Jump to content

Malicious Website Blocked


Alex1978

Recommended Posts

I am getting repeated messages (very frequent) that Malwarebytes has blocked a Malicious Website for the following websites:

 

4682b4.com

xmlclick-t.com

 

I have tried repeated scans and no threats are showing up.

 

I am also having issues with something blocking program downloads and updates.

 

I have attached a scan log from Malwarebytes.

 

Any help would be greatly apprieciated.

MBScan 09-13-14.txt

Link to post
Share on other sites

Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Last................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Link to post
Share on other sites

Malwarebytes Scan

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/17/2014
Scan Time: 8:47:07 PM
Logfile: MBScan 091714.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.17.10
Rootkit Database: v2014.09.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321384
Time Elapsed: 1 hr, 8 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Link to post
Share on other sites

Farbar Recovery Scan Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-09-2014 Ran by Owner (administrator) on OWNER-PC on 17-09-2014 22:36:37 Running from C:\Users\Owner\Desktop\Fix Tools Platform: Windows Vista Home Premium Service Pack 2 (X64) OS Language: English (United States) Internet Explorer Version 8 Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\stacsv64.exe (Microsoft Corporation) C:\Windows\System32\SLsvc.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (Hewlett-Packard Company) C:\Windows\System32\hpservice.exe (Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe (Check Point Software Technologies LTD) C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe (Sony Corporation) C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe () C:\Windows\SysWOW64\PSIService.exe (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe () C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe () C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe () C:\Windows\SMINST\BLService.exe (Viewpoint Corporation) C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe (Check Point Software Technologies, Ltd.) C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe ( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe (Microsoft Corporation) C:\Windows\WindowsMobile\wmdSync.exe (IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe (Corel, Inc.) C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (CyberLink Corp.) C:\Program Files (x86)\HP\QuickPlay\QPService.exe ( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Sony Corporation) C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe () C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe (Check Point Software Technologies LTD) C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Abine Inc.) C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPService.exe (Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated) HKLM\...\Run: [OnScreenDisplay] => C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [685568 2008-01-24] ( Hewlett-Packard Development Company, L.P.) HKLM\...\Run: [Windows Mobile-based device management] => C:\Windows\WindowsMobile\wmdSync.exe [225792 2008-01-20] (Microsoft Corporation) HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup HKLM\...\Run: [sysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.) HKLM\...\Run: [Corel Photo Downloader] => C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe [531784 2007-10-30] (Corel, Inc.) HKLM-x32\...\Run: [QPService] => C:\Program Files (x86)\HP\QuickPlay\QPService.exe [468264 2008-06-26] (CyberLink Corp.) HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-03-14] ( Hewlett-Packard Development Company, L.P.) HKLM-x32\...\Run: [Corel Photo Downloader] => "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [AT&T Communication Manager] => C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe [33280 2008-12-01] (ATT) HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard) HKLM-x32\...\Run: [HP Health Check Scheduler] => c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard) HKLM-x32\...\Run: [PMBVolumeWatcher] => C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [597792 2009-11-04] (Sony Corporation) HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.) HKLM-x32\...\Run: [Corel File Shell Monitor] => C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe [16200 2007-10-30] () HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5188112 2014-08-25] (AVG Technologies CZ, s.r.o.) HKLM-x32\...\Run: [ZoneAlarm] => C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [74160 2014-01-29] (Check Point Software Technologies LTD) HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.) HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-15] (Apple Inc.) HKLM\...\Winlogon: [userinit] userinit.exe,C:\ProgramData\ahrpDn37\ahrpDn37.exe -sm, HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter HKU\S-1-5-21-107157824-2076508555-3078036908-1000\...