Jump to content

Recommended Posts

My computer has become infected with a bitcoin miner which goes under the name of "postgres". It randomly opens up and uses all of my memory and makes my pc slow. I have tried to delete it and used scanning software but still it somehow manages to reinstall itself on my computer. Im getting really worried now, anyone know how I can remove it from my computer permanently?

Link to post
Share on other sites

Hello Leebo404 and :welcome:! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Please follow the instructions here and then post your log files in a new reply in this thread:


Link to post
Share on other sites

attach - 


DDS (Ver_2012-11-20.01)
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 07/02/2012 18:31:07
System Uptime: 19/12/2013 18:25:48 (1 hours ago)
Motherboard: Gigabyte Technology Co., Ltd. |  | Z68AP-D3
Processor: Intel® Core i7-2600K CPU @ 3.40GHz | Socket 1155 | 3701/100mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 4.753 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 453.225 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 06/02/2012 23:35:51 - Installed ASUS nVidia Driver
RP2: 06/02/2012 23:42:56 - Installed Realtek Ethernet Controller Driver
RP3: 06/02/2012 23:44:55 - Installed Etron USB3.0 Host Controller
==== Hosts File Hijack ======================
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
==== Installed Programs ======================
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.8)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ARMA 2: British Armed Forces
ARMA 2: British Armed Forces - Data cache removal
ARMA 2: Operation Arrowhead
ASUS nVidia Driver
BattlEye for Iron Front Uninstall
BattlEye for OA Uninstall
Bloodline Champions
Borderlands 2
Bundled software uninstaller
Cheat Engine 6.1
ChiliCoupon™ by chilicoupon.com
Core Temp 1.0 RC3
Corsair M60 Gaming Mouse Driver V1.0
Counter-Strike: Global Offensive
Counter-Strike: Source
Creation Kit
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Deus Ex: Human Revolution
Dota 2
Dragon Age: Origins - Ultimate Edition
Easy Tune 6 B11.0823.1
Empire: Total War
Etron USB3.0 Host Controller
Europa Universalis III
Facebook Video Calling
FIFA 12 © EA version 1
FM Genie Scout 13 version 1.0 13.3.3
Football Manager 2013 Editor
Football Manager 2014
Freecorder 5
FTL: Faster Than Light
Garry's Mod
Google Chrome
Google Earth
Google Update Helper
Grand Theft Auto IV
Gyazo 2.0.1
Hearts of Iron III
Hex Workshop v6.6
Hi-Rez Studios Authenticate and Update Service
Hitman: Absolution
Hitman: Sniper Challenge
IL Shared Libraries
Intel® Control Center
Intel® Management Engine Components
Intel® Processor Graphics
InterActual Player
Iron Front : Liberation 1944
iVMS 4200(v1.0)
Java 7 Update 45
Java Auto Updater
Java 6 Update 31
Java 6 Update 31 (64-bit)
Java 7 Update 4 (64-bit)
JavaFX 2.1.1
League of Legends
Left 4 Dead 2
LogMeIn Hamachi
Magic ISO Maker v5.5 (build 0281)
Magical Jelly Bean KeyFinder
Malwarebytes Anti-Malware version
March of the Eagles
McAfee Security Scan Plus
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Flight Simulator X
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mount&Blade Warband
MountMusket Battalion
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Napoleon: Total War
NARUTO SHIPPUDEN: Ultimate Ninja STORM 3 Full Burst
Nexus Mod Manager
NVIDIA 3D Vision Controller Driver 306.97
NVIDIA 3D Vision Driver 311.06
NVIDIA Control Panel 311.06
NVIDIA Graphics Driver 311.06
NVIDIA HD Audio Driver
NVIDIA Install Application
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.11.3
NVIDIA Update Components
ON_OFF Charge B11.0110.1
Pando Media Booster
Path of Exile
PAYDAY: The Heist
PC Control Pad
PlanetSide 2
Prism Video File Converter
Realm of the Mad God
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Rome - Total War
Saints Row: The Third
Search Protection
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2837597) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Skype™ 6.11
Sleeping Dogs™
Smart 6 B11.0824.1
Spiral Knights
Splashtop Connect for Firefox
Splashtop Connect IE
Star Wars - Battlefront II
Star Wars: Knights of the Old Republic II
Superpower 2
System Requirements Lab CYRI
Team Fortress 2
TeamViewer 7
The Elder Scrolls V: Skyrim
The Peloponnesian War 0.5
The Sims™ 3
Total War: ROME II
Total War: SHOGUN 2
Tribes Ascend Closed Beta
Tropico 4
Ubisoft Game Launcher
Unity Web Player
Unreal Development Kit: 2012-03
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2836939v3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition
Victoria II
Windows Live ID Sign-in Assistant
WinRAR 4.10 (64-bit)
XCOM: Enemy Unknown
Yontoo 1.10.02
==== Event Viewer Messages From Past Week ========
19/12/2013 18:28:07, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
19/12/2013 18:28:07, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
18/12/2013 17:59:40, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
16/12/2013 18:18:20, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.163.1990.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10100.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
==== End Of File ===========================
DDS - 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by elijah at 19:22:03 on 2013-12-19
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.8109.4999 [GMT 0:00]
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
E:\Program Files (x86)\Tribes Ascend\HiPatchService.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe
C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
E:\Program Files (x86)\Hamachi\hamachi-2.exe
E:\Program Files (x86)\Hamachi\LMIGuardianSvc.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
