ICE virus w/ Malware and Hitman expired HELP!

Okay... when I typed explorer and hit enter, the od screen came up and all seemed normal, with the message that my previous IE session was interrupted and did I want to continue... I said "no". I'll just shut this login down until I hear back from you, MrC. Should I do the rstrui in the DOS box when I enter again, or should I try to run RogueKiller from this login? Thank you again! I can at least copy my emails now!

Here is the report.

 

***

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/25/2013 20:52:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08252013_205201.txt >>
RKreport[0]_D_08232013_161223.txt;RKreport[0]_D_08232013_191518.txt;RKreport[0]_S_08222013_185930.txt
RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt;RKreport[0]_S_08222013_194408.txt
RKreport[0]_S_08232013_160229.txt;RKreport[0]_S_08232013_162959.txt;RKreport[0]_S_08232013_185313.txt
RKreport[0]_S_08232013_191427.txt;RKreport[0]_S_08252013_004805.txt

That looks OK; it sounds like explorer isn't running.

See if you can run ComboFix.....

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC

Ran the ComboFix... here is the log... did not have the warning sign... I do need to browse on what I think are safe sites to get some local info, so I am turning back on the antivirus/AVG security.

 

******

 

ComboFix 13-08-28.02 - od 08/27/2013  23:16:44.1.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.1918.983 [GMT -7:00]
Running from: c:\users\od\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\RadioRage_4j
c:\program files\RadioRage_4j\bar\1.bin\4jbarsvc.exe
c:\program files\RadioRage_4j\bar\1.bin\4jbrmon.exe
c:\program files\RadioRage_4j\bar\1.bin\4jSrchMn.exe
c:\program files\RadioRage_4j\bar\1.bin\BOOTSTRAP.JS
c:\program files\RadioRage_4j\bar\1.bin\CHROME.MANIFEST
c:\program files\RadioRage_4j\bar\1.bin\INSTALL.RDF
c:\program files\RadioRage_4j\bar\1.bin\LOGO.BMP
c:\program files\RadioRage_4j\bar\1.bin\T8RES.DLL
c:\users\Test\FRST.exe
c:\windows\system32\Cache
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-28 to 2013-08-28  )))))))))))))))))))))))))))))))
.
.
2013-08-20 23:30 . 2013-08-22 20:54 -------- d-----w- C:\FRST
2013-08-20 10:42 . 2013-08-20 10:42 -------- d-----w- c:\users\Test\AppData\Local\WinZip
2013-08-20 09:44 . 2013-08-28 05:51 -------- d-----w- c:\program files\MyPC Backup
2013-08-20 09:43 . 2013-08-25 08:01 -------- d-----w- c:\program files\SearchProtect
2013-08-14 03:38 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 03:38 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 03:38 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 03:38 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 03:38 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 03:38 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 03:38 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 03:38 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 03:37 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 03:37 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 03:37 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 03:37 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-20 08:51 . 2013-07-20 08:51 246072 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-07-20 08:50 . 2013-07-20 08:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-07-20 08:50 . 2013-07-20 08:50 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-20 08:50 . 2013-07-20 08:50 171320 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-07-10 08:32 . 2013-07-10 08:32 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-07-10 05:01 . 2012-04-30 00:16 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-10 05:01 . 2011-05-27 22:42 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-01 08:45 . 2013-07-01 08:45 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-06-04 01:50 . 2013-07-10 04:10 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06 . 2013-07-10 04:10 505344 ----a-w- c:\windows\system32\qedit.dll
2013-02-27 10:15 . 2013-02-27 10:15 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-19 11:43 . 2013-02-27 10:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn11\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
"SansaDispatch"="c:\users\od\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-01-02 79872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2008-06-12 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-19 30192]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-07-01 4411440]
.
c:\users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe main [2010-10-13 2392064]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe -det [2008-6-3 413696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-11 984352]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-1-15 685936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4064688261-3020506512-3484179790-1000]
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMSwissArmy
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-22 15:37 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:00]
.
2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:00]
.
2013-08-24 c:\windows\Tasks\HPCeeScheduleForJim.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-28 03:03]
.
2013-08-18 c:\windows\Tasks\HPCeeScheduleForod.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-28 03:03]
.
.
------- Supplementary Scan -------
.


Trusted Zone: chatropolis.com\cs12
Trusted Zone: chatrpolis.com\cs10
Trusted Zone: intuit.com\accounts
Trusted Zone: intuit.com\ttlc
Trusted Zone: microsoft.com\www.update
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: rhapsody.com\rhap-app-4-0
Trusted Zone: rhapsody.com\rhapreg
TCP: DhcpNameServer = 24.113.32.29 24.113.32.30 24.113.0.30
FF - ProfilePath - c:\users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\

FF - prefs.js: browser.search.selectedEngine - appbario16 Customized Web Search


FF - ExtSQL: !HIDDEN! 2009-09-02 03:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2010-03-12 04:19; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, ebdc91c5-079c-4400-a0af-2db967a641b1
FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-hpqSRMon - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-WinZip Packages - c:\users\od\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q\WinZip Packages\uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-27 23:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  SansaDispatch = c:\users\od\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe?on%2fSansaDispatch_1_011.txt&certificate-url=https%3a%2f%2ff?ible-me
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-08-27  23:28:28
ComboFix-quarantined-files.txt  2013-08-28 06:28
.
Pre-Run: 156,167,000,064 bytes free
Post-Run: 156,155,584,512 bytes free
.
- - End Of File - - EA5AB09859F19CA9C68CBBB685552600
81CD5EC01DB0CE57EDD853F82462EF27

Let's clean out any adware while you're here:

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.
If you agree with everything listed to be removed in the folders section...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC

Here are the two reports from AdwCleaner... I did run Clean... there was just one process discovered, and the first scan took less than a minute... more to follow after the report posts...

 

*****

 

# AdwCleaner v3.001 - Report created 28/08/2013 at 19:29:57
# Updated 24/08/2013 by Xplode
# Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
# Username : od - OD-PC
# Running from : C:\Users\od\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : RadioRage_4jService

***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\plugin@yontoo.com.xpi
File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\searchplugins\Conduit.xml
File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\user.js
File Found : C:\Windows\system32\roboot.exe
Folder Found : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
Folder Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\{5373a31d-9410-45e2-b299-4f61428f0be4}
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\Yontoo Layers Runtime
Folder Found C:\ProgramData\Tarma Installer
Folder Found C:\Users\Jim\AppData\LocalLow\AVG Secure Search
Folder Found C:\Users\Jim\AppData\LocalLow\AVG Security Toolbar
Folder Found C:\Users\od\AppData\Local\Conduit
Folder Found C:\Users\od\AppData\Local\cre
Folder Found C:\Users\od\AppData\Local\visi_coupon
Folder Found C:\Users\od\AppData\LocalLow\Conduit
Folder Found C:\Users\od\AppData\LocalLow\PriceGong
Folder Found C:\Users\od\AppData\Roaming\file scout
Folder Found C:\Users\od\AppData\Roaming\iWin
Folder Found C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
Folder Found C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\CT3279415
Folder Found C:\Users\od\AppData\Roaming\PerformerSoft
Folder Found C:\Users\od\AppData\Roaming\SpeedAnalysis2

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\RadioRage_4j
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
Key Found : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
Key Found : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5C9CB1C-1C0A-45A2-81CC-1DD342D0A478}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A661D4DC-4BD8-48FC-964B-A24AB8157DE6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5731AB1-8566-4441-AEFB-9AFB2EEA63D9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F706E19B-6C14-4272-BA98-2F16636A898D}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@RadioRage_4j.com/Plugin
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Mozilla Firefox v19.0 (en-US)

[ File : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\prefs.js ]

Line Found : user_pref("CT3279415.FF19Solved", "true");
Line Found : user_pref("CT3279415.UserID", "UN19129399441273304");
Line Found : user_pref("CT3279415.addressUrlXPETakeover", "true");
Line Found : user_pref("CT3279415.autoDisableScopes", 0);
Line Found : user_pref("CT3279415.browser.search.defaultthis.engineName", "true");
Line Found : user_pref("CT3279415.defaultSearchXPETakeover", "true");
Line Found : user_pref("CT3279415.fullUserID", "UN19129399441273304.IN.2013063031324");
Line Found : user_pref("CT3279415.installDate", "30/06/2013 3:13:23");
Line Found : user_pref("CT3279415.installSessionId", "{BDA88354-ECF8-4E88-A782-3B43812DE4A7}");
Line Found : user_pref("CT3279415.installSp", "TRUE");
Line Found : user_pref("CT3279415.installerVersion", "1.5.4.1");
Line Found : user_pref("CT3279415.keyword", "true");
Line Found : user_pref("CT3279415.originalHomepage", "about:home");
Line Found : user_pref("CT3279415.originalSearchAddressUrl", "");
Line Found : user_pref("CT3279415.originalSearchEngine", "");
Line Found : user_pref("CT3279415.searchRevert", "false");
Line Found : user_pref("CT3279415.searchUserMode", "2");
Line Found : user_pref("CT3279415.smartbar.homepage", "true");
Line Found : user_pref("CT3279415.startPageXPETakeover", "true");
Line Found : user_pref("CT3279415.versionFromInstaller", "10.16.4.19");
Line Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Found : user_pref("browser.search.defaultthis.engineName", "appbario16 Customized Web Search");

Line Found : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");

Line Found : user_pref("extentions.y2layers.defaultEnableAppsList", "PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,");
Line Found : user_pref("extentions.y2layers.installId", "ebdc91c5-079c-4400-a0af-2db967a641b1");
Line Found : user_pref("extentions.y2layers.lastDnsTest", 370955);

Line Found : user_pref("smartbar.addressBarOwnerCTID", "CT3279415");


Line Found : user_pref("smartbar.defaultSearchOwnerCTID", "CT3279415");
Line Found : user_pref("smartbar.homePageOwnerCTID", "CT3279415");
Line Found : user_pref("smartbar.machineId", "G0D2Z+61BXF3N1INIK1X6GFI44S5NAGGGEELVCC+DHLCNZWRQQSCZ9MPVONVBPN0BJXBBBDBP7EA+GR5OFUZSW");

-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup

[ File : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [12641 octets] - [28/08/2013 19:29:57]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [12702 octets] ##########

 

SECOND REPORT AFTER CLEANING...

 

******

# AdwCleaner v3.001 - Report created 29/08/2013 at 22:43:58
# Updated 24/08/2013 by Xplode
# Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
# Username : od - OD-PC
# Running from : C:\Users\od\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : RadioRage_4jService

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\MyPC Backup
Folder Deleted : C:\Program Files\Yontoo Layers Runtime
Folder Deleted : C:\Users\od\AppData\Local\Conduit
Folder Deleted : C:\Users\od\AppData\Local\cre
Folder Deleted : C:\Users\od\AppData\Local\visi_coupon
Folder Deleted : C:\Users\od\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\od\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\od\AppData\Roaming\file scout
Folder Deleted : C:\Users\od\AppData\Roaming\iWin
Folder Deleted : C:\Users\od\AppData\Roaming\PerformerSoft
Folder Deleted : C:\Users\od\AppData\Roaming\SpeedAnalysis2
Folder Deleted : C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
Folder Deleted : C:\Users\Jim\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Jim\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\CT3279415
Folder Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\{5373a31d-9410-45e2-b299-4f61428f0be4}
Folder Deleted : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
[!] Folder Deleted : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\plugin@yontoo.com.xpi
File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\system32\roboot.exe
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\searchplugins\Conduit.xml
File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\user.js

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@RadioRage_4j.com/Plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9638B7D6-11F5-4406-B387-327642A11FFB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F706E19B-6C14-4272-BA98-2F16636A898D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5C9CB1C-1C0A-45A2-81CC-1DD342D0A478}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A661D4DC-4BD8-48FC-964B-A24AB8157DE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5731AB1-8566-4441-AEFB-9AFB2EEA63D9}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\RadioRage_4j
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Mozilla Firefox v19.0 (en-US)

[ File : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\prefs.js ]

Line Deleted : user_pref("CT3279415.FF19Solved", "true");
Line Deleted : user_pref("CT3279415.UserID", "UN19129399441273304");
Line Deleted : user_pref("CT3279415.addressUrlXPETakeover", "true");
Line Deleted : user_pref("CT3279415.autoDisableScopes", 0);
Line Deleted : user_pref("CT3279415.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3279415.defaultSearchXPETakeover", "true");
Line Deleted : user_pref("CT3279415.fullUserID", "UN19129399441273304.IN.2013063031324");
Line Deleted : user_pref("CT3279415.installDate", "30/06/2013 3:13:23");
Line Deleted : user_pref("CT3279415.installSessionId", "{BDA88354-ECF8-4E88-A782-3B43812DE4A7}");
Line Deleted : user_pref("CT3279415.installSp", "TRUE");
Line Deleted : user_pref("CT3279415.installerVersion", "1.5.4.1");
Line Deleted : user_pref("CT3279415.keyword", "true");
Line Deleted : user_pref("CT3279415.originalHomepage", "about:home");
Line Deleted : user_pref("CT3279415.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3279415.originalSearchEngine", "");
Line Deleted : user_pref("CT3279415.searchRevert", "false");
Line Deleted : user_pref("CT3279415.searchUserMode", "2");
Line Deleted : user_pref("CT3279415.smartbar.homepage", "true");
Line Deleted : user_pref("CT3279415.startPageXPETakeover", "true");
Line Deleted : user_pref("CT3279415.versionFromInstaller", "10.16.4.19");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "appbario16 Customized Web Search");

Line Deleted : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");

Line Deleted : user_pref("extentions.y2layers.defaultEnableAppsList", "PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,");
Line Deleted : user_pref("extentions.y2layers.installId", "ebdc91c5-079c-4400-a0af-2db967a641b1");
Line Deleted : user_pref("extentions.y2layers.lastDnsTest", 370955);

Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3279415");


Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3279415");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3279415");
Line Deleted : user_pref("smartbar.machineId", "G0D2Z+61BXF3N1INIK1X6GFI44S5NAGGGEELVCC+DHLCNZWRQQSCZ9MPVONVBPN0BJXBBBDBP7EA+GR5OFUZSW");

-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url

[ File : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [12783 octets] - [28/08/2013 19:29:57]
AdwCleaner[R1].txt - [12844 octets] - [29/08/2013 22:42:47]
AdwCleaner[s0].txt - [12501 octets] - [29/08/2013 22:43:58]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [12562 octets] ##########

Now for the continuation of my comments.....

I am able to log on to OD in a normal fashion without the DOS screen popping up. There is one thing, though, that I noticed in the ComboFix report under the supplementary scan, in the trusted zone:

Trusted Zone: chatropolis.com\cs12
Trusted Zone: chatrpolis.com\cs10

... these should not be in the trusted zone. How do I fix that?

Thank you again for all of your help!

Trusted sites:

http://www.dummies.com/how-to/content/how-to-add-a-website-to-your-internet-explorer-tru.navId-397910.html

----------------------------

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
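As an added example (not from the thread, and not part of any tool used in it), the per-user registry data behind those "Trusted Zone:" lines can be listed and pruned from PowerShell instead of through the IE dialog; the ZoneMap layout described in the comments is Windows' standard one, and the `chatropolis.com` filter is just the host this thread found.

```powershell
# Added example, not from the thread. Lists Internet Explorer security-zone
# assignments for the current user and optionally removes one.
# Layout (standard Windows): ZoneMap\Domains\<domain>[\<host label>] holds a
# value named after the scheme ("http", "https" or "*") whose DWORD data is the
# zone: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.
# ComboFix's "Trusted Zone: chatropolis.com\cs12" therefore refers to the key
# Domains\chatropolis.com\cs12, i.e. the host cs12.chatropolis.com in zone 2.
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 0 = 'MyComputer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-IEZoneMapEntry {
    # Emits one object per scheme value; Site is rebuilt as host.domain from the key path.
    Get-ChildItem -Path $ZoneMap -Recurse | ForEach-Object {
        $key   = $_
        $rel   = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $site  = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($zone -isnot [int]) { continue }   # skip anything that is not a zone DWORD
            New-Object PSObject -Property @{
                Site     = $site
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
                Key      = $key.PSPath
            }
        }
    }
}

# 1. Audit: everything IE currently treats as a Trusted site for this user.
Get-IEZoneMapEntry | Where-Object { $_.Zone -eq 2 } |
    Select-Object Site, Scheme, ZoneName | Format-Table -AutoSize

# 2. Remediate: drop the mapping so the host falls back to the default Internet zone.
#    -WhatIf only reports what would be removed; take it off once the list above
#    contains exactly the entries you expect.
Get-IEZoneMapEntry |
    Where-Object { $_.Zone -eq 2 -and $_.Site -like '*chatropolis.com' } |
    ForEach-Object { Remove-Item -Path $_.Key -Recurse -WhatIf }
```

Run it from the same Windows account that shows the entries, since ZoneMap lives under HKCU; a second account (here Jim or Test) has its own list.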

I deleted the programs I did not want in the "Safe Zone". The SecurityCheck program seemed to run fine. No abort message. Here is the report.

********

Results of screen317's Security Check version 0.99.73 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG AntiVirus Free Edition 2013  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java 6 Update 22 
 Java SE Runtime Environment 6 Update 1
 Java 6 Update 3 
 Java 6 Update 7 
 Java version out of Date!
 Adobe Flash Player  11.6.602.171 
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox 19.0 Firefox out of Date! 
 Google Chrome 29.0.1547.57 
 Google Chrome 29.0.1547.62 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 AVG avgwdsvc.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please uninstall these and any other Java listed in your add/remove programs:

Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 3
Java™ 6 Update 7

Java version out of Date! <-------Download and install the latest version (Java™ 7 Update 25) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

--------------------------------------------------------

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

Mozilla Firefox 19.0 Firefox out of Date! <-----please check for an update if available

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:
Download the fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
That will delete the quarantine folder created by FRST.

-----------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc.... AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

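As an added example (not from the thread, and not Security Check's own code), the same "which Java builds are still installed" question can be answered from the Add/Remove Programs registry keys in PowerShell, so none of the side-by-side Java 6 builds listed above is missed; the version-string formats it assumes are noted in the comments.

```powershell
# Added example, not from the thread. Enumerates Add/Remove Programs entries
# straight from the registry and flags every Java runtime, so stale side-by-side
# builds like the three Java 6 updates Security Check listed are all caught.
# Assumptions: the standard Uninstall key layout (DisplayName/DisplayVersion/
# UninstallString), and Java's DisplayVersion formats "1.6.0.xx" (Java 6) and
# "7.0.xx" (Java 7); "current" here means the Java 7 line the thread points at.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 64-bit hosts only
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProgram {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName) {
                New-Object PSObject -Property @{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    Key             = $_.PSPath
                }
            }
        }
    }
}

function Get-JavaMajor([string]$DisplayVersion) {
    # "1.6.0.70" -> 6 ; "7.0.250" -> 7 ; anything unparsable -> $null
    try { $v = [version]$DisplayVersion } catch { return $null }
    if ($v.Major -eq 1) { $v.Minor } else { $v.Major }
}

# Every Java entry, tagged with its major release and whether it predates Java 7.
$java = Get-InstalledProgram | Where-Object { $_.Name -match '^Java' } | ForEach-Object {
    $major = Get-JavaMajor $_.Version
    $_ | Add-Member -MemberType NoteProperty -Name Major -Value $major -PassThru |
         Add-Member -MemberType NoteProperty -Name Outdated -Value (($null -ne $major) -and ($major -lt 7)) -PassThru
}
$java | Sort-Object Major | Format-Table Name, Version, Major, Outdated -AutoSize

# Uninstall strings for the stale ones (MSI installs look like "MsiExec.exe /X{GUID}").
# Review them, then run each by hand rather than piping the list blindly.
$java | Where-Object { $_.Outdated } | Select-Object -ExpandProperty UninstallString
```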