\Run: [DW7] => "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe" HKU\S-1-5-21-107157824-2076508555-3078036908-1000\...\Run: [WMPNSCFG] => C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe HKU\S-1-5-21-107157824-2076508555-3078036908-1000\...\Run: [AVG-Secure-Search-Update_0214c] => C:\Users\Owner\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=e36e0d8092d347d284a2d157aa490ac4-b0914dc39c86c69320f180822bf46d57a5bfc979 /CMPID=0214c HKU\S-1-5-21-107157824-2076508555-3078036908-1000\...\MountPoints2: {c1edbb43-c9ac-11e2-9c98-001eecade337} - H:\LaunchU3.exe -a HKU\S-1-5-21-107157824-2076508555-3078036908-1000\...\MountPoints2: {ec22c8d6-eea4-11e3-a094-001eecade337} - G:\LaunchU3.exe -a HKU\S-1-5-21-107157824-2076508555-3078036908-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.yahoo.com/ http://www.yahoo.com/?ilc=1 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKLM - DefaultScope {80F9CE9F-1811-48D0-AB07-45BF1DBB1FF0} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvnb SearchScopes: HKLM - {80F9CE9F-1811-48D0-AB07-45BF1DBB1FF0} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvnb SearchScopes: HKLM - {8548F34C-3305-470E-A035-6629D40BCD02} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl SearchScopes: HKLM-x32 - DefaultScope {80F9CE9F-1811-48D0-AB07-45BF1DBB1FF0} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvnb SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} SearchScopes: HKLM-x32 - {80F9CE9F-1811-48D0-AB07-45BF1DBB1FF0} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvnb SearchScopes: HKLM-x32 - {8548F34C-3305-470E-A035-6629D40BCD02} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl SearchScopes: HKLM-x32 - {8fe8d013-c3fd-4802-af48-79274e9f969e} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^YO^xdm135^YYA^us&si=314029&ptb=CB3BB960-D6A8-46D1-956C-CED1F603A322&psa=&ind=2013112416&st=sb&n=77fda860&searchfor={searchTerms} SearchScopes: HKCU - DefaultScope {FCBE1E0F-F0D2-473D-90DF-FB82A4F85835} URL = http://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=en&q={searchTerms}&gu=5c28395db02f4bf28ecf0732f5972290&tu=10G9y00Ce2C01x0&sku=&tstsId=&ver=&&r=340 SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC SearchScopes: HKCU - {80F9CE9F-1811-48D0-AB07-45BF1DBB1FF0} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvnb SearchScopes: HKCU - {8548F34C-3305-470E-A035-6629D40BCD02} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl SearchScopes: HKCU - {8fe8d013-c3fd-4802-af48-79274e9f969e} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^YO^xdm135^YYA^us&si=314029&ptb=CB3BB960-D6A8-46D1-956C-CED1F603A322&psa=&ind=2013112416&st=sb&n=77fda860&searchfor={searchTerms} SearchScopes: HKCU - {FCBE1E0F-F0D2-473D-90DF-FB82A4F85835} URL = http://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=en&q={searchTerms}&gu=5c28395db02f4bf28ecf0732f5972290&tu=10G9y00Ce2C01x0&sku=&tstsId=&ver=&&r=340 BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.) BHO-x32: Zonealarm Helper Object -> {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} -> C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.28.13\bh\zonealarm.dll (Check Point Software Technologies LTD) BHO-x32: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.) BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation) BHO-x32: Arcadesafari BHO -> {adff4c9a-4f49-4a1f-8885-360e107b7938} -> C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation) BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.) Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) Toolbar: HKLM-x32 - ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.28.13\zonealarmTlbr.dll (Check Point Software Technologies LTD) Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File Winsock: Catalog9 01 bmnet.dll File Not found () Winsock: Catalog9 02 bmnet.dll File Not found () Winsock: Catalog9 03 bmnet.dll File Not found () Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 FireFox: ======== FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll () FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-06-19] FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-06-19] FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 FF HKCU\...\Firefox\Extensions: [module@com.arcadesafari.firefox] - C:\Users\Owner\AppData\Local\Arcadesafari\module@com.arcadesafari.firefox FF Extension: Arcadesafari - C:\Users\Owner\AppData\Local\Arcadesafari\module@com.arcadesafari.firefox [2013-02-01] Chrome: ======= CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default CHR Extension: (No Name) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmeemomfelpigklppifflheakfpkfjjg [2013-02-01] ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) S3 ATTRcAppSvc; C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe [113152 2008-11-20] (SmithMicro Inc.) R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3242000 2014-08-25] (AVG Technologies CZ, s.r.o.) R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-08-25] (AVG Technologies CZ, s.r.o.) S3 CAATT; C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [125440 