
Need help removing a redirect selfrelocating virus



Hey, I was wondering if you guys could help me remove this virus so I won't have to wait a couple weeks for someone else to do it. Being a CET major I would rather do this myself anyway, but I can't seem to get it to work. I have a virus that initially was just simply redirecting any page I tried in Firefox to either a Yahoo page to look up the URL, or some other fake web search that I forgot the name of. For some reason Internet Explorer wasn't affected. I looked online for help for this and followed the steps (http://malwaretips.com/blogs/remove-browser-redirect-virus/) but it would still reappear after restarting my laptop or even right after I scanned and removed it with Malwarebytes. Right now I can use Firefox but I am having problems with my addons and extensions not working right and I would like to know that my passwords are safe. The problem I have with my addons is that I can't remove any of them or add others like Adblocker and the RuneScape toolbar. Even going into the profile folder that Firefox uses and deleting all the extension and addon files, it still loads the same ones every time.


Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

ShortcutCleaner

Please download this file to your desktop and run it: http://www.bleepingcomputer.com/download/shortcut-cleaner/
It will open up a log when finished - please post that up here.

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


sc cleaner:

Shortcut Cleaner 1.2.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows 7 Home Premium Service Pack 1
Program started at: 10/17/2013 09:56:48 AM.

Scanning for registry hijacks:

 * No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\Mom\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

Searching C:\Users\Public\Desktop\

Searching C:\Users\Mom\Desktop


0 bad shortcuts found.

Program finished at: 10/17/2013 09:56:49 AM
Execution time: 0 hours(s), 0 minute(s), and 0 seconds(s)
 

dds.txt:

DS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.45.2
Run by Mom at 9:36:30 on 2013-10-17
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7863.5555 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
C:\windows\system32\Dwm.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\windows\Explorer.EXE
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\ConceptDraw Office 2\Solution Browser\CDSBupd.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\ConceptDraw Office 2\Solution Browser\CDSBbln.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.


mWinlogon: Userinit = userinit.exe,
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [superAdBlocker] C:\Program Files (x86)\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [LiveSupport] "C:\Program Files (x86)\LiveSupport\LiveSupport.exe" /noshow /log
uRunOnce: [Report] \AdwCleaner\AdwCleaner[s1].txt
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [OOTag] C:\Program Files (x86)\Gateway\OOBEOffer\OOTag.exe
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
dRunOnce: [sPReview] "C:\windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\Mom\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RCADET~1.LNK - C:\Users\Mom\Documents\RCA Detective\RCADetective.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -




TCP: NameServer = 10.60.20.20 10.60.20.19 10.60.20.0
TCP: Interfaces\{8B8CBAD5-B1C0-4ACE-B587-AB83AF36F199} : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{95C7B04E-8E83-46E9-96A7-ED3C0FE32226} : DHCPNameServer = 10.60.20.20 10.60.20.19 10.60.20.0
TCP: Interfaces\{95C7B04E-8E83-46E9-96A7-ED3C0FE32226}\24162747C6569784F6D656 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{95C7B04E-8E83-46E9-96A7-ED3C0FE32226}\34C61627B6 : DHCPNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [ETDWare] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
x64-Run: [OOTag] C:\Program Files (x86)\Gateway\OOBEOffer\ootag.exe
x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\
FF - prefs.js: browser.search.selectedEngine - Bing

FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
FF - plugin: C:\windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-09-29 21:28; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\windows\System32\drivers\avgidsha.sys [2013-9-2 192824]
R0 Avgloga;AVG Logging Driver;C:\windows\System32\drivers\avgloga.sys [2013-9-2 294712]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\System32\drivers\avgmfx64.sys [2013-8-20 123704]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\System32\drivers\avgrkx64.sys [2013-9-8 31544]
R1 Avgdiska;AVG Disk Driver;C:\windows\System32\drivers\avgdiska.sys [2013-9-25 148792]
R1 AVGIDSDriver;AVGIDSDriver;C:\windows\System32\drivers\avgidsdrivera.sys [2013-9-2 241464]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\System32\drivers\avgldx64.sys [2013-9-2 212280]
R1 Avgtdia;AVG TDI Driver;C:\windows\System32\drivers\avgtdia.sys [2013-8-1 251192]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2013-10-3 3538480]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2013-9-25 301152]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-7-23 321104]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-12-30 868896]
R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-23 13336]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-9-22 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-9-22 701512]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-5-24 255744]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-10-9 3275136]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-23 2320920]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-7-23 243232]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\System32\drivers\HECIx64.sys [2010-7-23 56344]
R3 Impcd;Impcd;C:\windows\System32\drivers\Impcd.sys [2010-7-23 158976]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2010-7-23 271872]
R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\windows\System32\drivers\k57nd60a.sys [2010-5-15 384040]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2013-9-22 25928]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2013-10-1 2746704]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 ETD;ELAN PS/2 Port Input Device;C:\windows\System32\drivers\ETD.sys [2010-7-23 135560]
S3 mbamchameleon;mbamchameleon;C:\windows\System32\drivers\mbamchameleon.sys [2013-10-16 91352]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2013-10-2 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2010-7-23 246304]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\System32\drivers\rtl8192se.sys [2010-7-23 1108000]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2013-10-2 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-11-9 1255736]
.
=============== Created Last 30 ================
.
2013-10-16 20:17:49    91352    ----a-w-    C:\windows\System32\drivers\mbamchameleon.sys
2013-10-16 20:11:41    96168    ----a-w-    C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-09 20:01:42    --------    d-----w-    C:\ProgramData\LogMeIn
2013-10-09 14:58:02    4879744    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-09 14:58:02    4879744    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-02 22:18:05    --------    d-----w-    C:\windows\System32\MRT
2013-10-02 22:03:34    785512    ----a-w-    C:\windows\System32\drivers\Wdf01000.sys
2013-10-02 22:03:34    54376    ----a-w-    C:\windows\System32\drivers\WdfLdr.sys
2013-10-02 22:03:34    2560    ----a-w-    C:\windows\System32\drivers\en-US\wdf01000.sys.mui
2013-10-02 22:03:33    9728    ----a-w-    C:\windows\System32\Wdfres.dll
2013-10-02 21:49:24    9728    ---ha-w-    C:\windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-02 21:43:55    3072    ----a-w-    C:\windows\System32\drivers\en-US\tsusbflt.sys.mui
2013-10-02 21:16:44    46080    ----a-w-    C:\windows\System32\atmlib.dll
2013-10-02 21:16:44    34304    ----a-w-    C:\windows\SysWow64\atmlib.dll
2013-10-02 21:16:43    367616    ----a-w-    C:\windows\System32\atmfd.dll
2013-10-02 21:16:43    295424    ----a-w-    C:\windows\SysWow64\atmfd.dll
2013-10-02 21:15:18    87040    ----a-w-    C:\windows\System32\drivers\WUDFPf.sys
2013-10-02 21:15:18    84992    ----a-w-    C:\windows\System32\WUDFSvc.dll
2013-10-02 21:15:18    198656    ----a-w-    C:\windows\System32\drivers\WUDFRd.sys
2013-10-02 21:15:18    194048    ----a-w-    C:\windows\System32\WUDFPlatform.dll
2013-10-02 21:15:17    45056    ----a-w-    C:\windows\System32\WUDFCoinstaller.dll
2013-10-02 21:15:16    744448    ----a-w-    C:\windows\System32\WUDFx.dll
2013-10-02 21:15:16    229888    ----a-w-    C:\windows\System32\WUDFHost.exe
2013-10-02 20:50:00    2048    ----a-w-    C:\windows\SysWow64\tzres.dll
2013-10-02 20:50:00    2048    ----a-w-    C:\windows\System32\tzres.dll
2013-10-02 20:48:29    1930752    ----a-w-    C:\windows\System32\authui.dll
2013-10-02 20:47:59    96768    ----a-w-    C:\windows\SysWow64\sspicli.dll
2013-10-02 20:46:50    55296    ----a-w-    C:\windows\System32\dhcpcsvc6.dll
2013-10-02 20:45:28    1732608    ----a-w-    C:\Program Files\Windows Journal\NBDoc.DLL
2013-10-02 20:45:28    1393152    ----a-w-    C:\Program Files\Windows Journal\JNTFiltr.dll
2013-10-02 20:45:28    1367040    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-10-02 20:45:27    936448    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-10-02 20:45:27    1402880    ----a-w-    C:\Program Files\Windows Journal\JNWDRV.dll
2013-10-02 20:45:22    1656680    ----a-w-    C:\windows\System32\drivers\ntfs.sys
2013-10-02 20:45:13    2002432    ----a-w-    C:\windows\System32\msxml6.dll
2013-10-02 20:45:13    1882624    ----a-w-    C:\windows\System32\msxml3.dll
2013-10-02 20:45:12    983400    ----a-w-    C:\windows\System32\drivers\dxgkrnl.sys
2013-10-02 20:45:12    265064    ----a-w-    C:\windows\System32\drivers\dxgmms1.sys
2013-10-02 20:45:12    144384    ----a-w-    C:\windows\System32\cdd.dll
2013-10-02 20:45:12    1389568    ----a-w-    C:\windows\SysWow64\msxml6.dll
2013-10-02 20:45:12    1236992    ----a-w-    C:\windows\SysWow64\msxml3.dll
2013-10-02 20:38:31    1887232    ----a-w-    C:\windows\System32\d3d11.dll
2013-10-02 20:38:31    1505280    ----a-w-    C:\windows\SysWow64\d3d11.dll
2013-10-02 20:16:33    --------    d-----w-    C:\Program Files (x86)\LogMeIn Hamachi
2013-10-01 21:18:58    --------    d-----w-    C:\Users\Mom\AppData\Roaming\SearchProtect
2013-10-01 00:48:04    --------    d-----w-    C:\Program Files (x86)\ESET
2013-10-01 00:34:38    12872    ----a-w-    C:\windows\System32\bootdelete.exe
2013-09-30 18:39:32    5402832    ----a-w-    C:\ProgramData\pclunst.exe
2013-09-30 18:39:31    --------    d-----w-    C:\ProgramData\PC1Data
2013-09-30 18:39:31    --------    d-----w-    C:\ProgramData\PC Cleaners
2013-09-26 01:07:30    148792    ----a-w-    C:\windows\System32\drivers\avgdiska.sys
2013-09-23 21:21:44    --------    d-s---w-    C:\windows\SysWow64\Microsoft
2013-09-23 20:17:28    --------    d-----w-    C:\AdwCleaner
2013-09-23 19:58:50    --------    d-----w-    C:\ProgramData\HitmanPro
2013-09-23 19:27:43    --------    d-----w-    C:\Program Files (x86)\Free Download Manager
2013-09-22 22:19:40    --------    d-----w-    C:\Program Files\AVAST Software
2013-09-22 22:18:18    --------    d-----w-    C:\ProgramData\AVAST Software
2013-09-22 18:56:01    --------    d-----w-    C:\Users\Mom\AppData\Local\Programs
2013-09-22 18:55:20    --------    d-----w-    C:\Users\Mom\AppData\Roaming\Malwarebytes
2013-09-22 18:55:09    41272    ----a-w-    C:\windows\SysWow64\drivers\mbamswissarmy.sys
2013-09-22 18:55:08    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-09-22 18:55:05    25928    ----a-w-    C:\windows\System32\drivers\mbam.sys
2013-09-22 18:55:04    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-21 12:24:25    --------    d-----w-    C:\Program Files\Adblock Plus for IE
2013-09-21 12:11:16    --------    d-----w-    C:\ProgramData\Oracle
2013-09-20 20:56:29    --------    d-----w-    C:\Users\Mom\AppData\Roaming\AVG2014
2013-09-20 20:46:50    --------    d-----w-    C:\ProgramData\AVG2014
2013-09-20 20:13:06    --------    d-----w-    C:\Users\Mom\AppData\Local\Avg2014
.
==================== Find3M  ====================
.
2013-10-08 18:02:21    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-08 18:02:21    692616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2013-10-02 21:50:59    27648    ----a-w-    C:\windows\System32\licmgr10.dll
2013-10-02 21:49:24    5632    ---ha-w-    C:\windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-09-09 02:11:42    31544    ----a-w-    C:\windows\System32\drivers\avgrkx64.sys
2013-09-02 14:59:14    212280    ----a-w-    C:\windows\System32\drivers\avgldx64.sys
2013-09-02 14:29:18    294712    ----a-w-    C:\windows\System32\drivers\avgloga.sys
2013-09-02 14:26:50    192824    ----a-w-    C:\windows\System32\drivers\avgidsha.sys
2013-09-02 14:26:42    241464    ----a-w-    C:\windows\System32\drivers\avgidsdrivera.sys
2013-08-21 02:53:58    123704    ----a-w-    C:\windows\System32\drivers\avgmfx64.sys
2013-08-08 01:20:43    3155456    ----a-w-    C:\windows\System32\win32k.sys
2013-08-05 20:18:48    972712    ----a-w-    C:\windows\System32\deployJava1.dll
2013-08-05 20:18:48    1093032    ----a-w-    C:\windows\System32\npdeployJava1.dll
2013-08-05 20:18:48    108968    ----a-w-    C:\windows\System32\WindowsAccessBridge-64.dll
2013-08-05 02:25:45    155584    ----a-w-    C:\windows\System32\drivers\ataport.sys
2013-08-02 02:23:53    5550528    ----a-w-    C:\windows\System32\ntoskrnl.exe
2013-08-02 02:15:44    1732032    ----a-w-    C:\windows\System32\ntdll.dll
2013-08-02 02:15:03    362496    ----a-w-    C:\windows\System32\wow64win.dll
2013-08-02 02:15:03    243712    ----a-w-    C:\windows\System32\wow64.dll
2013-08-02 02:15:03    13312    ----a-w-    C:\windows\System32\wow64cpu.dll
2013-08-02 02:14:57    215040    ----a-w-    C:\windows\System32\winsrv.dll
2013-08-02 02:14:11    16384    ----a-w-    C:\windows\System32\ntvdm64.dll
2013-08-02 02:13:34    424448    ----a-w-    C:\windows\System32\KernelBase.dll
2013-08-02 01:59:30    3968960    ----a-w-    C:\windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30    3913664    ----a-w-    C:\windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23    1292192    ----a-w-    C:\windows\SysWow64\ntdll.dll
2013-08-02 01:50:42    5120    ----a-w-    C:\windows\SysWow64\wow32.dll
2013-08-02 01:50:42    274944    ----a-w-    C:\windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17    338432    ----a-w-    C:\windows\System32\conhost.exe
2013-08-02 00:59:09    112640    ----a-w-    C:\windows\System32\smss.exe
2013-08-02 00:45:37    25600    ----a-w-    C:\windows\SysWow64\setup16.exe
2013-08-02 00:45:36    14336    ----a-w-    C:\windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35    7680    ----a-w-    C:\windows\SysWow64\instnm.exe
2013-08-02 00:45:34    2048    ----a-w-    C:\windows\SysWow64\user.exe
2013-08-02 00:43:05    6144    ---ha-w-    C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-08-01 20:07:06    251192    ----a-w-    C:\windows\System32\drivers\avgtdia.sys
2013-07-25 09:25:54    1888768    ----a-w-    C:\windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27    1620992    ----a-w-    C:\windows\SysWow64\WMVDECOD.DLL
.
============= FINISH:  9:37:02.71 ===============
 

ark.txt:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-17 09:54:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB3O 298.09GB
Running: 8el8l2c4.exe; Driver: C:\Users\Mom\AppData\Local\Temp\kxlcypow.sys


---- Registry - GMER 2.1 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000c78334bd9                                                    
Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000c78334bd9@10f96f44519d                                       0x08 0x9C 0x91 0xEA ...
Reg   HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters@DhcpNameServer                                                         10.60.20.20 10.60.20.19 10.60.20.0
Reg   HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters@DhcpDomain                                                             inetonly.asheville.cc.nc.us
Reg   HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44A1DA0C-659A-4A7C-B748-DB2C72063FD8}@LeaseObtainedTime    1382017511
Reg   HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44A1DA0C-659A-4A7C-B748-DB2C72063FD8}@T1                   1382017638
Reg   HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44A1DA0C-659A-4A7C-B748-DB2C72063FD8}@T2                   1382017734
Reg   HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44A1DA0C-659A-4A7C-B748-DB2C72063FD8}@LeaseTerminatesTime  1382017766
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000c78334bd9 (not active ControlSet)                                
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000c78334bd9@10f96f44519d                                           0x08 0x9C 0x91 0xEA ...

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0                                                                                                          unknown MBR code

---- EOF - GMER 2.1 ----
 

Attach.txt


Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


combofix.txt:

ComboFix 13-10-16.02 - Mom 10/18/2013  12:29:06.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7863.5862 [GMT -4:00]
Running from: c:\users\Josh\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Josh\Documents\~WRL0904.tmp
c:\users\Josh\Documents\~WRL1635.tmp
c:\users\Josh\Documents\~WRL1709.tmp
c:\users\Josh\Documents\~WRL1837.tmp
c:\users\Josh\Documents\~WRL2501.tmp
c:\users\Josh\Documents\~WRL3472.tmp
c:\users\Josh\Documents\~WRL3869.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-18 to 2013-10-18  )))))))))))))))))))))))))))))))
.
.
2013-10-18 16:38 . 2013-10-18 16:38    --------    d-----w-    c:\users\Mom\AppData\Local\temp
2013-10-18 16:38 . 2013-10-18 16:38    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-10-16 20:17 . 2013-10-16 20:17    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-10-16 20:11 . 2013-10-08 11:50    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-09 20:01 . 2013-10-09 20:01    --------    d-----w-    c:\users\Josh\AppData\Local\LogMeIn
2013-10-09 20:01 . 2013-10-09 20:01    --------    d-----w-    c:\programdata\LogMeIn
2013-10-09 14:58 . 2013-10-09 14:58    4879744    ----a-w-    c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-09 14:58 . 2013-10-09 14:58    4879744    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-02 22:18 . 2013-10-02 22:22    --------    d-----w-    c:\windows\system32\MRT
2013-10-02 22:03 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-10-02 22:03 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-10-02 22:03 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-10-02 22:03 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-10-02 21:50 . 2013-10-02 21:50    97280    ----a-w-    c:\windows\system32\mshtmled.dll
2013-10-02 21:49 . 2013-10-02 21:49    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-02 21:43 . 2012-08-23 15:09    3072    ----a-w-    c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2013-10-02 21:16 . 2012-12-16 17:11    46080    ----a-w-    c:\windows\system32\atmlib.dll
2013-10-02 21:16 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2013-10-02 21:16 . 2012-12-16 14:45    367616    ----a-w-    c:\windows\system32\atmfd.dll
2013-10-02 21:16 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2013-10-02 21:15 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-10-02 21:15 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-10-02 21:15 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-10-02 21:15 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-10-02 21:15 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-10-02 21:15 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-10-02 21:15 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2013-10-02 20:50 . 2013-07-19 01:58    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-10-02 20:50 . 2013-07-19 01:41    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-10-02 20:48 . 2013-02-27 05:48    1930752    ----a-w-    c:\windows\system32\authui.dll
2013-10-02 20:47 . 2012-08-24 18:13    154480    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2013-10-02 20:46 . 2012-10-09 18:17    55296    ----a-w-    c:\windows\system32\dhcpcsvc6.dll
2013-10-02 20:45 . 2013-04-10 05:48    1732608    ----a-w-    c:\program files\Windows Journal\NBDoc.DLL
2013-10-02 20:45 . 2013-04-10 05:46    1393152    ----a-w-    c:\program files\Windows Journal\JNTFiltr.dll
2013-10-02 20:45 . 2013-04-10 05:46    1367040    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-10-02 20:45 . 2013-04-10 05:46    1402880    ----a-w-    c:\program files\Windows Journal\JNWDRV.dll
2013-10-02 20:45 . 2013-04-10 05:03    936448    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-10-02 20:45 . 2013-04-12 14:45    1656680    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-10-02 20:45 . 2012-11-01 05:43    2002432    ----a-w-    c:\windows\system32\msxml6.dll
2013-10-02 20:45 . 2012-11-01 05:43    1882624    ----a-w-    c:\windows\system32\msxml3.dll
2013-10-02 20:45 . 2013-04-10 06:01    265064    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-10-02 20:45 . 2013-04-10 06:01    983400    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-10-02 20:45 . 2012-11-01 04:47    1389568    ----a-w-    c:\windows\SysWow64\msxml6.dll
2013-10-02 20:45 . 2012-11-01 04:47    1236992    ----a-w-    c:\windows\SysWow64\msxml3.dll
2013-10-02 20:45 . 2011-02-03 11:25    144384    ----a-w-    c:\windows\system32\cdd.dll
2013-10-02 20:38 . 2013-04-25 23:30    1505280    ----a-w-    c:\windows\SysWow64\d3d11.dll
2013-10-02 20:38 . 2013-03-31 22:52    1887232    ----a-w-    c:\windows\system32\d3d11.dll
2013-10-02 20:16 . 2013-10-02 20:16    --------    d-----w-    c:\program files (x86)\LogMeIn Hamachi
2013-10-01 22:09 . 2013-10-01 22:09    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-10-01 22:09 . 2013-10-01 22:09    --------    d-----w-    c:\program files (x86)\Microsoft Silverlight
2013-10-01 21:18 . 2013-10-01 21:18    --------    d-----w-    c:\users\Mom\AppData\Roaming\SearchProtect
2013-10-01 01:43 . 2013-10-01 01:43    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-10-01 00:48 . 2013-10-01 00:48    --------    d-----w-    c:\program files (x86)\ESET
2013-10-01 00:34 . 2013-10-01 00:34    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-09-30 18:39 . 2013-09-30 18:38    5402832    ----a-w-    c:\programdata\pclunst.exe
2013-09-30 18:39 . 2013-10-14 23:43    --------    d-----w-    c:\programdata\PC Cleaners
2013-09-30 18:39 . 2013-09-30 18:39    --------    d-----w-    c:\programdata\PC1Data
2013-09-26 01:07 . 2013-09-26 01:07    148792    ----a-w-    c:\windows\system32\drivers\avgdiska.sys
2013-09-23 21:45 . 2013-09-23 21:45    --------    d-----w-    c:\program files (x86)\Common Files\Adobe
2013-09-23 21:21 . 2013-09-23 21:21    --------    d-s---w-    c:\windows\SysWow64\Microsoft
2013-09-23 21:01 . 2013-09-23 21:02    --------    d-----w-    c:\users\Josh\AppData\Roaming\Free Download Manager
2013-09-23 20:17 . 2013-10-01 00:39    --------    d-----w-    C:\AdwCleaner
2013-09-23 19:58 . 2013-09-23 20:09    --------    d-----w-    c:\programdata\HitmanPro
2013-09-23 19:27 . 2013-09-23 21:02    --------    d-----w-    c:\program files (x86)\Free Download Manager
2013-09-23 16:43 . 2013-09-23 16:43    --------    d-----w-    c:\users\Josh\AppData\Roaming\Malwarebytes
2013-09-22 22:21 . 2013-08-30 07:47    287840    ----a-w-    c:\windows\system32\aswBoot.exe
2013-09-22 22:19 . 2013-09-22 22:19    --------    d-----w-    c:\program files\AVAST Software
2013-09-22 22:18 . 2013-09-22 22:19    --------    d-----w-    c:\programdata\AVAST Software
2013-09-22 18:56 . 2013-09-22 18:56    --------    d-----w-    c:\users\Mom\AppData\Local\Programs
2013-09-22 18:55 . 2013-09-22 18:55    --------    d-----w-    c:\users\Mom\AppData\Roaming\Malwarebytes
2013-09-22 18:55 . 2011-07-06 23:52    41272    ----a-w-    c:\windows\SysWow64\drivers\mbamswissarmy.sys
2013-09-22 18:55 . 2013-09-22 18:55    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-22 18:55 . 2013-04-04 18:50    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-09-22 18:55 . 2013-09-22 18:56    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-21 12:24 . 2013-09-21 12:24    --------    d-----w-    c:\program files\Adblock Plus for IE
2013-09-21 12:11 . 2013-10-16 20:11    --------    d-----w-    c:\programdata\Oracle
2013-09-20 20:56 . 2013-09-20 20:56    --------    d-----w-    c:\users\Josh\AppData\Roaming\AVG2014
2013-09-20 20:56 . 2013-09-20 22:04    --------    d-----w-    c:\users\Josh\AppData\Local\Avg2014
2013-09-20 20:56 . 2013-09-20 20:56    --------    d-----w-    c:\users\Mom\AppData\Roaming\AVG2014
2013-09-20 20:46 . 2013-09-20 20:53    --------    d-----w-    c:\programdata\AVG2014
2013-09-20 20:13 . 2013-09-20 20:56    --------    d-----w-    c:\users\Mom\AppData\Local\Avg2014
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-08 18:02 . 2012-06-10 21:30    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-08 18:02 . 2011-11-14 18:07    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-02 21:01 . 2013-08-20 19:04    1075424    ----a-w-    c:\programdata\Microsoft\WDExpress\11.0\1033\ResourceCache.dll
2013-09-09 02:11 . 2013-09-09 02:11    31544    ----a-w-    c:\windows\system32\drivers\avgrkx64.sys
2013-09-02 14:59 . 2013-09-02 14:59    212280    ----a-w-    c:\windows\system32\drivers\avgldx64.sys
2013-09-02 14:29 . 2013-09-02 14:29    294712    ----a-w-    c:\windows\system32\drivers\avgloga.sys
2013-09-02 14:26 . 2013-09-02 14:26    192824    ----a-w-    c:\windows\system32\drivers\avgidsha.sys
2013-09-02 14:26 . 2013-09-02 14:26    241464    ----a-w-    c:\windows\system32\drivers\avgidsdrivera.sys
2013-09-01 21:08 . 2011-11-09 16:06    79143768    ----a-w-    c:\windows\system32\MRT.exe
2013-08-21 02:53 . 2013-08-21 02:53    123704    ----a-w-    c:\windows\system32\drivers\avgmfx64.sys
2013-08-05 20:18 . 2013-08-05 20:19    312232    ----a-w-    c:\windows\system32\javaws.exe
2013-08-05 20:18 . 2013-08-05 20:18    189352    ----a-w-    c:\windows\system32\javaw.exe
2013-08-05 20:18 . 2013-08-05 20:18    188840    ----a-w-    c:\windows\system32\java.exe
2013-08-05 20:18 . 2013-08-05 20:18    108968    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2013-08-05 20:18 . 2013-01-18 00:52    972712    ----a-w-    c:\windows\system32\deployJava1.dll
2013-08-05 20:18 . 2013-01-18 00:52    1093032    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-08-02 01:48 . 2013-10-02 20:46    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-08-01 20:07 . 2013-08-01 20:07    251192    ----a-w-    c:\windows\system32\drivers\avgtdia.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-10-02 20472992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"OOTag"="c:\program files (x86)\Gateway\OOBEOffer\OOTag.exe" [2010-02-23 13856]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-06-22 968272]
"AVG_UI"="c:\program files (x86)\AVG\AVG2014\avgui.exe" [2013-10-07 4908592]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-10-01 2345296]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\users\Mom\Documents\RCA Detective\RCADetective.exe [2012-5-18 804352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys;c:\windows\SYSNATIVE\drivers\lsnfd.sys [x]
R1 SABKUTIL;SABKUTIL;c:\program files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys;c:\program files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KXLCYPOW
*Deregistered* - kxlcypow
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-16 22:22    1185744    ----a-w-    c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 18:02]
.
2013-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-05 21:28]
.
2013-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-05 21:28]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-22 10920552]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2010-06-11 861216]
"OOTag"="c:\program files (x86)\Gateway\OOBEOffer\ootag.exe" [2010-02-23 13856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 10.60.20.20 10.60.20.19 10.60.20.0
FF - ProfilePath - c:\users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\
FF - prefs.js: browser.search.selectedEngine - Bing

FF - ExtSQL: 2013-09-29 21:28; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-SuperAdBlocker - c:\program files (x86)\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
Wow6432Node-HKCU-Run-LiveSupport - c:\program files (x86)\LiveSupport\LiveSupport.exe
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-ETDWare - c:\program files (x86)\Elantech\ETDCtrl.exe
AddRemove-IECT3289663 - c:\programdata\Conduit\IE\CT3289663\UninstallerUI.exe
AddRemove-sl-dlc - c:\program files (x86)\OApps\sl-dlc_uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-10-18  12:42:18
ComboFix-quarantined-files.txt  2013-10-18 16:42
.
Pre-Run: 169,391,435,776 bytes free
Post-Run: 171,032,506,368 bytes free
.
- - End Of File - - DDE288209EF65922706157A3ED6E5184
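The "Reg Loading Points" section of the ComboFix log above (Run values, Startup-folder shortcuts and the R/S service lines) is the part a helper reads first when looking for persistence. The following Python script is an added example, not ComboFix's own code or anything posted in this thread: it parses lines in that format and lists the entries whose image path sits in a user-writable location (user profile, ProgramData, AppData, Temp), which is a first-pass triage heuristic, not a malware verdict. The sample lines are constructed, copied in shape from entries visible in the log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ComboFix's "Reg Loading Points" format (shaped after the
# log above; not a live log). One entry per autostart location is enough to
# exercise every line type the parser understands.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-10-02 20472992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-10-01 2345296]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\users\Mom\Documents\RCA Detective\RCADetective.exe [2012-5-18 804352]
.
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys;c:\windows\SYSNATIVE\drivers\lsnfd.sys [x]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
'''

# Line shapes seen in the log: registry key header, "Name"="path" [date size],
# Startup-folder shortcut "x.lnk - path [date size]", and
# R<n>/S<n> name;display;path;path [x] service/driver lines.
KEY_HEADER = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
STARTUP_LNK = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$')
SERVICE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^;]+);(?P<path2>[^;]*?) \[x\]$')

# Directory fragments that an ordinary (non-admin) user can write to. A
# legitimate program can live there too, so a hit means "look at this", not "malware".
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\", "\\public\\")


@dataclass
class Entry:
    kind: str            # "run", "startup" or "service"
    name: str
    path: str
    location: str        # registry key, Startup folder, or "<start type> <display name>"
    size: Optional[int] = None


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the Reg Loading Points text into a list of autostart entries."""
    entries: List[Entry] = []
    location = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            continue
        m = KEY_HEADER.match(line)
        if m:
            location = m["key"]
            continue
        if line.endswith("\\") and ":\\" in line:   # a Startup-folder path line
            location = line
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["path"], location, int(m["size"])))
            continue
        m = STARTUP_LNK.match(line)
        if m:
            entries.append(Entry("startup", m["name"], m["path"], location, int(m["size"])))
            continue
        m = SERVICE.match(line)
        if m:
            where = f"{m['start']} {m['display']}".strip()
            entries.append(Entry("service", m["name"], m["path"], where))
    return entries


def is_user_writable(path: str) -> bool:
    """True when the image path lies under a directory a standard user can write to."""
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def triage(text: str) -> List[Entry]:
    """Entries a helper should look at first: autostarts loading from user-writable paths."""
    return [e for e in parse_loading_points(text) if is_user_writable(e.path)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.kind}] {e.name}: {e.path}  (from {e.location})")
```

On the constructed sample the script lists the Startup-folder shortcut under c:\users\Mom\Documents and the Skype service under c:\programdata; both are worth a look in a real log, and neither is condemned by the path alone.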
 


No, but I had some connection issues over the last few hours - sorry!

 

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

CFScript.txt


I've disabled all features of AVG 2014 and started ComboFix by dragging the text file onto it, but it won't do anything. I've let it run for a few hours and it's still not done, even with nothing else open. It gets to the point where it says it's scanning the computer for infected files and says it'll take like 10 minutes, but it doesn't continue. Am I missing something?


ComboFix log:

ComboFix 13-10-21.01 - Mom 10/22/2013  15:41:56.2.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7863.6461 [GMT -4:00]
Running from: c:\users\Josh\Desktop\ComboFix.exe
Command switches used :: c:\users\Josh\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\programdata\pclunst.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PC Cleaners
c:\programdata\PC Cleaners\fixed.htm
c:\programdata\PC Cleaners\image1.png
c:\programdata\PC Cleaners\image2.png
c:\programdata\PC Cleaners\PCCleaners.exe
c:\programdata\PC Cleaners\scanAV.htm
c:\programdata\PC1Data
c:\programdata\PC1Data\app.log
c:\programdata\PC1Data\av\d\acertdefs0.std
c:\programdata\PC1Data\av\d\adsrules.dat
c:\programdata\PC1Data\av\d\AdviceTx.vdx
c:\programdata\PC1Data\av\d\api0.std
c:\programdata\PC1Data\av\d\apincl.dat
c:\programdata\PC1Data\av\d\apprules.dat
c:\programdata\PC1Data\av\d\bhmem.vtd
c:\programdata\PC1Data\av\d\bhsl.vtd
c:\programdata\PC1Data\av\d\bmem.vtd
c:\programdata\PC1Data\av\d\CatDesc.vdx
c:\programdata\PC1Data\av\d\CatID.vdx
c:\programdata\PC1Data\av\d\cblk.vtd
c:\programdata\PC1Data\av\d\cmem.vtd
c:\programdata\PC1Data\av\d\cname.wtd
c:\programdata\PC1Data\av\d\comp0.std
c:\programdata\PC1Data\av\d\Cookies.vdx
c:\programdata\PC1Data\av\d\CoreVer.txt
c:\programdata\PC1Data\av\d\ctid.vtd
c:\programdata\PC1Data\av\d\defs0.std
c:\programdata\PC1Data\av\d\DefVer.txt
c:\programdata\PC1Data\av\d\dex_hash.dat
c:\programdata\PC1Data\av\d\dexmem.vtd
c:\programdata\PC1Data\av\d\dnrl.vdx
c:\programdata\PC1Data\av\d\elf_hash.dat
c:\programdata\PC1Data\av\d\EPSigs.vdx
c:\programdata\PC1Data\av\d\FastSigs.vdx
c:\programdata\PC1Data\av\d\FileDT.vdx
c:\programdata\PC1Data\av\d\FolderDT.vdx
c:\programdata\PC1Data\av\d\fsigs.vdx
c:\programdata\PC1Data\av\d\gfiark.dll
c:\programdata\PC1Data\av\d\gfiark32.sys
c:\programdata\PC1Data\av\d\gfiark64.sys
c:\programdata\PC1Data\av\d\gfiarkup.dll
c:\programdata\PC1Data\av\d\gfiutil.dll
c:\programdata\PC1Data\av\d\gfiutl32.sys
c:\programdata\PC1Data\av\d\gfiutl64.sys
c:\programdata\PC1Data\av\d\hcol.wtd
c:\programdata\PC1Data\av\d\heur0.std
c:\programdata\PC1Data\av\d\HistoryCleaner.xml
c:\programdata\PC1Data\av\d\hstn.vtd
c:\programdata\PC1Data\av\d\idsrules.dat
c:\programdata\PC1Data\av\d\ih.vdx
c:\programdata\PC1Data\av\d\IncompatiblePrograms.dll
c:\programdata\PC1Data\av\d\incompats.dat
c:\programdata\PC1Data\av\d\ip.vtd
c:\programdata\PC1Data\av\d\JSSigs.vdx
c:\programdata\PC1Data\av\d\kbu.dat
c:\programdata\PC1Data\av\d\kbu.dll
c:\programdata\PC1Data\av\d\lgpl.dll
c:\programdata\PC1Data\av\d\lib7zip.dll
c:\programdata\PC1Data\av\d\libBase64.dll
c:\programdata\PC1Data\av\d\libCHM.dll
c:\programdata\PC1Data\av\d\libEmail.dll
c:\programdata\PC1Data\av\d\libMachoUniv.dll
c:\programdata\PC1Data\av\d\libMsCab.dll
c:\programdata\PC1Data\av\d\libMsi.dll
c:\programdata\PC1Data\av\d\libNSIS.dll
c:\programdata\PC1Data\av\d\libOleA.dll
c:\programdata\PC1Data\av\d\libRar.dll
c:\programdata\PC1Data\av\d\libRTF.dll
c:\programdata\PC1Data\av\d\libtd.dll
c:\programdata\PC1Data\av\d\libVvs.dll
c:\programdata\PC1Data\av\d\libZip.dll
c:\programdata\PC1Data\av\d\macroptn.std
c:\programdata\PC1Data\av\d\MFastSigs.vdx
c:\programdata\PC1Data\av\d\mime0.std
c:\programdata\PC1Data\av\d\networkrules.dat
c:\programdata\PC1Data\av\d\pack0.std
c:\programdata\PC1Data\av\d\patchw32.dll
c:\programdata\PC1Data\av\d\qscnf.vdx
c:\programdata\PC1Data\av\d\qscnr.vdx
c:\programdata\PC1Data\av\d\RegDT.vdx
c:\programdata\PC1Data\av\d\rem0.std
c:\programdata\PC1Data\av\d\remediation.dll
c:\programdata\PC1Data\av\d\RootCA.wtd
c:\programdata\PC1Data\av\d\RTmem.vdx
c:\programdata\PC1Data\av\d\SBTS.dat
c:\programdata\PC1Data\av\d\script0.std
c:\programdata\PC1Data\av\d\sdll0.std
c:\programdata\PC1Data\av\d\sel.dat
c:\programdata\PC1Data\av\d\smim0.std
c:\programdata\PC1Data\av\d\ThreatCategoryGlossary.xml
c:\programdata\PC1Data\av\d\ThreatCategoryGlossary.xsd
c:\programdata\PC1Data\av\d\ThreatDT.vdx
c:\programdata\PC1Data\av\d\ThreatID.vdx
c:\programdata\PC1Data\av\d\TImem.vdx
c:\programdata\PC1Data\av\d\unpck0.std
c:\programdata\PC1Data\av\d\updater.dll
c:\programdata\PC1Data\av\d\vcore.dll
c:\programdata\PC1Data\av\d\VVSSigs.vdx
c:\programdata\PC1Data\av\d\WebFilterExceptions.dat
c:\programdata\PC1Data\av\d\white.wtd
c:\programdata\PC1Data\av\d\white0.std
c:\programdata\PC1Data\av\d\whsl.wtd
c:\programdata\PC1Data\av\SBTE.dll
c:\programdata\PC1Data\av\SpursDownload.dll
c:\programdata\PC1Data\av\unrar.dll
c:\programdata\PC1Data\av\vipre.dll
c:\programdata\PC1Data\phone\app3\phone.bmp
c:\programdata\PC1Data\phone\app3\phone.txt
c:\programdata\PC1Data\phone\app3\phone_i.txt
c:\programdata\PC1Data\phone\app3\tips.txt
c:\programdata\PC1Data\settings.txt
c:\programdata\pclunst.exe
c:\users\Mom\AppData\Roaming\SearchProtect
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-22 to 2013-10-22  )))))))))))))))))))))))))))))))
.
.
2013-10-22 19:50 . 2013-10-22 19:50    --------    d-----w-    c:\users\Mom\AppData\Local\temp
2013-10-22 19:50 . 2013-10-22 19:50    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-10-20 21:04 . 2013-10-20 21:04    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-10-20 21:04 . 2013-10-20 21:04    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-20 21:04 . 2013-10-20 21:04    --------    d-----w-    c:\program files (x86)\Java
2013-10-16 20:17 . 2013-10-16 20:17    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-10-09 20:01 . 2013-10-09 20:01    --------    d-----w-    c:\users\Josh\AppData\Local\LogMeIn
2013-10-09 20:01 . 2013-10-09 20:01    --------    d-----w-    c:\programdata\LogMeIn
2013-10-09 14:58 . 2013-10-09 14:58    4879744    ----a-w-    c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-09 14:58 . 2013-10-09 14:58    4879744    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-02 22:18 . 2013-10-02 22:22    --------    d-----w-    c:\windows\system32\MRT
2013-10-02 22:03 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-10-02 22:03 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-10-02 22:03 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-10-02 22:03 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-10-02 21:50 . 2013-10-02 21:50    97280    ----a-w-    c:\windows\system32\mshtmled.dll
2013-10-02 21:49 . 2013-10-02 21:49    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-02 21:43 . 2012-08-23 15:09    3072    ----a-w-    c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2013-10-02 21:16 . 2012-12-16 17:11    46080    ----a-w-    c:\windows\system32\atmlib.dll
2013-10-02 21:16 . 2012-12-16 14:13    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2013-10-02 21:16 . 2012-12-16 14:45    367616    ----a-w-    c:\windows\system32\atmfd.dll
2013-10-02 21:16 . 2012-12-16 14:13    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2013-10-02 21:15 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2013-10-02 21:15 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2013-10-02 21:15 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2013-10-02 21:15 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2013-10-02 21:15 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2013-10-02 21:15 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2013-10-02 21:15 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2013-10-02 20:50 . 2013-07-19 01:58    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-10-02 20:50 . 2013-07-19 01:41    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-10-02 20:48 . 2013-02-27 05:48    1930752    ----a-w-    c:\windows\system32\authui.dll
2013-10-02 20:47 . 2012-08-24 18:13    154480    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2013-10-02 20:46 . 2012-10-09 18:17    55296    ----a-w-    c:\windows\system32\dhcpcsvc6.dll
2013-10-02 20:45 . 2013-04-10 05:48    1732608    ----a-w-    c:\program files\Windows Journal\NBDoc.DLL
2013-10-02 20:45 . 2013-04-10 05:46    1393152    ----a-w-    c:\program files\Windows Journal\JNTFiltr.dll
2013-10-02 20:45 . 2013-04-10 05:46    1367040    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-10-02 20:45 . 2013-04-10 05:46    1402880    ----a-w-    c:\program files\Windows Journal\JNWDRV.dll
2013-10-02 20:45 . 2013-04-10 05:03    936448    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-10-02 20:45 . 2013-04-12 14:45    1656680    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-10-02 20:45 . 2012-11-01 05:43    2002432    ----a-w-    c:\windows\system32\msxml6.dll
2013-10-02 20:45 . 2012-11-01 05:43    1882624    ----a-w-    c:\windows\system32\msxml3.dll
2013-10-02 20:45 . 2013-04-10 06:01    265064    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-10-02 20:45 . 2013-04-10 06:01    983400    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-10-02 20:45 . 2012-11-01 04:47    1389568    ----a-w-    c:\windows\SysWow64\msxml6.dll
2013-10-02 20:45 . 2012-11-01 04:47    1236992    ----a-w-    c:\windows\SysWow64\msxml3.dll
2013-10-02 20:45 . 2011-02-03 11:25    144384    ----a-w-    c:\windows\system32\cdd.dll
2013-10-02 20:38 . 2013-04-25 23:30    1505280    ----a-w-    c:\windows\SysWow64\d3d11.dll
2013-10-02 20:38 . 2013-03-31 22:52    1887232    ----a-w-    c:\windows\system32\d3d11.dll
2013-10-02 20:16 . 2013-10-02 20:16    --------    d-----w-    c:\program files (x86)\LogMeIn Hamachi
2013-10-01 22:09 . 2013-10-01 22:09    --------    d-----w-    c:\program files\Microsoft Silverlight
2013-10-01 22:09 . 2013-10-01 22:09    --------    d-----w-    c:\program files (x86)\Microsoft Silverlight
2013-10-01 00:48 . 2013-10-01 00:48    --------    d-----w-    c:\program files (x86)\ESET
2013-10-01 00:34 . 2013-10-01 00:34    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-09-26 01:07 . 2013-09-26 01:07    148792    ----a-w-    c:\windows\system32\drivers\avgdiska.sys
2013-09-23 21:45 . 2013-09-23 21:45    --------    d-----w-    c:\program files (x86)\Common Files\Adobe
2013-09-23 21:21 . 2013-09-23 21:21    --------    d-s---w-    c:\windows\SysWow64\Microsoft
2013-09-23 21:01 . 2013-09-23 21:02    --------    d-----w-    c:\users\Josh\AppData\Roaming\Free Download Manager
2013-09-23 20:17 . 2013-10-01 00:39    --------    d-----w-    C:\AdwCleaner
2013-09-23 19:58 . 2013-09-23 20:09    --------    d-----w-    c:\programdata\HitmanPro
2013-09-23 19:27 . 2013-09-23 21:02    --------    d-----w-    c:\program files (x86)\Free Download Manager
2013-09-23 16:43 . 2013-09-23 16:43    --------    d-----w-    c:\users\Josh\AppData\Roaming\Malwarebytes
2013-09-22 22:21 . 2013-08-30 07:47    287840    ----a-w-    c:\windows\system32\aswBoot.exe
2013-09-22 22:19 . 2013-09-22 22:19    --------    d-----w-    c:\program files\AVAST Software
2013-09-22 22:18 . 2013-09-22 22:19    --------    d-----w-    c:\programdata\AVAST Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-20 20:51 . 2013-01-18 00:52    973736    ----a-w-    c:\windows\system32\deployJava1.dll
2013-10-20 20:51 . 2013-01-18 00:52    1095080    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-10-08 18:02 . 2012-06-10 21:30    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-08 18:02 . 2011-11-14 18:07    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-02 21:01 . 2013-08-20 19:04    1075424    ----a-w-    c:\programdata\Microsoft\WDExpress\11.0\1033\ResourceCache.dll
2013-09-09 02:11 . 2013-09-09 02:11    31544    ----a-w-    c:\windows\system32\drivers\avgrkx64.sys
2013-09-02 14:59 . 2013-09-02 14:59    212280    ----a-w-    c:\windows\system32\drivers\avgldx64.sys
2013-09-02 14:29 . 2013-09-02 14:29    294712    ----a-w-    c:\windows\system32\drivers\avgloga.sys
2013-09-02 14:26 . 2013-09-02 14:26    192824    ----a-w-    c:\windows\system32\drivers\avgidsha.sys
2013-09-02 14:26 . 2013-09-02 14:26    241464    ----a-w-    c:\windows\system32\drivers\avgidsdrivera.sys
2013-09-01 21:08 . 2011-11-09 16:06    79143768    ----a-w-    c:\windows\system32\MRT.exe
2013-08-21 02:53 . 2013-08-21 02:53    123704    ----a-w-    c:\windows\system32\drivers\avgmfx64.sys
2013-08-02 01:48 . 2013-10-02 20:46    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-08-01 20:07 . 2013-08-01 20:07    251192    ----a-w-    c:\windows\system32\drivers\avgtdia.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-10-02 20472992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"OOTag"="c:\program files (x86)\Gateway\OOBEOffer\OOTag.exe" [2010-02-23 13856]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-06-22 968272]
"AVG_UI"="c:\program files (x86)\AVG\AVG2014\avgui.exe" [2013-10-07 4908592]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-10-01 2345296]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\users\Mom\Documents\RCA Detective\RCADetective.exe [2012-5-18 804352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
R1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
R1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
R1 lsnfd;lsnfd;c:\windows\system32\drivers\lsnfd.sys;c:\windows\SYSNATIVE\drivers\lsnfd.sys [x]
R1 SABKUTIL;SABKUTIL;c:\program files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys;c:\program files (x86)\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe [x]
R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
R2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
R2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
R2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-16 22:22    1185744    ----a-w-    c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 18:02]
.
2013-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-05 21:28]
.
2013-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-05 21:28]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-22 10920552]
"ETDWare"="c:\program files (x86)\Elantech\ETDCtrl.exe" [bU]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2010-06-11 861216]
"OOTag"="c:\program files (x86)\Gateway\OOBEOffer\ootag.exe" [2010-02-23 13856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
FF - ProfilePath - c:\users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\

FF - prefs.js: browser.search.selectedEngine - RuneScape Customized Web Search


FF - ExtSQL: 2013-09-29 21:28; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-IECT3289663 - c:\programdata\Conduit\IE\CT3289663\UninstallerUI.exe
AddRemove-sl-dlc - c:\program files (x86)\OApps\sl-dlc_uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-10-22  15:53:21
ComboFix-quarantined-files.txt  2013-10-22 19:53
ComboFix2.txt  2013-10-18 16:42
.
Pre-Run: 168,795,168,768 bytes free
Post-Run: 169,246,515,200 bytes free
.
- - End Of File - - 7BC867550F6127D9E37391CAB05302C7

Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.05.03

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 10.0.9200.16686
Josh :: JOSHSCPU [limited]

10/22/2013 3:55:26 PM
mbam-log-2013-10-22 (15-55-26).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 429627
Time elapsed: 1 hour(s), 7 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCR\AppID\{38495740-0035-4471-851E-F5BBB86AB085} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKCR\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKCR\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKCR\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77} (PUP.Optional.DefaultTab.A) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 19
C:\AdwCleaner\Quarantine\C\Program Files (x86)\internethelper3.1\InternetHelper3.1ToolbarHelper.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\optimizer pro\OptProLauncher.exe.vir (PUP.Optional.OptimizePro.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\ChromeModule.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\cltmng.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\FirefoxModule.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\InternetExplorerModule.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPHook32.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPRunner.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\uninstall.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\chLogic.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\ctbe.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\ffLogic.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\ieLogic.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\spch.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\spff.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\statisticsStub.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Local\Temp\CT3289663\stub.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\Users\Josh\Downloads\tb_RuneScape_brff.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


ESET log:

C:\AdwCleaner\Quarantine\C\Program Files (x86)\DefaultTab\DefaultTabSearch.exe.vir    a variant of Win32/Toolbar.DefaultTab.B application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\ChromeModule.dll.vir    a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\cltmng.exe.vir    a variant of Win32/Conduit.SearchProtect.B application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\CltMngSvc.exe.vir    Win32/Conduit.SearchProtect.E application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\FirefoxModule.dll.vir    a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\InternetExplorerModule.dll.vir    a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPHook32.dll.vir    probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPRunner.exe.vir    Win32/Conduit.SearchProtect.D application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\ffprotect\application.js.vir    Win32/Conduit.SearchProtect.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\ffprotect\nsprotector.js.vir    Win32/Conduit.SearchProtect.A application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll.vir    a variant of Win32/Toolbar.DefaultTab.B application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart.exe.vir    a variant of Win32/Toolbar.DefaultTab.B application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap.dll.vir    a variant of Win32/Toolbar.DefaultTab.B application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe.vir    Win32/Toolbar.DefaultTab.A application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\ChromeModule.dll.vir    a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\cltmng.exe.vir    a variant of Win32/Conduit.SearchProtect.B application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\CltMngSvc.exe.vir    Win32/Conduit.SearchProtect.E application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\FirefoxModule.dll.vir    a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\InternetExplorerModule.dll.vir    a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\SPHook32.dll.vir    probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\bin\SPRunner.exe.vir    Win32/Conduit.SearchProtect.D application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\ffprotect\application.js.vir    Win32/Conduit.SearchProtect.A application
C:\AdwCleaner\Quarantine\C\Users\Mom\AppData\Roaming\Searchprotect\ffprotect\nsprotector.js.vir    Win32/Conduit.SearchProtect.A application
C:\Program Files (x86)\Mozilla Firefox\nsprotector.js    Win32/Conduit.SearchProtect.A application
C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js    Win32/Conduit.SearchProtect.A application
C:\Qoobox\Quarantine\C\ProgramData\PC Cleaners\PCCleaners.exe.vir    probably a variant of Win32/PCCleaners application
C:\Users\Josh\Desktop\WinZip175.exe    a variant of Win32/OpenInstall application
C:\Users\Josh\Downloads\cbsidlm-tr1_9-Super_Ad_Blocker-SEO2-10295147.exe    multiple threats
C:\Users\Josh\Downloads\labview-windows-downloader.exe    Win32/Malavida.A application
C:\Users\Josh\Music\Zwinky.exe    a variant of Win32/AdInstaller application
C:\Users\Mom\Downloads\cbsidlm-tr1_15-Super_Ad_Blocker-SEO-10295147(1).exe    Win32/DownloadAdmin.G application
C:\Users\Mom\Downloads\cbsidlm-tr1_15-Super_Ad_Blocker-SEO-10295147.exe    Win32/DownloadAdmin.G application
C:\Users\Mom\Downloads\Setup.exe    a variant of Win32/Kryptik.BLXE trojan

C:\Users\Josh\Desktop\WinZip175.exe
C:\Users\Josh\Downloads\cbsidlm-tr1_9-Super_Ad_Blocker-SEO2-10295147.exe
C:\Users\Josh\Downloads\labview-windows-downloader.exe
C:\Users\Josh\Music\Zwinky.exe
C:\Users\Mom\Downloads\cbsidlm-tr1_15-Super_Ad_Blocker-SEO-10295147(1).exe
C:\Users\Mom\Downloads\cbsidlm-tr1_15-Super_Ad_Blocker-SEO-10295147.exe
C:\Users\Mom\Downloads\Setup.exe

Delete these files!

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[s1].txt also

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its contents to your thread.


adwCleaner[s2].txt (already had logs from following other online virus removal guides):

# AdwCleaner v3.010 - Report created 26/10/2013 at 11:28:20
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Mom - JOSHSCPU
# Running from : C:\Users\Josh\Downloads\adwcleaner(2).exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Mom\Documents\PC Health Kit
Folder Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\CT2680363
Folder Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\Extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}
File Deleted : C:\Program Files (x86)\Mozilla Firefox\nsprotector.js
File Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\searchplugins\bingp.xml
File Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\searchplugins\Conduit.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mypc backup
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\90ihfqtj.default-1380588328693\prefs.js ]


[ File : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\prefs.js ]

Line Deleted : user_pref("CT2680363.FF19Solved", "true");
Line Deleted : user_pref("CT2680363.UserID", "UN41868487111009826");
Line Deleted : user_pref("CT2680363.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT2680363.fullUserID", "UN41868487111009826.IN.20131020165756");
Line Deleted : user_pref("CT2680363.installDate", "20/10/2013 16:57:59");
Line Deleted : user_pref("CT2680363.installSessionId", "29BCECBA-6620-4F9B-A97C-39AE05E2DF54");
Line Deleted : user_pref("CT2680363.installSp", "true");
Line Deleted : user_pref("CT2680363.installerVersion", "1.7.1.4");
Line Deleted : user_pref("CT2680363.keyword", "true");
Line Deleted : user_pref("CT2680363.originalHomepage", "about:home");

Line Deleted : user_pref("CT2680363.originalSearchEngine", "Bing ");
Line Deleted : user_pref("CT2680363.originalSearchEngineName", "Bing ");
Line Deleted : user_pref("CT2680363.searchRevert", "true");
Line Deleted : user_pref("CT2680363.searchUserMode", "2");
Line Deleted : user_pref("CT2680363.smartbar.homepage", "true");
Line Deleted : user_pref("CT2680363.versionFromInstaller", "10.20.1.8");
Line Deleted : user_pref("CT2680363.xpeMode", "0");

Line Deleted : user_pref("browser.search.defaultenginename", "RuneScape Customized Web Search");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "RuneScape Customized Web Search");

Line Deleted : user_pref("browser.search.selectedEngine", "RuneScape Customized Web Search");


Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT2680363");


Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT2680363");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT2680363");

-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\Josh\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [42216 octets] - [23/09/2013 16:18:14]
AdwCleaner[R1].txt - [2165 octets] - [30/09/2013 20:38:02]
AdwCleaner[R2].txt - [6043 octets] - [26/10/2013 11:23:25]
AdwCleaner[s0].txt - [41131 octets] - [23/09/2013 16:19:59]
AdwCleaner[s1].txt - [2219 octets] - [30/09/2013 20:39:08]
AdwCleaner[s2].txt - [6023 octets] - [26/10/2013 11:28:20]

########## EOF - \AdwCleaner\AdwCleaner[s2].txt - [6083 octets] ##########

Checkup.txt:

 Results of screen317's Security Check version 0.99.74  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Free Edition 2014   
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 Java version out of Date!
 Adobe Flash Player 11.9.900.117  
 Adobe Reader XI  
 Mozilla Firefox (24.0)
 Google Chrome 30.0.1599.101  
 Google Chrome 30.0.1599.69  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 AVG avgwdsvc.exe
 Josh Desktop antivirus stuff SecurityCheck.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````

Your system is clean now! :)

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the current JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • When finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions (if any).
  • When finished, reboot your computer.


After the reboot

  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

Uninstall our tools using delfix

Please follow these steps in order:

  1. If we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  2. If we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any popup window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


I removed all the antivirus stuff that I've used trying to get rid of this thing, but I scanned with Malwarebytes just to make sure it's gone and it came up with like 130 threats. I removed them, rebooted and scanned again and it came up with 96. I did it again and it came up with 57 threats. Do I have to go through this whole process again of using ComboFix and the other programs to get rid of it for good, or just repeat the last step?


I cannot provide further steps without the MBAM logs.

You told us that you removed several items with Malwarebytes' Anti-Malware. This tool creates a log on every run and we need to see them.


  • The logs can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Zip any and all of these logs and attach the file to your next reply.


Here they are. Luckily I didn't uninstall Malwarebytes. I also recovered the previous logs from the recycle bin in case you want to look at those. "antivirus logs.zip" is the logs from all the programs I used that I recovered from the recycle bin. "mbam logs.zip" is just the Malwarebytes logs that you asked me to upload. Sorry about this.

antivirus logs.zip

mbam Logs.zip


What MBAM found is just adware and that doesn't come from outer space. Did you install any tools since I declared the computer clean?

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


When they are complete let me have the two reports and let me know how things are running.

The only thing I installed was the runescape toolbar which didn't install right. That was what led me to scan again with malwarebytes to make sure the problem was gone. I had a feeling that that was at least part of the problem because I saw "search conduit" sometimes in the logs which I think is the name for the custom websearch page. I thought it was safe because I've downloaded it and used it before, but I guess something changed since they remade the install process. Here are the logs for adwCleaner and JRT

adwCleaner:

# AdwCleaner v3.010 - Report created 29/10/2013 at 11:42:36
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Mom - JOSHSCPU
# Running from : C:\Users\Josh\Desktop\AdwCleaner(2).exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Searchprotect
[!] Folder Deleted : C:\Users\Josh\AppData\Roaming\Searchprotect
Folder Deleted : C:\Users\Mom\AppData\Roaming\Searchprotect
Folder Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\CT2680363
Folder Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\Extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}
File Deleted : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\searchplugins\Conduit.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchProtect]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [searchProtectAll]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\90ihfqtj.default-1380588328693\prefs.js ]


[ File : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\fawgagbt.default\prefs.js ]

Line Deleted : user_pref("CT2680363.FF19Solved", "true");
Line Deleted : user_pref("CT2680363.UserID", "UN18451974488656217");
Line Deleted : user_pref("CT2680363.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT2680363.fullUserID", "UN18451974488656217.IN.20131028162238");
Line Deleted : user_pref("CT2680363.installDate", "28/10/2013 16:22:39");
Line Deleted : user_pref("CT2680363.installSessionId", "475638A9-8106-4FE3-9817-B73DFC485D0E");
Line Deleted : user_pref("CT2680363.installSp", "true");
Line Deleted : user_pref("CT2680363.installUsage", "28/10/2013 16:25:32");
Line Deleted : user_pref("CT2680363.installUsageEarly", "28/10/2013 16:25:32");
Line Deleted : user_pref("CT2680363.installerVersion", "1.8.0.14");
Line Deleted : user_pref("CT2680363.keyword", "true");
Line Deleted : user_pref("CT2680363.originalHomepage", "about:home");
Line Deleted : user_pref("CT2680363.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT2680363.originalSearchEngine", "");
Line Deleted : user_pref("CT2680363.originalSearchEngineName", "");
Line Deleted : user_pref("CT2680363.searchRevert", "true");
Line Deleted : user_pref("CT2680363.searchUserMode", "2");
Line Deleted : user_pref("CT2680363.smartbar.homepage", "true");
Line Deleted : user_pref("CT2680363.toolbarInstallDate", "28-10-2013 16:22:39");
Line Deleted : user_pref("CT2680363.versionFromInstaller", "10.21.1.7");
Line Deleted : user_pref("CT2680363.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("browser.search.defaultenginename", "RuneScape Customized Web Search");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "RuneScape Customized Web Search");

Line Deleted : user_pref("browser.search.selectedEngine", "RuneScape Customized Web Search");


Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT2680363");


Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT2680363");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT2680363");
Line Deleted : user_pref("smartbar.machineId", "VDL6WPV4QPJGRPGAAXGAQ0Z6O0M5AVN5V+VOXIJDDFS2E484ZPFOFDCILGSHZCHF5RHEQKDEGENF5PIDL53BNG");

-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\Josh\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [5077 octets] - [29/10/2013 11:41:42]
AdwCleaner[s0].txt - [5020 octets] - [29/10/2013 11:42:36]

########## EOF - \AdwCleaner\AdwCleaner[s0].txt - [5080 octets] ##########

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Windows 7 Home Premium x64
Ran by Mom on Tue 10/29/2013 at 11:48:14.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{38495740-0035-4471-851E-F5BBB86AB085}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\livesupport_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\livesupport_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\optimizerpro_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\optimizerpro_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\optprostart_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\optprostart_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F8676F6D-A84D-4D53-89FC-C259DA84FCC6}



~~~ Files



~~~ Folders



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\ippkomaaonokjnfjoikaemidanojkfmm



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 10/29/2013 at 11:55:01.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
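
Both AdwCleaner logs in this thread show where the Firefox side of the hijack lives: the profile's prefs.js carries a block of CT2680363.* preferences, smartbar.*OwnerCTID entries pointing at that Conduit id, and the browser.search.* preferences rewritten to "RuneScape Customized Web Search". The second log, with a fresh installDate of 28/10/2013, is the same set coming back after the toolbar was reinstalled. Below is an added example, not AdwCleaner's code and not anything posted in the thread: a small Python auditor that parses user_pref() lines and flags those patterns, so a profile can be checked before and after a cleanup. SAMPLE_PREFS_JS is constructed to mirror the deleted entries, and KNOWN_ENGINES is an assumed allow-list to adjust to your own defaults.

```python
"""Flag search/homepage hijack entries in a Firefox prefs.js.

Added example, not part of the thread or of AdwCleaner. Point it at
%APPDATA%\\Mozilla\\Firefox\\Profiles\\<profile>\\prefs.js with Firefox closed
(Firefox rewrites prefs.js on exit, so inspect or edit it only while closed).
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# A prefs.js entry looks like:  user_pref("name", value);
# value is a quoted string, an integer, or true/false.
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Name prefixes used by Conduit-built toolbars (CT<digits>.*) and by the
# Smartbar component that records which toolbar "owns" search and homepage.
HIJACK_NAME_PATTERNS = [
    re.compile(r"^CT\d+\."),
    re.compile(r"^smartbar\.", re.IGNORECASE),
]

# Prefs a search hijacker rewrites, and the engines considered benign.
# KNOWN_ENGINES is an assumed allow-list; adjust it to your own defaults.
SEARCH_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaultthis.engineName",
    "browser.search.selectedEngine",
}
KNOWN_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo", "Wikipedia (en)"}


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: raw_value} for every user_pref() line; other lines are ignored."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit_prefs(prefs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (reason, name, raw_value) for each suspicious pref."""
    findings = []
    for name, value in prefs.items():
        if any(p.search(name) for p in HIJACK_NAME_PATTERNS):
            findings.append(("third-party search owner pref", name, value))
        elif name in SEARCH_PREFS and value.strip('"') not in KNOWN_ENGINES:
            findings.append(("default search engine replaced", name, value))
    return findings


def conduit_ids(prefs: Dict[str, str]) -> Set[str]:
    """Collect every Conduit toolbar id (CT<digits>) referenced by pref name or value."""
    ids: Set[str] = set()
    for name, value in prefs.items():
        m = re.match(r"^(CT\d+)\.", name) or re.search(r'"(CT\d+)"', value)
        if m:
            ids.add(m.group(1))
    return ids


# Constructed sample modelled on the entries AdwCleaner deleted in the logs above.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1382988000);
user_pref("browser.startup.homepage_override.mstone", "24.0");
user_pref("CT2680363.installDate", "28/10/2013 16:22:39");
user_pref("CT2680363.originalHomepage", "about:home");
user_pref("CT2680363.searchRevert", "true");
user_pref("CT2680363.xpeMode", "0");
user_pref("browser.search.defaultenginename", "RuneScape Customized Web Search");
user_pref("browser.search.selectedEngine", "RuneScape Customized Web Search");
user_pref("smartbar.defaultSearchOwnerCTID", "CT2680363");
user_pref("smartbar.homePageOwnerCTID", "CT2680363");
user_pref("extensions.blocklist.enabled", true);
'''

if __name__ == "__main__":
    # Usage: python prefs_audit.py [path\to\prefs.js]; without a path the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    prefs = parse_prefs(text)
    for reason, name, value in audit_prefs(prefs):
        print(f"{reason}: {name} = {value}")
    print("Conduit ids:", ", ".join(sorted(conduit_ids(prefs))) or "none")
```

Removing the prefs is not the whole fix on its own. The ESET log found nsprotector.js dropped into C:\Program Files (x86)\Mozilla Firefox and its browser\ subfolder, and the second AdwCleaner run had to delete the CltMngSvc service and the Searchprotect folders; while those SearchProtect components are still present, the same preferences are likely to be written back, which is exactly what the second log shows.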

malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.05.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Josh :: JOSHSCPU [limited]

10/30/2013 12:22:21 PM
mbam-log-2013-10-30 (12-22-21).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 449125
Time elapsed: 3 hour(s), 34 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77} (PUP.Optional.DefaultTab.A) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\ChromeModule.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\cltmng.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\FirefoxModule.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\InternetExplorerModule.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPHook32.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPHook64.dll.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPRunner.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\SPTool64.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\uninstall.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Users\Josh\AppData\Roaming\Searchprotect\bin\ChromeModule.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\Josh\AppData\Roaming\Searchprotect\bin\cltmng.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\Josh\AppData\Roaming\Searchprotect\bin\FirefoxModule.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\Josh\AppData\Roaming\Searchprotect\bin\InternetExplorerModule.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)
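
Look at where nearly all of the hits in the two MBAM logs above live: C:\AdwCleaner\Quarantine\...\*.vir and C:\Qoobox\Quarantine\... are the quarantine folders of AdwCleaner and ComboFix. MBAM was re-detecting files that other tools had already disarmed and renamed, which is the pattern behind repeated scans that keep "finding" adware: a quarantine copy is not an active infection. The entries that matter are objects outside a quarantine folder (tb_RuneScape_brff.exe in Downloads) and registry keys that still load something. The following is an added example, not Malwarebytes code and not posted in the thread: a Python triage of log lines in the MBAM 1.x format that separates quarantine re-detections from live hits and labels registry hits with the mechanism they represent. SAMPLE_LOG is constructed from paths and detection names that appear in the logs above; QUARANTINE_DIRS and the mechanism descriptions are my own.

```python
"""Triage detection lines in the Malwarebytes Anti-Malware 1.x log format.

Added example, not code from Malwarebytes or from this thread. A line in the
"Registry Keys Detected" / "Files Detected" sections looks like:
    <object> (<detection name>) -> <action>
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Hit(NamedTuple):
    path: str
    name: str        # detection name, e.g. PUP.Optional.Conduit.A
    action: str      # e.g. "Delete on reboot."
    kind: str        # "file" or "registry"
    live: bool       # False when the file sits in another tool's quarantine
    mechanism: str   # what a registry hit does while the adware is active


_HIT_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Quarantine folders of AdwCleaner and ComboFix (assumed list; extend as needed).
# Files there are renamed *.vir and are no longer loaded by anything.
QUARANTINE_DIRS = ("c:\\adwcleaner\\quarantine\\", "c:\\qoobox\\quarantine\\")

# Registry locations seen in the logs and what they mean. Order matters: the
# first matching fragment wins.
REGISTRY_MECHANISMS = [
    ("\\low rights\\elevationpolicy\\", "IE Protected Mode elevation policy (IE may launch this exe above Low integrity)"),
    ("\\browser helper objects\\", "Browser Helper Object (loaded into every IE process)"),
    ("\\currentversion\\ext\\preapproved\\", "IE add-on pre-approval (no enable-add-on prompt)"),
    ("\\currentversion\\run", "Run key (autostart at logon)"),
    ("\\internet explorer\\searchscopes\\", "IE search provider"),
    ("\\microsoft\\tracing\\", "RAS tracing key (evidence the exe ran; not persistence)"),
    ("\\appid\\", "COM AppID registration"),
    ("\\clsid\\", "COM class registration"),
    ("\\typelib\\", "COM type library"),
    ("\\interface\\", "COM interface registration"),
]


def parse_hit(line: str) -> Optional[Hit]:
    """Parse one detection line; return None for headers, counts and blank lines."""
    m = _HIT_RE.match(line.strip())
    if not m:
        return None
    obj, name, action = m.group("obj"), m.group("name"), m.group("action")
    low = obj.lower()
    if low.startswith(("hkcr\\", "hklm\\", "hkcu\\", "hkey_")):
        mech = next((d for frag, d in REGISTRY_MECHANISMS if frag in low), "other registry location")
        return Hit(obj, name, action, "registry", True, mech)
    live = not low.startswith(QUARANTINE_DIRS) and not low.endswith(".vir")
    return Hit(obj, name, action, "file", live, "")


def triage(log_text: str) -> Dict[str, object]:
    """Split a log into live files, quarantine re-detections and registry hits."""
    hits = [h for h in map(parse_hit, log_text.splitlines()) if h]
    registry = [h for h in hits if h.kind == "registry"]
    return {
        "total": len(hits),
        "live_files": [h for h in hits if h.kind == "file" and h.live],
        "quarantined": [h for h in hits if h.kind == "file" and not h.live],
        "registry": registry,
        "families": Counter(h.name for h in hits),
        "mechanisms": Counter(h.mechanism for h in registry),
    }


# Constructed sample; paths and detection names are taken from the logs above.
SAMPLE_LOG = r"""
Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363} (PUP.Optional.DefaultTab.A) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 4
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\cltmng.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Searchprotect\bin\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\Qoobox\Quarantine\C\Program Files (x86)\optimizer pro\OptProLauncher.exe.vir (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.
C:\Users\Josh\Downloads\tb_RuneScape_brff.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['total']} hits: {len(r['live_files'])} live file(s), "
          f"{len(r['quarantined'])} quarantine re-detection(s), {len(r['registry'])} registry key(s)")
    for h in r["live_files"]:
        print("  LIVE    ", h.name, h.path)
    for h in r["registry"]:
        print("  REGISTRY", h.mechanism, "->", h.path)
```

The two ElevationPolicy GUIDs flagged in both MBAM logs are worth a closer look than the quarantine hits: entries under HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy tell IE Protected Mode which executables (named by their AppName and AppPath values) may be launched above Low integrity. A stale entry whose AppPath no longer exists is harmless clutter, but one that still points at a binary on disk means the adware can still be started from inside the browser, which is why the helper tools treat them as findings rather than leftovers.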

That did the trick again...

Uninstall our tools using delfix

Please follow these steps in order:

  1. If we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  2. If we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.

Always keep an eye on setup procedures - many tools will install unwanted third-party software.

Also, don't install any toolbars.
