
theaerogeek

  1. Done and done! Thanks a bunch for helping me out with this. Don't take this the wrong way, but hopefully our paths don't cross in the future. That would mean I'm stayin' clean! TheAeroGeek
  2. Seems to be OK now. Thanks for your help! I believe I'm good to go now.
  3. It looks like it didn't run properly???
     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-11-2014 03
     Ran by MNCWarner at 2014-11-16 19:50:43 Run:4
     Running from C:\Users\MNCWarner\Downloads
     Loaded Profile: MNCWarner (Available profiles: MNCWarner & DefaultAppPool)
     Boot Mode: Normal
     ==============================================
     Content of fixlist:
     *****************
     cmd: copy c:\Qoobox\Quarantine\Registry_backups\SafeBoot-Symantec Antvirus.reg.dat c:\users\MNCWarner\Desktop\fix.reg
     *****************
     ========= copy c:\Qoobox\Quarantine\Registry_backups\SafeBoot-Symantec Antvirus.reg.dat c:\users\MNCWarner\Desktop\fix.reg =========
     The system cannot find the file specified.
     ========= End of CMD: =========
     ==== End of Fixlog ====
  4. OK - here it is. Thanks!
     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-11-2014 03
     Ran by MNCWarner at 2014-11-16 17:14:16 Run:3
     Running from C:\Users\MNCWarner\Downloads
     Loaded Profile: MNCWarner (Available profiles: MNCWarner & DefaultAppPool)
     Boot Mode: Normal
     ==============================================
     Content of fixlist:
     *****************
     Folder: c:\Qoobox\Quarantine\Registry_backups
     *****************
     ========================= Folder: c:\Qoobox\Quarantine\Registry_backups ========================
     2014-11-13 19:14 - 2014-11-13 19:14 - 0000377 _____ () c:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
     2014-11-13 19:15 - 2014-11-13 19:15 - 0000080 _____ () c:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
     2014-11-13 19:14 - 2014-11-13 19:14 - 0000582 _____ () c:\Qoobox\Quarantine\Registry_backups\SafeBoot-Symantec Antvirus.reg.dat
     2014-11-13 18:48 - 2014-11-13 19:25 - 0042398 _____ () c:\Qoobox\Quarantine\Registry_backups\tcpip.reg
     2014-11-13 19:13 - 2014-11-13 19:13 - 0000196 _____ () c:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-Adobe Reader Speed Launcher.reg.dat
     2014-11-13 19:13 - 2014-11-13 19:13 - 0000314 _____ () c:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-Propel Accelerator Setup.reg.dat
     2014-11-13 19:13 - 2014-11-13 19:13 - 0000314 _____ () c:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-Propel Accelerator.reg.dat
     ====== End of Folder: ======
     ==== End of Fixlog ====
  5. OK - there is a wee bit of weirdness going on. First, after my previous post, I noticed that Symantec did not start/auto run upon boot up. I had to manually start it up. I ran a full scan as instructed and it found about half a dozen "tracking cookies" and deleted them. I suppose that's OK? MBAM also made me aware of blocked incoming web traffic shown below:
     Detection, 11/16/2014 8:45:19 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.143, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 11/16/2014 8:45:19 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.143, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 11/16/2014 9:05:35 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.245, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 11/16/2014 9:05:35 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.245, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 11/16/2014 9:05:35 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.245, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 11/16/2014 9:05:35 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.245, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 11/16/2014 9:05:35 AM, SYSTEM, MNCWARNER-HP, Protection, Malicious Website Protection, IP, 60.173.11.245, 9064, Inbound, C:\Windows\System32\svchost.exe,
     Update, 11/16/2014 9:11:10 AM, SYSTEM, MNCWARNER-HP, Scheduler, Malware Database, 2014.11.15.9, 2014.11.16.2,
     I guess that is MBAM doing its job? Besides that, all seems OK. My only worry at this point is why Symantec didn't start upon boot up like it always has. Was something deleted with AdwCleaner? Thanks for the continued assistance!
  6. Computer seems like has been good to go since the combofix run with fixlist. OK - Java is updated. Here is the AdwCleaner log file:
     # AdwCleaner v4.101 - Report created 15/11/2014 at 07:53:21
     # Updated 09/11/2014 by Xplode
     # Database : 2014-11-07.1 [Local]
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : MNCWarner - MNCWARNER-HP
     # Running from : C:\Users\MNCWarner\Downloads\AdwCleaner(1).exe
     # Option : Clean
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     File Deleted : C:\Users\Public\Desktop\eBay.lnk
     ***** [ Scheduled Tasks ] *****
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
     Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
     Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
     Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.3
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\yourtango.com
     ***** [ Browsers ] *****
     -\\ Internet Explorer v9.0.8112.16561
     -\\ Mozilla Firefox v32.0.3 (x86 en-US)
     *************************
     AdwCleaner[R0].txt - [2933 octets] - [14/11/2014 15:55:34]
     AdwCleaner[R1].txt - [2993 octets] - [15/11/2014 07:47:26]
     AdwCleaner[s0].txt - [2581 octets] - [15/11/2014 07:53:21]
     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2641 octets] ##########
     Because the original issue nearly caused me to go over my monthly data limit (I know - that's a whine and yes monthly data limits are so quaint) - does the ESET use a large amount of data? Seems like it would. Do you know? If so, I will need to find a different means to run that - but here's the AdwCleaner anyway for now. Thanks!
  7. Here are the logs of AdwCleaner and MBAM.
     AdwCleaner:
     # AdwCleaner v4.101 - Report created 14/11/2014 at 15:55:34
     # Updated 09/11/2014 by Xplode
     # Database : 2014-11-07.1 [Local]
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : MNCWarner - MNCWARNER-HP
     # Running from : C:\Users\MNCWarner\Downloads\AdwCleaner(1).exe
     # Option : Scan
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     File Found : C:\Users\Public\Desktop\eBay.lnk
     ***** [ Scheduled Tasks ] *****
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
     Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\yourtango.com
     Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
     Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
     Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
     Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
     Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.3
     Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
     ***** [ Browsers ] *****
     -\\ Internet Explorer v9.0.8112.16561
     -\\ Mozilla Firefox v32.0.3 (x86 en-US)
     *************************
     AdwCleaner[R0].txt - [2749 octets] - [14/11/2014 15:55:34]
     ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2809 octets] ##########
     And MBAM:
     Malwarebytes Anti-Malware
     www.malwarebytes.org
     Scan Date: 11/14/2014
     Scan Time: 4:19:04 PM
     Logfile:
     Administrator: Yes
     Version: 2.00.3.1025
     Malware Database: v2014.11.14.08
     Rootkit Database: v2014.11.12.01
     License: Trial
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: MNCWarner
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 418855
     Time Elapsed: 19 min, 34 sec
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled
     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)
     Files: 0 (No malicious items detected)
     Physical Sectors: 0 (No malicious items detected)
     (end)
     Thanks a bunch!
     AdwCleanerR0.txt mbam-log-2014-11-14 (16-19-04).txt
  8. OK - ran combo fix and log file is attached. It was odd that when it was done, Symantec Antivirus and AntiSpyware was already turned on; Proactive Threat was still off. I assume that is OK? Thanks for the continued help! ComboFix.txt
  9. Run as instructed. It required a reboot after it ran and I did that. fixlog.txt attached. Thank you! Fixlog.txt
  10. Having a similar problem as many of the rest. dllhost.exe *32 replicating, malwarebytes blocking 95.215.1.57, etc. Attached are FRST.txt and addition.txt. Thank You! Mike FRST.txt Addition.txt