2008-11-20] (SmithMicro Inc.) R2 HP Health Check Service; c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-16] (Hewlett-Packard) [File not signed] S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed] R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation) R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation) R2 ProtexisLicensing; C:\Windows\SysWOW64\PSIService.exe [177704 2007-06-05] () R2 QPCapSvc; C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [292216 2008-06-26] () R2 QPSched; C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe [116080 2008-06-26] () R2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-26] () S3 RichVideo; C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] () R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\STacSV64.exe [240128 2009-07-21] (IDT, Inc.) R2 Viewpoint Manager Service; C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [24652 2007-01-04] (Viewpoint Corporation) [File not signed] R2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [2445816 2014-01-29] (Check Point Software Technologies LTD) R2 ZAPrivacyService; C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [50704 2013-10-15] (Check Point Software Technologies, Ltd.) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R3 AVerBDA6x_x64; C:\Windows\System32\DRIVERS\AVerBDA716x_x64.sys [1217792 2008-06-23] (AVerMedia TECHNOLOGIES, Inc.) R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [152344 2014-06-30] (AVG Technologies CZ, s.r.o.) R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [244504 2014-07-21] (AVG Technologies CZ, s.r.o.) R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-17] (AVG Technologies CZ, s.r.o.) R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [235800 2014-06-17] (AVG Technologies CZ, s.r.o.) R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [328984 2014-06-17] (AVG Technologies CZ, s.r.o.) R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-08-06] (AVG Technologies CZ, s.r.o.) R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-17] (AVG Technologies CZ, s.r.o.) R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [269080 2014-06-17] (AVG Technologies CZ, s.r.o.) R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation) R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-09-17] (Malwarebytes Corporation) R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2014-05-12] (Malwarebytes Corporation) S3 NVENETFD; C:\Windows\System32\DRIVERS\nvm60x64.sys [742696 2006-10-09] (NVIDIA Corporation) S3 PCTINDIS5X64; C:\Windows\system32\PCTINDIS5X64.SYS [43032 2008-11-20] (Smith Micro Inc.) S3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [114856 2007-07-03] (MCCI Corporation) R3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [30088 2008-08-22] () S1 tcpipBM; C:\Windows\SysWow64\Drivers\tcpipBM.sys [18816 2008-11-20] (Bytemobile, Inc.) [File not signed] S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [51712 2011-05-10] (Apple, Inc.) [File not signed] R1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [444952 2013-06-13] (Check Point Software Technologies LTD) R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263}; C:\Program Files (x86)\HP\QuickPlay\000.fcl [27632 2008-06-26] (Cyberlink Corp.) U1 eabfiltr; No ImagePath S3 IpInIp; system32\DRIVERS\ipinip.sys [X] S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X] S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X] S3 PCASp50a64; System32\Drivers\PCASp50a64.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2014-09-17 22:35 - 2014-09-17 22:36 - 00000000 ____D () C:\FRST 2014-09-17 22:06 - 2014-09-17 22:06 - 00001073 _____ () C:\Users\Owner\Desktop\MBScan 091714.txt 2014-09-17 17:36 - 2014-09-17 17:37 - 05429848 _____ () C:\Users\Owner\Desktop\RogueKillerX64.exe 2014-09-17 17:31 - 2014-09-17 22:36 - 00000000 ____D () C:\Users\Owner\Desktop\Fix Tools 2014-09-13 17:20 - 2014-09-13 17:20 - 00001264 _____ () C:\Users\Owner\Desktop\MBScan 09-13-14.txt 2014-09-13 14:50 - 2014-09-13 14:50 - 00003086 _____ () C:\Windows\System32\Tasks\{493B5A4D-8372-483F-97E6-1A6C7CC8B7FF} 2014-09-13 13:14 - 2014-09-13 13:14 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys 2014-09-06 16:11 - 2014-09-06 16:11 - 00000000 ____D () C:\ProgramData\Avg_Update_0814av 2014-09-06 15:27 - 2014-09-17 22:25 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-09-06 15:26 - 2014-09-06 15:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2014-09-06 15:26 - 2014-09-06 15:26 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware 2014-09-06 15:26 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-09-06 15:26 - 2014-05-12 07:26 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2014-09-17 22:36 - 2014-09-17 22:35 - 00000000 ____D () C:\FRST 2014-09-17 22:36 - 2014-09-17 17:31 - 00000000 ____D () C:\Users\Owner\Desktop\Fix Tools 2014-09-17 22:35 - 2006-11-02 11:22 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 2014-09-17 22:35 - 2006-11-02 11:22 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 