us. We delete your ID information after verification is complete.

Option 1

We will accept any government-issued ID that contains your name and date of birth. Examples include:
■ Birth certificate
■ Driver's license
■ Passport
■ Marriage certificate
■ Official name change paperwork
■ Personal or vehicle insurance card
■ Non-driver's government ID (ex: disability, SNAP card, national ID card)
■ Green card, residence permit or immigration papers
■ Tribal identification or status card
■ Voter ID card

Option 2

You can provide two different forms of ID from the following list (ex: a bank statement and a library card, but not two bank statements). The names on your IDs must match each other, and one of the IDs must include a photo or date of birth that matches the information on your profile. Below are some examples of IDs we'll accept:
■ Bank statement
■ Bus card
■ Check
■ Credit card
■ Employment verification
■ Library card
■ Mail
■ Magazine subscription stub
■ Medical record
■ Membership ID (ex: pension card, union membership, work ID, professional ID)
■ Paycheck stub
■ Permit
■ School card
■ School record
■ Social Security card
■ Utility bill
■ Yearbook photo (actual scan or photograph of the page in your yearbook)

Option 3

If you don't have an ID that shows your authentic name as well as your photo or date of birth, you can provide two forms of ID from Option 2 above, and then provide a government ID that includes a date of birth or photo that matches the information on your profile. We won't add the name or other information from the government ID to your account.

Last edited about 2 months ago
****

Thanks again for help!
  2. I deleted the programs I did not want in the "Safe Zone". The SecurityCheck program seemed to run fine. No abort message. Here is the report.

********
Results of screen317's Security Check version 0.99.73
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG AntiVirus Free Edition 2013
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java 6 Update 22
Java SE Runtime Environment 6 Update 1
Java 6 Update 3
Java 6 Update 7
Java version out of Date!
Adobe Flash Player 11.6.602.171
Adobe Reader 9
Adobe Reader out of Date!
Mozilla Firefox 19.0
Firefox out of Date!
Google Chrome 29.0.1547.57
Google Chrome 29.0.1547.62
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
  3. Here are the two reports from AdwCleaner. I did run clean; there was just one process discovered and the first scan took less than a minute. More to follow after the report posts.

*****
# AdwCleaner v3.001 - Report created 28/08/2013 at 19:29:57
# Updated 24/08/2013 by Xplode
# Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
# Username : od - OD-PC
# Running from : C:\Users\od\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : RadioRage_4jService

***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\plugin@yontoo.com.xpi
File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\searchplugins\Conduit.xml
File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\user.js
File Found : C:\Windows\system32\roboot.exe
Folder Found : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
Folder Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\{5373a31d-9410-45e2-b299-4f61428f0be4}
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\Yontoo Layers Runtime
Folder Found C:\ProgramData\Tarma Installer
Folder Found C:\Users\Jim\AppData\LocalLow\AVG Secure Search
Folder Found C:\Users\Jim\AppData\LocalLow\AVG Security Toolbar
Folder Found C:\Users\od\AppData\Local\Conduit
Folder Found C:\Users\od\AppData\Local\cre
Folder Found C:\Users\od\AppData\Local\visi_coupon
Folder Found C:\Users\od\AppData\LocalLow\Conduit
Folder Found C:\Users\od\AppData\LocalLow\PriceGong
Folder Found C:\Users\od\AppData\Roaming\file scout
Folder Found C:\Users\od\AppData\Roaming\iWin
Folder Found C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
Folder Found C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\CT3279415
Folder Found C:\Users\od\AppData\Roaming\PerformerSoft
Folder Found C:\Users\od\AppData\Roaming\SpeedAnalysis2

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\RadioRage_4j
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
Key Found : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
Key Found : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5C9CB1C-1C0A-45A2-81CC-1DD342D0A478}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A661D4DC-4BD8-48FC-964B-A24AB8157DE6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5731AB1-8566-4441-AEFB-9AFB2EEA63D9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F706E19B-6C14-4272-BA98-2F16636A898D}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@RadioRage_4j.com/Plugin
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Mozilla Firefox v19.0 (en-US)

[ File : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\prefs.js ]

Line Found : user_pref("CT3279415.FF19Solved", "true");
Line Found : user_pref("CT3279415.UserID", "UN19129399441273304");
Line Found : user_pref("CT3279415.addressUrlXPETakeover", "true");
Line Found : user_pref("CT3279415.autoDisableScopes", 0);
Line Found : user_pref("CT3279415.browser.search.defaultthis.engineName", "true");
Line Found : user_pref("CT3279415.defaultSearchXPETakeover", "true");
Line Found : user_pref("CT3279415.fullUserID", "UN19129399441273304.IN.2013063031324");
Line Found : user_pref("CT3279415.installDate", "30/06/2013 3:13:23");
Line Found : user_pref("CT3279415.installSessionId", "{BDA88354-ECF8-4E88-A782-3B43812DE4A7}");
Line Found : user_pref("CT3279415.installSp", "TRUE");
Line Found : user_pref("CT3279415.installerVersion", "1.5.4.1");
Line Found : user_pref("CT3279415.keyword", "true");
Line Found : user_pref("CT3279415.originalHomepage", "about:home");
Line Found : user_pref("CT3279415.originalSearchAddressUrl", "");
Line Found : user_pref("CT3279415.originalSearchEngine", "");
Line Found : user_pref("CT3279415.searchRevert", "false");
Line Found : user_pref("CT3279415.searchUserMode", "2");
Line Found : user_pref("CT3279415.smartbar.homepage", "true");
Line Found : user_pref("CT3279415.startPageXPETakeover", "true");
Line Found : user_pref("CT3279415.versionFromInstaller", "10.16.4.19");
Line Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Found : user_pref("browser.search.defaultthis.engineName", "appbario16 Customized Web Search");
Line Found : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");
Line Found : user_pref("extentions.y2layers.defaultEnableAppsList", "PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,");
Line Found : user_pref("extentions.y2layers.installId", "ebdc91c5-079c-4400-a0af-2db967a641b1");
Line Found : user_pref("extentions.y2layers.lastDnsTest", 370955);
Line Found : user_pref("smartbar.addressBarOwnerCTID", "CT3279415");
Line Found : user_pref("smartbar.defaultSearchOwnerCTID", "CT3279415");
Line Found : user_pref("smartbar.homePageOwnerCTID", "CT3279415");
Line Found : user_pref("smartbar.machineId", "G0D2Z+61BXF3N1INIK1X6GFI44S5NAGGGEELVCC+DHLCNZWRQQSCZ9MPVONVBPN0BJXBBBDBP7EA+GR5OFUZSW");

-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup

[ File : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [12641 octets] - [28/08/2013 19:29:57]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [12702 octets] ##########

SECOND REPORT AFTER CLEANING...

******
# AdwCleaner v3.001 - Report created 29/08/2013 at 22:43:58
# Updated 24/08/2013 by Xplode
# Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
# Username : od - OD-PC
# Running from : C:\Users\od\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : RadioRage_4jService

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\MyPC Backup
Folder Deleted : C:\Program Files\Yontoo Layers Runtime
Folder Deleted : C:\Users\od\AppData\Local\Conduit
Folder Deleted : C:\Users\od\AppData\Local\cre
Folder Deleted : C:\Users\od\AppData\Local\visi_coupon
Folder Deleted : C:\Users\od\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\od\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\od\AppData\Roaming\file scout
Folder Deleted : C:\Users\od\AppData\Roaming\iWin
Folder Deleted : C:\Users\od\AppData\Roaming\PerformerSoft
Folder Deleted : C:\Users\od\AppData\Roaming\SpeedAnalysis2
Folder Deleted : C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
Folder Deleted : C:\Users\Jim\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Jim\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\CT3279415
Folder Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\{5373a31d-9410-45e2-b299-4f61428f0be4}
Folder Deleted : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
[!] Folder Deleted : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\plugin@yontoo.com.xpi
File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\system32\roboot.exe
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\searchplugins\Conduit.xml
File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\user.js

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@RadioRage_4j.com/Plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F706E19B-6C14-4272-BA98-2F16636A898D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5C9CB1C-1C0A-45A2-81CC-1DD342D0A478}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A661D4DC-4BD8-48FC-964B-A24AB8157DE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5731AB1-8566-4441-AEFB-9AFB2EEA63D9}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\RadioRage_4j
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Mozilla Firefox v19.0 (en-US)

[ File : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\prefs.js ]

Line Deleted : user_pref("CT3279415.FF19Solved", "true");
Line Deleted : user_pref("CT3279415.UserID", "UN19129399441273304");
Line Deleted : user_pref("CT3279415.addressUrlXPETakeover", "true");
Line Deleted : user_pref("CT3279415.autoDisableScopes", 0);
Line Deleted : user_pref("CT3279415.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3279415.defaultSearchXPETakeover", "true");
Line Deleted : user_pref("CT3279415.fullUserID", "UN19129399441273304.IN.2013063031324");
Line Deleted : user_pref("CT3279415.installDate", "30/06/2013 3:13:23");
Line Deleted : user_pref("CT3279415.installSessionId", "{BDA88354-ECF8-4E88-A782-3B43812DE4A7}");
Line Deleted : user_pref("CT3279415.installSp", "TRUE");
Line Deleted : user_pref("CT3279415.installerVersion", "1.5.4.1");
Line Deleted : user_pref("CT3279415.keyword", "true");
Line Deleted : user_pref("CT3279415.originalHomepage", "about:home");
Line Deleted : user_pref("CT3279415.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3279415.originalSearchEngine", "");
Line Deleted : user_pref("CT3279415.searchRevert", "false");
Line Deleted : user_pref("CT3279415.searchUserMode", "2");
Line Deleted : user_pref("CT3279415.smartbar.homepage", "true");
Line Deleted : user_pref("CT3279415.startPageXPETakeover", "true");
Line Deleted : user_pref("CT3279415.versionFromInstaller", "10.16.4.19");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "appbario16 Customized Web Search");
Line Deleted : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");
Line Deleted : user_pref("extentions.y2layers.defaultEnableAppsList", "PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,");
Line Deleted : user_pref("extentions.y2layers.installId", "ebdc91c5-079c-4400-a0af-2db967a641b1");
Line Deleted : user_pref("extentions.y2layers.lastDnsTest", 370955);
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3279415");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3279415");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3279415");
Line Deleted : user_pref("smartbar.machineId", "G0D2Z+61BXF3N1INIK1X6GFI44S5NAGGGEELVCC+DHLCNZWRQQSCZ9MPVONVBPN0BJXBBBDBP7EA+GR5OFUZSW");

-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url

[ File : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [12783 octets] - [28/08/2013 19:29:57]
AdwCleaner[R1].txt - [12844 octets] - [29/08/2013 22:42:47]
AdwCleaner[s0].txt - [12501 octets] - [29/08/2013 22:43:58]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [12562 octets] ##########

Now for the continuation of my comments. I am able to log on to OD in a normal fashion without the DOS screen popping up.

There is one thing, though, that I noticed in the ComboFix report under the supplementary scan, in the trusted zone:

Trusted Zone: chatropolis.com\cs12
Trusted Zone: chatrpolis.com\cs10

These should not be in the trusted zone. How do I fix that? Thank you again for all of your help!
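An added example for the Trusted Zone question above; this is not part of the original thread and not a tool the forum's helpers prescribed. ComboFix reports those "Trusted Zone: domain\host" lines from Internet Explorer's ZoneMap in the registry: under `...\Internet Settings\ZoneMap\Domains` each domain key (with an optional host subkey such as `cs12`) holds one value per scheme (`http`, `https` or `*`) whose DWORD is the zone number, and 2 is Trusted sites. The PowerShell below lists every such mapping in both the user and machine hives and removes one domain key. The domain in the usage line is the one from the ComboFix excerpt; the function names and the `$ZoneNames` table are my own, and the registry layout is assumed to be the standard one.

```powershell
# Added example (not from the thread): audit and clean IE "Trusted sites" ZoneMap entries.
# Assumes the standard layout
#   <hive>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
# where each value name is a scheme ("http", "https", "*") and its DWORD is the zone id.

$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

# Zone ids as IE uses them (my own lookup table, for readable output).
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneMapEntry {
    # Walk every domain key and host subkey in both hives and emit one object per scheme -> zone mapping.
    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            foreach ($scheme in $key.GetValueNames()) {
                $zone = [int]$key.GetValue($scheme)
                # $key.Name is the full path, e.g. HKEY_CURRENT_USER\...\Domains\chatropolis.com\cs12;
                # keep only the part after "Domains\" so it reads like the ComboFix line.
                $entry = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
                New-Object PSObject -Property @{
                    Hive     = $root.Split(':')[0]
                    Entry    = $entry
                    Scheme   = $scheme
                    Zone     = $zone
                    ZoneName = $ZoneNames[$zone]
                }
            }
        }
    }
}

function Remove-IEZoneMapDomain {
    # Delete the whole domain key (including host subkeys) from every hive where it exists.
    # Removing HKLM entries needs an elevated prompt.
    param([Parameter(Mandatory = $true)][string]$Domain)
    foreach ($root in $ZoneMapRoots) {
        $path = Join-Path -Path $root -ChildPath $Domain
        if (Test-Path $path) {
            Remove-Item -Path $path -Recurse -Force
            Write-Output "Removed $path"
        }
    }
}

# Usage: show only what is currently mapped to Trusted sites (zone 2), then remove the
# domain ComboFix flagged. The second line is commented out so the audit runs read-only by default.
Get-IEZoneMapEntry | Where-Object { $_.Zone -eq 2 } | Format-Table Hive, Entry, Scheme, ZoneName -AutoSize
# Remove-IEZoneMapDomain -Domain 'chatropolis.com'
```

Two caveats worth knowing before trusting the output: if the `Security_HKLM_only` policy value is set under `HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings`, IE honours only the HKLM branch, so an entry that looks removed from HKCU may still be live; and the same adware that added the zone entries usually re-adds them on next run, so clean the ZoneMap only after the toolbar and BHO components in the AdwCleaner log above are gone.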
  4. Ran the ComboFix. Here is the log. Did not have the warning sign. I do need to browse on what I think are safe sites to get some local info, so I am turning the antivirus/AVG security back on.

******
ComboFix 13-08-28.02 - od 08/27/2013 23:16:44.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.983 [GMT -7:00]
Running from: c:\users\od\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\RadioRage_4j
c:\program files\RadioRage_4j\bar\1.bin\4jbarsvc.exe
c:\program files\RadioRage_4j\bar\1.bin\4jbrmon.exe
c:\program files\RadioRage_4j\bar\1.bin\4jSrchMn.exe
c:\program files\RadioRage_4j\bar\1.bin\BOOTSTRAP.JS
c:\program files\RadioRage_4j\bar\1.bin\CHROME.MANIFEST
c:\program files\RadioRage_4j\bar\1.bin\INSTALL.RDF
c:\program files\RadioRage_4j\bar\1.bin\LOGO.BMP
c:\program files\RadioRage_4j\bar\1.bin\T8RES.DLL
c:\users\Test\FRST.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\5142874a43f06635.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\7df74c042f504fad.fb
c:\windows\system32\Cache\a4c5e725589b342d.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\aa3e8c0b95e00f5a.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\add035168815d9eb.fb
c:\windows\system32\Cache\b62ff061e7da00f5.fb
c:\windows\system32\Cache\beb06e9fa40e2201.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\e1ebcc1892aa776d.fb
c:\windows\system32\Cache\eb6556dbbaf6672c.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
((((((((((((((((((((((((( Files Created from 2013-07-28 to 2013-08-28 )))))))))))))))))))))))))))))))
.
.
2013-08-20 23:30 . 2013-08-22 20:54 -------- d-----w- C:\FRST
2013-08-20 10:42 . 2013-08-20 10:42 -------- d-----w- c:\users\Test\AppData\Local\WinZip
2013-08-20 09:44 . 2013-08-28 05:51 -------- d-----w- c:\program files\MyPC Backup
2013-08-20 09:43 . 2013-08-25 08:01 -------- d-----w- c:\program files\SearchProtect
2013-08-14 03:38 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 03:38 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 03:38 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 03:38 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 03:38 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 03:38 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 03:38 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 03:38 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 03:37 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 03:37 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 03:37 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 03:37 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-20 08:51 . 2013-07-20 08:51 246072 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-07-20 08:50 . 2013-07-20 08:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-07-20 08:50 . 2013-07-20 08:50 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-20 08:50 . 2013-07-20 08:50 171320 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-07-10 08:32 . 2013-07-10 08:32 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-07-10 05:01 . 2012-04-30 00:16 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-10 05:01 . 2011-05-27 22:42 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-01 08:45 . 2013-07-01 08:45 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-06-04 01:50 . 2013-07-10 04:10 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06 . 2013-07-10 04:10 505344 ----a-w- c:\windows\system32\qedit.dll
2013-02-27 10:15 . 2013-02-27 10:15 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-19 11:43 . 2013-02-27 10:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn11\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
"SansaDispatch"="c:\users\od\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-01-02 79872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2008-06-12 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-19 30192]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-07-01 4411440]
.
c:\users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe main [2010-10-13 2392064]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe -det [2008-6-3 413696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-11 984352]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-1-15 685936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4064688261-3020506512-3484179790-1000] "EnableNotificationsRef"=dword:00000001 . --- Other Services/Drivers In Memory --- . *Deregistered* - MBAMSwissArmy *Deregistered* - TrueSight . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2013-08-22 15:37 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe . Contents of the 'Scheduled Tasks' folder . 2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:00] . 2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:00] . 2013-08-24 c:\windows\Tasks\HPCeeScheduleForJim.job - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-28 03:03] . 2013-08-18 c:\windows\Tasks\HPCeeScheduleForod.job - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-28 03:03] . . ------- Supplementary Scan ------- . 
Trusted Zone: chatropolis.com\cs12 Trusted Zone: chatrpolis.com\cs10 Trusted Zone: intuit.com\accounts Trusted Zone: intuit.com\ttlc Trusted Zone: microsoft.com\www.update Trusted Zone: real.com\rhap-app-4-0 Trusted Zone: real.com\rhapreg Trusted Zone: rhapsody.com\rhap-app-4-0 Trusted Zone: rhapsody.com\rhapreg TCP: DhcpNameServer = 24.113.32.29 24.113.32.30 24.113.0.30 FF - ProfilePath - c:\users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\ FF - prefs.js: browser.search.selectedEngine - appbario16 Customized Web Search FF - ExtSQL: !HIDDEN! 2009-09-02 03:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - ExtSQL: !HIDDEN! 2010-03-12 04:19; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, ebdc91c5-079c-4400-a0af-2db967a641b1 FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal, . - - - - ORPHANS REMOVED - - - - . WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) HKLM-Run-hpqSRMon - (no file) SafeBoot-WudfPf SafeBoot-WudfRd AddRemove-WinZip Packages - c:\users\od\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q\WinZip Packages\uninstaller.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-08-27 23:26 Windows 6.0.6002 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . HKCU\Software\Microsoft\Windows\CurrentVersion\Run SansaDispatch = c:\users\od\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe?on%2fSansaDispatch_1_011.txt&certificate-url=https%3a%2f%2ff?ible-me . scanning hidden files ... . scan completed successfully hidden files: 0 . 
************************************************************************** . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}] "ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2013-08-27 23:28:28 ComboFix-quarantined-files.txt 2013-08-28 06:28 . Pre-Run: 156,167,000,064 bytes free Post-Run: 156,155,584,512 bytes free . - - End Of File - - EA5AB09859F19CA9C68CBBB685552600 81CD5EC01DB0CE57EDD853F82462EF27
  5. Thank you, MrC. I will try this. Sorry I didn't respond within a reasonable amount of time. Real life issues prevented me from getting to my computer. I will do my best to shut all down and reboot. Will let you know what happened as soon as possible.
  6. Here is the report.
***
RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/25/2013 20:52:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08252013_205201.txt >>
RKreport[0]_D_08232013_161223.txt;RKreport[0]_D_08232013_191518.txt;RKreport[0]_S_08222013_185930.txt
RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt;RKreport[0]_S_08222013_194408.txt
RKreport[0]_S_08232013_160229.txt;RKreport[0]_S_08232013_162959.txt;RKreport[0]_S_08232013_185313.txt
RKreport[0]_S_08232013_191427.txt;RKreport[0]_S_08252013_004805.txt
  7. Okay.. when I typed explorer and hit enter the od screen came up, all seemed normal.. with the message that my previous IE session was interrupted and did I want to continue... I said "no". I'll just shut this login down until I hear back from you, MrC. Should I do the rstrui in the DOS box when I enter again or should I try to run RogueKiller from this login? Thank you again! I can at least copy my emails now!
  8. Okay, will try.. have spent the day doing roundabout ways of backing up files in case this restore just does not work and I crash. So, am trying it now. If you don't hear from me for a while you'll know I'm having troubles.
  9. I ran it and rebooted. Still cannot access User OD. And I want to be clear.... I click on that login.. I get the welcome screen, then a black full screen with a box about one third the size of the space of the screen. That box contains the DOS prompt. Also, I'm still getting warnings that my Windows Security Center is turned off.
  10. I'm assessing the Jim login now.. I ran RogueKiller there. It seems to be the same results as when I cleared from the Test account. Here is the report in case I'm wrong.
RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/23/2013 18:53:13
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08232013_185313.txt >>
RKreport[0]_D_08232013_161223.txt;RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt
RKreport[0]_S_08222013_193419.txt;RKreport[0]_S_08222013_194408.txt;RKreport[0]_S_08232013_160229.txt
RKreport[0]_S_08232013_162959.txt
  11. I'm assuming you mean in the file description in the box to the right. I find no auto runs.
  12. No, I still cannot access that account. It takes me to the DOS prompt. There is no message, just the system32> prompt. If you can get me in there through typing iexplorer something something, like I was able to before when I had this issue, I can probably run it from there. Thank you.
  13. I did as you said and deleted the file (there was only one). I rebooted and reran RogueKiller and that file was gone. I'll attach the report I ran afterwards. It was odd, after I shut down the test account I had to wait for RogueKiller to shut down.. so I went away from the computer and when I came back the user Jim account was up and running... This was the first account I went to when user OD got infected.. then it jumped to Jim so I switched to test user. So I can get into both of those but when I go to the OD account I get sent to the DOS screen, though there are no messages, just the system32 prompt. Maybe I didn't correctly follow your instructions. Here is the log file I ran after the delete and reboot.
*****
RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Remove -- Date : 08/23/2013 16:12:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED
[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\od\AppData\Local\Temp\nghynqbcqlsfogvga.exe") -> REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_D_08232013_161223.txt >>
RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt
RKreport[0]_S_08222013_194408.txt;RKreport[0]_S_08232013_160229.txt

Thanks for all of the progress and time you are making and taking!