E:\Program Files (x86)\LOLReplay\LOLRecorder.exe
C:\Users\elijah\AppData\Roaming\Search Protection\SearchProtection.exe
C:\Program Files (x86)\Gyazo\GyStation.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
E:\Program Files (x86)\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe
E:\Program Files (x86)\iTunes\iTunesHelper.exe
E:\Program Files (x86)\Corsair\M60 Mouse\M60Hid.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
E:\Program Files (x86)\Corsair\M60 Mouse\CorsTra.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\AlarmClock.exe
E:\Program Files (x86)\Steam\Steam.exe
E:\Program Files (x86)\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe
E:\Program Files (x86)\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\\deploy\LoLLauncher.exe
E:\Program Files (x86)\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\\deploy\LolClient.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
uURLSearchHooks: Splashtop Connect SearchHook: {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll
uURLSearchHooks: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: Splashtop Connect VisualBookmark: {0E5680D1-BF44-4929-94AF-FD30D784AD1D} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STC.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll
BHO: Complitly: {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Users\elijah\AppData\Roaming\Complitly\Complitly.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files (x86)\Office14\GROOVEEX.DLL
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\Program Files (x86)\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
uRun: [RGSC] E:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
uRun: [Facebook Update] "C:\Users\elijah\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [LOLReplay Recorder] "E:\Program Files (x86)\LOLReplay\LOLRecorder.exe" -minimize
uRun: [searchProtection] "C:\Users\elijah\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart
uRun: [Gyazo] C:\Program Files (x86)\Gyazo\GyStation.exe
uRun: [svchost] "C:\ProgramData\svchost0\apijcajxv.exe"
uRun: [AdobeUpdate] wscript "C:\Users\elijah\AppData\Roaming\PTSx32\invis.vbs" "C:\Users\elijah\AppData\Roaming\PTSx32\bat.bat"
mRun: [sTCAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"
mRun: [ZyngaGamesAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"
mRun: [bCSSync] "E:\Program Files (x86)\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "E:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Corsair M60 Mouse] E:\Program Files (x86)\Corsair\M60 Mouse\M60Hid.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "E:\Program Files (x86)\Hamachi\hamachi-2-ui.exe" --auto-start
StartupFolder: C:\Users\elijah\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - E:\Program Files (x86)\Rainmeter.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - E:\PROGRA~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - E:\PROGRA~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - E:\Program Files (x86)\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - E:\Program Files (x86)\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer =
TCP: Interfaces\{D9F2038F-7C1F-475E-9D5A-ECA3586D6121} : DHCPNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll
SSODL: WebCheck - <orphaned>
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\Program Files (x86)\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: rstrui.exe - jfoqk_.exe
x64-BHO: Complitly: {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Users\elijah\AppData\Roaming\Complitly\64\Complitly64.dll
x64-BHO: GBHO.BHO: {45d30484-7ded-43d9-957a-d2fd1f046511} - 
x64-BHO: Instant Savings App BHO: {6EB4A4C0-6036-4D2E-B010-20707C4B62E8} - 
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Smart Recovery 2: {1d09c093-f71e-43c3-b948-19316cbd695e} - 
x64-TB: Instant Savings App: {D629FDE2-1C75-40B2-9B20-CE72D3A430AF} - 
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll
x64-STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-IFEO: rstrui.exe - jfoqk_.exe
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Hosts: api.crashtastic.com 
Note: multiple HOSTS entries found. Please refer to Attach.txt
================= FIREFOX ===================
FF - ProfilePath - C:\Users\elijah\AppData\Roaming\Mozilla\Firefox\Profiles\mqzevvme.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\elijah\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\elijah\AppData\Local\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Users\elijah\AppData\Roaming\Mozilla\Firefox\Profiles\mqzevvme.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
FF - plugin: E:\PROGRA~2\Office14\NPAUTHZ.DLL
FF - plugin: E:\PROGRA~2\Office14\NPSPWRAP.DLL
FF - plugin: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
FF - user.js: extentions.y2layers.installId - 77202495-989f-4bd9-82eb-cc2aeececa52
FF - user.js: extentions.y2layers.defaultEnableAppsList - ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113480&tt=050412_30b
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 7e81655f00000000000050e5494ff411
FF - user.js: extensions.BabylonToolbar_i.hardId - 7e81655f00000000000050e5494ff411
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15502
FF - user.js: extensions.BabylonToolbar_i.vrsn -
FF - user.js: extensions.BabylonToolbar_i.vrsni -
FF - user.js: extensions.BabylonToolbar_i.vrsnTs -
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extensions.autoDisableScopes - 0
FF - user.js: extensions.shownSelectionUI - true
============= SERVICES / DRIVERS ===============