2014-09-17 22:25 - 2014-09-06 15:27 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-09-17 22:25 - 2011-09-11 23:34 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-09-17 22:12 - 2013-02-02 15:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-09-17 22:06 - 2014-09-17 22:06 - 00001073 _____ () C:\Users\Owner\Desktop\MBScan 091714.txt 2014-09-17 20:42 - 2008-07-28 11:55 - 00003578 _____ () C:\Windows\System32\Tasks\HP Health Check 2014-09-17 20:41 - 2013-08-24 05:03 - 00000464 _____ () C:\Windows\Tasks\Arcadesafari.job 2014-09-17 20:41 - 2008-09-16 19:49 - 02021525 _____ () C:\Windows\WindowsUpdate.log 2014-09-17 20:40 - 2006-11-02 09:33 - 00000000 ____D () C:\Windows\Registration 2014-09-17 20:39 - 2008-11-29 00:26 - 00031871 _____ () C:\ProgramData\nvModes.001 2014-09-17 20:39 - 2008-11-29 00:24 - 00031871 _____ () C:\ProgramData\nvModes.dat 2014-09-17 20:38 - 2008-09-16 20:35 - 00000253 _____ () C:\ProgramData\hpqp.ini 2014-09-17 20:35 - 2011-09-11 23:34 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-09-17 20:35 - 2006-11-02 11:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-09-17 18:40 - 2014-02-23 17:23 - 00000000 ____D () C:\ProgramData\MFAData 2014-09-17 17:37 - 2014-09-17 17:36 - 05429848 _____ () C:\Users\Owner\Desktop\RogueKillerX64.exe 2014-09-17 17:10 - 2008-07-28 11:02 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office 2014-09-17 17:00 - 2014-02-23 18:38 - 00000000 ____D () C:\Users\Owner\AppData\Local\DoNotTrackPlus 2014-09-14 10:04 - 2008-07-28 09:44 - 00000012 _____ () C:\Windows\bthservsdp.dat 2014-09-14 10:04 - 2006-11-02 11:42 - 00032590 _____ () C:\Windows\Tasks\SCHEDLGU.TXT 2014-09-13 17:20 - 2014-09-13 17:20 - 00001264 _____ () C:\Users\Owner\Desktop\MBScan 09-13-14.txt 2014-09-13 15:31 - 2013-02-02 15:58 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-09-13 15:31 - 2013-02-02 15:58 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-09-13 15:31 - 2013-02-02 15:58 - 00003682 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-09-13 15:07 - 2008-01-20 23:26 - 00465454 _____ () C:\Windows\PFRO.log 2014-09-13 14:50 - 2014-09-13 14:50 - 00003086 _____ () C:\Windows\System32\Tasks\{493B5A4D-8372-483F-97E6-1A6C7CC8B7FF} 2014-09-13 14:47 - 2008-07-28 11:30 - 00000000 ____D () C:\ProgramData\Adobe 2014-09-13 14:45 - 2009-01-24 12:05 - 00000000 ____D () C:\Users\Owner\AppData\Local\Adobe 2014-09-13 13:57 - 2014-02-23 17:57 - 00000872 _____ () C:\Users\Public\Desktop\AVG 2014.lnk 2014-09-13 13:57 - 2014-02-23 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2014-09-13 13:35 - 2006-11-02 11:27 - 00101858 _____ () C:\Windows\setupact.log 2014-09-13 13:26 - 2010-06-19 16:18 - 00000000 ____D () C:\ProgramData\Norton 2014-09-13 13:14 - 2014-09-13 13:14 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys 2014-09-06 16:11 - 2014-09-06 16:11 - 00000000 ____D () C:\ProgramData\Avg_Update_0814av 2014-09-06 15:53 - 2014-02-23 16:39 - 00000000 ____D () C:\Program Files (x86)\Bench 2014-09-06 15:53 - 2006-11-02 09:33 - 00000000 ____D () C:\Windows\MSAgent64 2014-09-06 15:26 - 2014-09-06 15:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2014-09-06 15:26 - 2014-09-06 15:26 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware 2014-09-06 15:26 - 2014-02-23 16:24 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Malwarebytes 2014-09-06 15:26 - 2014-02-23 16:23 - 00000957 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2014-09-06 15:26 - 2014-02-23 16:23 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-09-06 15:26 - 2014-02-23 16:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-09-06 15:14 - 2010-07-18 17:26 - 00000680 _____ () C:\Users\Owner\AppData\Local\d3d9caps.dat 2014-08-24 10:31 - 2006-11-02 08:46 - 00703516 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-08-23 12:32 - 2009-01-25 16:06 - 00000000 ____D () C:\Users\Owner\Documents\Financials 2014-08-20 18:42 - 2008-11-30 19:37 - 00000021 _____ () C:\ProgramData\hpqp.txt Files to move or delete: ==================== C:\ProgramData\DVD.exe C:\ProgramData\Games.exe C:\ProgramData\Karaoke.exe C:\ProgramData\MobileTV.exe C:\ProgramData\MPV.exe Some content of TEMP: ==================== C:\Users\Owner\AppData\Local\Temp\as_twc.exe C:\Users\Owner\AppData\Local\Temp\dealornodealpc-510006182-setup.s510006182.c110268333.len.u.dl.exe C:\Users\Owner\AppData\Local\Temp\DelayInst.exe C:\Users\Owner\AppData\Local\Temp\hdt4aklp.dll C:\Users\Owner\AppData\Local\Temp\installservice.exe C:\Users\Owner\AppData\Local\Temp\instmsi.exe C:\Users\Owner\AppData\Local\Temp\instmsiw.exe C:\Users\Owner\AppData\Local\Temp\MSNF03A.exe C:\Users\Owner\AppData\Local\Temp\ose00000.exe C:\Users\Owner\AppData\Local\Temp\SetupA2.exe C:\Users\Owner\AppData\Local\Temp\SetupAC.exe C:\Users\Owner\AppData\Local\Temp\The_Weather_Channel_Application.exe C:\Users\Owner\AppData\Local\Temp\vpnclient_setup.exe C:\Users\Owner\AppData\Local\Temp\zh3cogvx.dll ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-09-17 20:43 ==================== End Of Log ============================

Addition.txt

Link to post
Share on other sites

RogueKiller V9.2.10.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/17/2014  23:56:12

¤¤¤ Bad processes : 1 ¤¤¤
[Tr.Poweliks] dllhost.exe -- [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-107157824-2076508555-3078036908-1000\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_0214c : C:\Users\Owner\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=e36e0d8092d347d284a2d157aa490ac4-b0914dc39c86c69320f180822bf46d57a5bfc979 /CMPID=0214c  -> FOUND
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-107157824-2076508555-3078036908-1000\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_0214c : C:\Users\Owner\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=e36e0d8092d347d284a2d157aa490ac4-b0914dc39c86c69320f180822bf46d57a5bfc979 /CMPID=0214c  -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit : userinit.exe,C:\ProgramData\ahrpDn37\ahrpDn37.exe -sm,  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-107157824-2076508555-3078036908-1000\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[suspicious.Path] Arcadesafari.job -- C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe -> FOUND
[suspicious.Path] \\Arcadesafari -- C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 60 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP0T0L0-0 : \Driver\hpdskflt @ Unknown (\SystemRoot\system32\drivers\sbp2port.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\disk @ \Device\Harddisk0\DR0 (\SystemRoot\system32\drivers\NETIO.SYS)
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptAddContextFunction : C:\Windows\system32\bcrypt.dll @ 0x7fefb71594c
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptAddContextFunctionProvider : C:\Windows\system32\bcrypt.dll @ 0x7fefb716340
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptCloseAlgorithmProvider : C:\Windows\system32\bcrypt.dll @ 0x7fefb7024fc
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptConfigureContext : C:\Windows\system32\bcrypt.dll @ 0x7fefb7155b8
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptConfigureContextFunction : C:\Windows\system32\bcrypt.dll @ 0x7fefb715f14
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptCreateContext : C:\Windows\system32\bcrypt.dll @ 0x7fefb715128
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptCreateHash : C:\Windows\system32\bcrypt.dll @ 0x7fefb7044bc
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDecrypt : C:\Windows\system32\bcrypt.dll @ 0x7fefb703484
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDeleteContext : C:\Windows\system32\bcrypt.dll @ 0x7fefb7152c8
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDeriveKey : C:\Windows\system32\bcrypt.dll @ 0x7fefb704124
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDestroyHash : C:\Windows\system32\bcrypt.dll @ 0x7fefb704904
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDestroyKey : C:\Windows\system32\bcrypt.dll @ 0x7fefb704338
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDestroySecret : C:\Windows\system32\bcrypt.dll @ 0x7fefb704420
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDuplicateHash : C:\Windows\system32\bcrypt.dll @ 0x7fefb704998
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptDuplicateKey : C:\Windows\system32\bcrypt.dll @ 0x7fefb704270
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEncrypt : C:\Windows\system32\bcrypt.dll @ 0x7fefb703168
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEnumAlgorithms : C:\Windows\system32\bcrypt.dll @ 0x7fefb702564
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEnumContextFunctionProviders : C:\Windows\system32\bcrypt.dll @ 0x7fefb716718
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEnumContextFunctions : C:\Windows\system32\bcrypt.dll @ 0x7fefb715cdc
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEnumContexts : C:\Windows\system32\bcrypt.dll @ 0x7fefb715454
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEnumProviders : C:\Windows\system32\bcrypt.dll @ 0x7fefb702970
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptEnumRegisteredProviders : C:\Windows\system32\bcrypt.dll @ 0x7fefb715050
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptExportKey : C:\Windows\system32\bcrypt.dll @ 0x7fefb703770