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;E:\Program Files (x86)\Tribes Ascend\HiPatchService.exe [2012-2-19 8704]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2012-2-7 21104]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2012-2-11 21992]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;E:\Program Files (x86)\Hamachi\hamachi-2.exe [2013-11-29 2210640]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 134944]
R2 SCBackService;Splashtop Connect Service;C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 477000]
R2 Smart TimeLock;Smart TimeLock Service;C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe [2012-2-7 114688]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-2-8 3027840]
R2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [2011-3-24 493384]
R2 WCUService_STC_IE;Splashtop Connect IE Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe [2011-3-22 497480]
R3 cbfs3;EldoS Callback File System driver v3;C:\Windows\System32\drivers\cbfs3.sys [2012-11-4 352144]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-7-29 56960]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-7-29 79104]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-2-7 317440]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-2-7 535656]
R3 WIMBLEMS;Corsair M60 Gaming Mouse;C:\Windows\System32\drivers\WIMBLEMS.sys [2012-4-12 25600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;E:\Program Files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [2013-8-5 25832]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2012-2-7 30528]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-12 111616]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [2013-9-6 288776]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-2-9 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-10 1255736]
=============== Created Last 30 ================
2013-12-19 18:24:44 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DA1E03BB-8E46-4DA2-A888-01DEDE2041A0}\mpengine.dll
2013-12-18 17:59:30 10315576 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-17 19:56:26 -------- d-----w- C:\Windows\pss
2013-12-11 18:44:50 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-12-11 18:44:50 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-12-11 18:44:49 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-12-11 18:44:49 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-12-11 18:40:59 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-12-11 18:40:59 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-12-11 18:40:56 230400 ----a-w- C:\Windows\System32\drivers\portcls.sys
2013-12-11 18:40:56 116736 ----a-w- C:\Windows\System32\drivers\drmk.sys
2013-12-11 18:40:55 202752 ----a-w- C:\Windows\System32\scrrun.dll
2013-12-11 18:40:55 168960 ----a-w- C:\Windows\System32\wscript.exe
2013-12-11 18:40:55 163840 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-12-11 18:40:55 156160 ----a-w- C:\Windows\System32\cscript.exe
2013-12-11 18:40:55 150016 ----a-w- C:\Windows\System32\wshom.ocx
2013-12-11 18:40:55 141824 ----a-w- C:\Windows\SysWow64\wscript.exe
2013-12-11 18:40:55 121856 ----a-w- C:\Windows\SysWow64\wshom.ocx
2013-12-11 18:40:54 126976 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-12-11 18:39:06 335360 ----a-w- C:\Windows\System32\msieftp.dll
2013-12-11 18:39:06 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-12-11 18:39:06 301568 ----a-w- C:\Windows\SysWow64\msieftp.dll
2013-12-07 08:06:57 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A42F377A-D45E-4652-947B-6FD58A0FBC58}\gapaengine.dll
2013-11-28 19:58:25 -------- d-----w- C:\Windows\rescache
2013-11-28 18:35:20 -------- d-----w- C:\Users\elijah\AppData\Local\Bundled software uninstaller
2013-11-24 12:31:42 -------- d-----w- C:\Program Files\CCleaner
2013-11-24 12:24:32 -------- d-----w- C:\Users\elijah\AppData\Roaming\Malwarebytes
2013-11-24 12:24:23 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-11-24 12:24:23 -------- d-----w- C:\ProgramData\Malwarebytes
2013-11-19 20:08:24 -------- d-----w- C:\Program Files (x86)\Image-Line
==================== Find3M  ====================
2013-12-10 22:18:05 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-10 22:18:05 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-26 10:19:07 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2013-11-26 10:18:23 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07 66048 ----a-w- C:\Windows\System32\iesetup.dll
2013-11-26 09:46:25 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2013-11-26 09:23:02 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-11-26 09:18:39 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-26 09:18:09 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2013-11-26 09:16:57 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2013-11-26 08:35:02 5769216 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-26 08:28:16 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12 4243968 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-26 08:02:16 1995264 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-26 07:32:06 1928192 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57 2334208 ----a-w- C:\Windows\System32\wininet.dll
2013-11-26 06:33:33 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-08 07:50:37 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-10-04 01:58:50 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-09-28 01:09:10 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-27 09:53:06 248240 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-09-27 09:53:06 134944 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll
2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll
2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2013-09-25 01:58:17 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe
============= FINISH: 19:22:15.69 ===============
Link to post
Share on other sites