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptFinalizeKeyPair : C:\Windows\system32\bcrypt.dll @ 0x7fefb7030f8
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptFinishHash : C:\Windows\system32\bcrypt.dll @ 0x7fefb704860
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptFreeBuffer : C:\Windows\system32\bcrypt.dll @ 0x7fefb702c44
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptGenRandom : C:\Windows\system32\bcrypt.dll @ 0x7fefb705034
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptGenerateKeyPair : C:\Windows\system32\bcrypt.dll @ 0x7fefb702fe0
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptGenerateSymmetricKey : C:\Windows\system32\bcrypt.dll @ 0x7fefb702eec
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptGetFipsAlgorithmMode : C:\Windows\system32\bcrypt.dll @ 0x7fefb717250
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptGetProperty : C:\Windows\system32\bcrypt.dll @ 0x7fefb702c70
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptHashData : C:\Windows\system32\bcrypt.dll @ 0x7fefb70481c
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptImportKey : C:\Windows\system32\bcrypt.dll @ 0x7fefb7039bc
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptImportKeyPair : C:\Windows\system32\bcrypt.dll @ 0x7fefb703adc
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptOpenAlgorithmProvider : C:\Windows\system32\bcrypt.dll @ 0x7fefb7020f0
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptQueryContextConfiguration : C:\Windows\system32\bcrypt.dll @ 0x7fefb71574c
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptQueryContextFunctionConfiguration : C:\Windows\system32\bcrypt.dll @ 0x7fefb7160e0
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptQueryContextFunctionProperty : C:\Windows\system32\bcrypt.dll @ 0x7fefb716bb0
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptQueryProviderRegistration : C:\Windows\system32\bcrypt.dll @ 0x7fefb714e00
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptRegisterConfigChangeNotify : C:\Windows\system32\bcrypt.dll @ 0x7fefb716e38
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptRegisterProvider : C:\Windows\system32\bcrypt.dll @ 0x7fefb714a74
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptRemoveContextFunction : C:\Windows\system32\bcrypt.dll @ 0x7fefb715b20
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptRemoveContextFunctionProvider : C:\Windows\system32\bcrypt.dll @ 0x7fefb71653c
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptResolveProviders : C:\Windows\system32\bcrypt.dll @ 0x7fefb717030
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptSecretAgreement : C:\Windows\system32\bcrypt.dll @ 0x7fefb704000
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptSetAuditingInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb705510
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptSetContextFunctionProperty : C:\Windows\system32\bcrypt.dll @ 0x7fefb71699c
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptSetProperty : C:\Windows\system32\bcrypt.dll @ 0x7fefb702e2c
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptSignHash : C:\Windows\system32\bcrypt.dll @ 0x7fefb704af0
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptUnregisterConfigChangeNotify : C:\Windows\system32\bcrypt.dll @ 0x7fefb716f50
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptUnregisterProvider : C:\Windows\system32\bcrypt.dll @ 0x7fefb714cbc
[EAT:Addr] (explorer.exe) ncrypt.dll - BCryptVerifySignature : C:\Windows\system32\bcrypt.dll @ 0x7fefb704de4
[EAT:Addr] (explorer.exe) ncrypt.dll - GetAsymmetricEncryptionInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb705400
[EAT:Addr] (explorer.exe) ncrypt.dll - GetCipherInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb705364
[EAT:Addr] (explorer.exe) ncrypt.dll - GetHashInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb7053d0
[EAT:Addr] (explorer.exe) ncrypt.dll - GetRngInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb7055e8
[EAT:Addr] (explorer.exe) ncrypt.dll - GetSecretAgreementInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb705490
[EAT:Addr] (explorer.exe) ncrypt.dll - GetSignatureInterface : C:\Windows\system32\bcrypt.dll @ 0x7fefb705410

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3252GSX ATA Device +++++
--- User ---
[MBR] cd8fee3c51bb26b93228642157d62b91
[bSP] 5553fe61ce56c498d00cd35966f434c7 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 293553 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 601198592 | Size: 11688 MB
User = LL1 ... OK
User = LL2 ... OK

Link to post
Share on other sites

Make sure you have created a restore point and.....

bwebb7v.jpgDownload Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ===========================

    Please download AdwCleaner from HERE or HERE to your desktop.

    • Double click on AdwCleaner.exe to run the tool.

      Vista/Windows 7/8 users right-click and select Run As Administrator

    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
    • To restore an item that has been deleted:
    • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
    Next..................

    thisisujrt.gif Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next.........

    Please run a Threat Scan

    Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

    Same for PUM (Potentially Unwanted Modifications)

    Quarantine All that's found

    MrC

Link to post
Share on other sites

Hard restart seems to have been ok.  Here is the post restart AdwCleaner log.  The Juckware Removal Tool log will come in next post.

 

# AdwCleaner v3.310 - Report created 19/09/2014 at 19:48:22
# Updated 12/09/2014 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (64 bits)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : Viewpoint Manager Service

***** [ Files / Folders ] *****

[!] Folder Deleted : C:\ProgramData\Viewpoint
[!] Folder Deleted : C:\Program Files (x86)\Bench
[!] Folder Deleted : C:\Program Files (x86)\Viewpoint
[!] Folder Deleted : C:\Users\Owner\AppData\Local\iac
[!] Folder Deleted : C:\Users\Owner\AppData\Local\Temp\Wajam
[!] Folder Deleted : C:\Users\Owner\AppData\LocalLow\HPAppData
[!] Folder Deleted : C:\Users\Owner\AppData\LocalLow\iac
[!] Folder Deleted : C:\Users\Owner\AppData\Roaming\HPAppData
[!] Folder Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmeemomfelpigklppifflheakfpkfjjg
[!] Folder Deleted : C:\ProgramData\Viewpoint
[!] Folder Deleted : C:\Program Files (x86)\Bench
[!] Folder Deleted : C:\Program Files (x86)\Viewpoint
[!] Folder Deleted : C:\Users\Owner\AppData\Local\iac
[!] Folder Deleted : C:\Users\Owner\AppData\Local\Temp\Wajam
[!] Folder Deleted : C:\Users\Owner\AppData\LocalLow\HPAppData
[!] Folder Deleted : C:\Users\Owner\AppData\LocalLow\iac
[!] Folder Deleted : C:\Users\Owner\AppData\Roaming\HPAppData
[!] Folder Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmeemomfelpigklppifflheakfpkfjjg
File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{987D9269-F8A1-408F-BF62-4397D2F5363E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E0722BEB-FDA1-4AA1-A2A8-15A74A5B3F70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F1963E76-845B-474C-8C7F-D69A96D8AA34}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220222622278}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660266626678}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E00DE9B9-B128-4C39-B732-B5D85013FA48}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKLM\SOFTWARE\Bench
Key Deleted : HKLM\SOFTWARE\MetaStream
Key Deleted : HKLM\SOFTWARE\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.19489

-\\ Google Chrome v

*************************

AdwCleaner[R3].txt - [8807 octets] - [19/09/2014 06:17:54]
AdwCleaner[R4].txt - [9121 octets] - [19/09/2014 07:05:27]
AdwCleaner[s0].txt - [8669 octets] - [19/09/2014 19:48:22]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [8729 octets] ##########

Link to post
Share on other sites

Junkware Removal Tool Log.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.9 (09.20.2014:1)
OS: Windows Vista Home Premium x64
Ran by Owner on Sat 09/20/2014 at 22:40:38.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\dw7
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-107157824-2076508555-3078036908-1000\Software\wajam
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8fe8d013-c3fd-4802-af48-79274e9f969e}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{8fe8d013-c3fd-4802-af48-79274e9f969e}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{adff4c9a-4f49-4a1f-8885-360e107b7938}

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/20/2014 at 22:57:30.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Link to post
Share on other sites

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/20/2014
Scan Time: 11:02:01 PM
Logfile: MBScan 092014.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.20.03
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327003
Time Elapsed: 19 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Link to post
Share on other sites

OK...Next:

Make sure you have created that system restore point before you continue!