Step 1

Please uninstall the following applications:




Search Protection

Yontoo 1.10.02

Step 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 3

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.
Step 4
  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • AdwCleaner log
  • Malwarebytes' Anti-Malware log
Link to post
Share on other sites

Junkware Removal Tool (JRT) by Thisisu

Version: 6.0.8 (11.05.2013:1)

OS: Windows 7 Home Premium x64

Ran by elijah on 20/12/2013 at 12:23:51.85






~~~ Services




~~~ Registry Values




~~~ Registry Keys




~~~ Files




~~~ Folders


Failed to delete: [Folder] "C:\Program Files (x86)\splashtop"




~~~ FireFox


Successfully deleted: [File] C:\user.js

Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml"

Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml"

Successfully deleted: [File] C:\Users\elijah\AppData\Roaming\mozilla\firefox\profiles\mqzevvme.default\user.js

Successfully deleted: [Folder] C:\Users\elijah\AppData\Roaming\mozilla\firefox\profiles\mqzevvme.default\extensions\plugin@yontoo.com

Successfully deleted: [Folder] C:\Users\elijah\AppData\Roaming\mozilla\firefox\profiles\mqzevvme.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}

Successfully deleted the following from C:\Users\elijah\AppData\Roaming\mozilla\firefox\profiles\mqzevvme.default\prefs.js


user_pref("CT1060933.FirstTime", "true");

user_pref("CT1060933.FirstTimeFF3", "true");

user_pref("CT1060933.UserID", "UN85965468586753555");

user_pref("CT1060933.autoDisableScopes", -1);

user_pref("CT1060933.defaultSearch", "true");

user_pref("CT1060933.enableAlerts", "false");

user_pref("CT1060933.enableSearchFromAddressBar", "true");

user_pref("CT1060933.fixPageNotFoundError", "true");

user_pref("CT1060933.installId", "ConduitNSISIntegration");

user_pref("CT1060933.installType", "ConduitNSISIntegration");

user_pref("CT1060933.isPerformedSmartBarTransition", "true");

user_pref("CT1060933.openThankYouPage", "false");

user_pref("CT1060933.openUninstallPage", "true");

user_pref("CT1060933.settingsINI", true);

user_pref("CT1060933.shouldFirstTimeDialog", "false");

user_pref("CT1060933.smartbar.CTID", "CT1060933");

user_pref("CT1060933.smartbar.Uninstall", "0");

user_pref("CT1060933.smartbar.toolbarName", "Freecorder ");

user_pref("CT1060933.startPage", "true");

user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");

user_pref("browser.search.order.1", "Search the web (Babylon)");

user_pref("extensions.BabylonToolbar_i.aflt", "babsst");

user_pref("extensions.BabylonToolbar_i.babExt", "");

user_pref("extensions.BabylonToolbar_i.babTrack", "affID=113480&tt=050412_30b");

user_pref("extensions.BabylonToolbar_i.hardId", "7e81655f00000000000050e5494ff411");

user_pref("extensions.BabylonToolbar_i.id", "7e81655f00000000000050e5494ff411");

user_pref("extensions.BabylonToolbar_i.instlDay", "15502");

user_pref("extensions.BabylonToolbar_i.instlRef", "sst");

user_pref("extensions.BabylonToolbar_i.newTab", true);

user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");

user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");

user_pref("extensions.BabylonToolbar_i.smplGrp", "none");

user_pref("extensions.BabylonToolbar_i.srcExt", "ss");

user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");

user_pref("extensions.BabylonToolbar_i.vrsn", "");

user_pref("extensions.BabylonToolbar_i.vrsnTs", "");

user_pref("extensions.BabylonToolbar_i.vrsni", "");




~~~ Chrome


Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc




~~~ Event Viewer Logs were cleared







Scan was completed on 20/12/2013 at 14:07:50.75

End of JRT log


# AdwCleaner v3.015 - Report created 20/12/2013 at 14:34:28

# Updated 10/12/2013 by Xplode

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : elijah - ELIJAH-PC

# Running from : C:\Users\elijah\Desktop\AdwCleaner.exe

# Option : Clean


***** [ Services ] *****


Service Deleted : SCBackService


***** [ Files / Folders ] *****


Folder Deleted : C:\ProgramData\NCH Software

Folder Deleted : C:\Program Files (x86)\Bench

Folder Deleted : C:\Program Files (x86)\NCH Software

Folder Deleted : C:\Program Files (x86)\Splashtop

Folder Deleted : C:\Users\elijah\AppData\Local\Bundled software uninstaller

Folder Deleted : C:\Users\elijah\AppData\Roaming\NCH Software

File Deleted : C:\Windows\System32\roboot64.exe

File Deleted : C:\Windows\System32\Tasks\NCH Software


***** [ Shortcuts ] *****



***** [ Registry ] *****


Key Deleted : HKLM\SOFTWARE\Classes\AddressBarSearch.SearchHook

Key Deleted : HKLM\SOFTWARE\Classes\AddressBarSearch.SearchHook.1

Key Deleted : HKLM\SOFTWARE\Classes\STC.FBServiceAPPEventsSink

Key Deleted : HKLM\SOFTWARE\Classes\STC.FBServiceAPPEventsSink.1

Key Deleted : HKLM\SOFTWARE\Classes\STC.OptionMenu

Key Deleted : HKLM\SOFTWARE\Classes\STC.OptionMenu.1

Key Deleted : HKLM\SOFTWARE\Classes\STC.Protocol

Key Deleted : HKLM\SOFTWARE\Classes\STC.Protocol.1

Key Deleted : HKLM\SOFTWARE\Classes\STC.VisualBookmark

Key Deleted : HKLM\SOFTWARE\Classes\STC.VisualBookmark.1

Key Deleted : HKLM\SOFTWARE\Classes\STC.WebObject

Key Deleted : HKLM\SOFTWARE\Classes\STC.WebObject.1

Key Deleted : HKLM\SOFTWARE\Classes\STCHelper.BHOHelper

Key Deleted : HKLM\SOFTWARE\Classes\STCHelper.BHOHelper.1

Key Deleted : HKLM\SOFTWARE\Classes\STCHelper.FBServiceAPP

Key Deleted : HKLM\SOFTWARE\Classes\STCHelper.FBServiceAPP.1

Key Deleted : HKLM\SOFTWARE\Classes\STCHelper.Protocol

Key Deleted : HKLM\SOFTWARE\Classes\STCHelper.Protocol.1

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{82A5CE4D-AF0C-45B6-8AF8-75625BE6A08D}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B2B7E0CD-E169-43B3-A233-E129610EE314}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0DEC13F0-5C8C-4147-8329-6CDFAD9755B7}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0F3DC9E0-C459-4A40-BCF8-747BD9322E10}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E97F0FA-3B44-4634-A87E-8B0D5CFD6365}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{951F5841-FD1E-4F1D-8607-67B174DBD753}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D1CCB0CC-DA45-4797-93D3-DEE7A13F8177}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DCE24E28-D8EF-49BE-BC01-A1DD3B58FCE3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E4F7F1A5-490E-4884-A9E3-CBD6A25749E1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFE66D00-A56A-4F7F-81D7-4A28C5816D6C}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E8E0178-00EF-413D-9324-E7B3E31572E3}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A1A533A8-E106-422B-AE29-D0025269AF83}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B1759D04-0EF9-472A-B5C3-C774997B5321}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFE66D00-A56A-4F7F-81D7-4A28C5816D6C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80ED3EBC-CC05-4336-ABCC-295798855718}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{0F3DC9E0-C459-4A40-BCF8-747BD9322E10}]

Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6EB4A4C0-6036-4D2E-B010-20707C4B62E8}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EB4A4C0-6036-4D2E-B010-20707C4B62E8}

Key Deleted : HKCU\Software\Ask&Record

Key Deleted : HKCU\Software\NCH Software

Key Deleted : HKCU\Software\Splashtop Inc.

Key Deleted : HKCU\Software\WEDLMNGR

Key Deleted : HKCU\Software\AppDataLow\Software\Show-Password

Key Deleted : HKLM\Software\NCH Software

Key Deleted : HKLM\Software\SimplyGen

Key Deleted : HKLM\Software\Splashtop Inc.

Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}


***** [ Browsers ] *****


-\\ Internet Explorer v11.0.9600.16428



-\\ Mozilla Firefox v12.0 (en-US)


[ File : C:\Users\elijah\AppData\Roaming\Mozilla\Firefox\Profiles\mqzevvme.default\prefs.js ]


Line Deleted : user_pref("extentions.y2layers.defaultEnableAppsList", "ezLooker,pagerage,buzzdock,toprelatedtopics,twittube");

Line Deleted : user_pref("extentions.y2layers.installId", "77202495-989f-4bd9-82eb-cc2aeececa52");


-\\ Google Chrome v31.0.1650.63


[ File : C:\Users\elijah\AppData\Local\Google\Chrome\User Data\Default\preferences ]





AdwCleaner[R0].txt - [7053 octets] - [20/12/2013 14:33:22]

AdwCleaner[s0].txt - [6884 octets] - [20/12/2013 14:34:28]


########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [6944 octets] ##########

Malwarebytes Anti-Malware



Database version: v2013.12.17.08


Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 11.0.9600.16476

elijah :: ELIJAH-PC [administrator]


20/12/2013 14:36:06

mbam-log-2013-12-20 (14-36-06).txt


Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 221491

Time elapsed: 2 minute(s), 21 second(s)


Memory Processes Detected: 0

(No malicious items detected)


Memory Modules Detected: 0

(No malicious items detected)


Registry Keys Detected: 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.


Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost (Backdoor.Bot) -> Data: \Windows\Explorer.exe -> Delete on reboot.


Registry Data Items Detected: 0

(No malicious items detected)


Folders Detected: 1

C:\ProgramData\svchost0 (Trojan.Agent.Gen) -> Delete on reboot.


Files Detected: 0

(No malicious items detected)




Link to post
Share on other sites

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

Link to post
Share on other sites
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.