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

    tds2.jpg

  • Put a checkmark beside loaded modules.

    13040712472913819.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    tds2.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    tdsskiller_guide_5.gif

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    tdsskiller_guide_3.gif

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Then...........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

ComboFix Log.

 

 

ComboFix 14-09-18.01 - Owner 09/21/2014  20:19:16.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4092.2510 [GMT -4:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

Link to post
Share on other sites

Had to uninstall AVG.  Couldn't get it to quit interupting scan.  Here is rhe log.

 

ComboFix 14-09-18.01 - Owner 09/23/2014  19:50:19.3.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4092.1978 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Games.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-24 to 2014-09-24  )))))))))))))))))))))))))))))))
.
.
2014-09-24 00:02 . 2014-09-24 00:02 -------- d-----w- c:\users\Owner\AppData\Local\temp
2014-09-24 00:02 . 2014-09-24 00:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-23 21:59 . 2014-08-23 01:05 304128 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-09-23 21:59 . 2014-08-23 00:42 390144 ----a-w- c:\windows\system32\gdi32.dll
2014-09-23 21:59 . 2014-08-22 23:38 2782208 ----a-w- c:\windows\system32\win32k.sys
2014-09-23 21:38 . 2014-06-26 22:17 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
2014-09-23 21:38 . 2014-06-26 22:17 8856 ----a-w- c:\windows\SysWow64\icardres.dll
2014-09-23 21:38 . 2014-06-26 22:17 8848 ----a-w- c:\windows\system32\icardres.dll
2014-09-23 21:38 . 2014-06-26 22:17 171152 ----a-w- c:\windows\system32\infocardapi.dll
2014-09-23 21:38 . 2014-06-26 22:17 1389200 ----a-w- c:\windows\system32\icardagt.exe
2014-09-23 21:38 . 2014-06-26 22:17 619664 ----a-w- c:\windows\SysWow64\icardagt.exe
2014-09-23 21:38 . 2014-06-06 04:29 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-09-23 21:38 . 2014-06-06 04:28 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
2014-09-23 00:50 . 2014-09-23 00:50 -------- d-----w- c:\windows\Migration
2014-09-23 00:22 . 2014-09-23 00:28 -------- d-----w- c:\windows\system32\MRT
2014-09-23 00:21 . 2014-02-06 04:21 1212416 ----a-w- c:\windows\system32\kernel32.dll
2014-09-23 00:15 . 2014-06-02 21:30 1802752 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2014-09-23 00:15 . 2014-06-02 21:29 1487360 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2014-09-23 00:15 . 2014-06-02 21:29 1435136 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2014-09-23 00:15 . 2014-06-02 21:29 1463808 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2014-09-23 00:15 . 2014-06-02 10:30 937472 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-09-23 00:15 . 2014-06-06 07:13 620032 ----a-w- c:\windows\system32\qedit.dll
2014-09-23 00:15 . 2014-06-06 08:59 506880 ----a-w- c:\windows\SysWow64\qedit.dll
2014-09-23 00:14 . 2014-03-25 16:30 12900864 ----a-w- c:\windows\system32\shell32.dll
2014-09-23 00:14 . 2014-04-26 18:21 622592 ----a-w- c:\windows\system32\usp10.dll
2014-09-23 00:14 . 2014-04-26 16:01 502784 ----a-w- c:\windows\SysWow64\usp10.dll
2014-09-23 00:07 . 2014-06-02 21:30 3137536 ----a-w- c:\windows\system32\msi.dll
2014-09-23 00:07 . 2014-06-02 21:29 2280448 ----a-w- c:\windows\system32\authui.dll
2014-09-23 00:07 . 2014-06-02 10:31 2263552 ----a-w- c:\windows\SysWow64\msi.dll
2014-09-23 00:07 . 2014-06-02 21:30 503296 ----a-w- c:\windows\system32\msihnd.dll
2014-09-23 00:07 . 2014-06-02 21:29 45056 ----a-w- c:\windows\system32\appinfo.dll
2014-09-23 00:07 . 2014-06-02 20:29 87552 ----a-w- c:\windows\system32\consent.exe
2014-09-23 00:07 . 2014-06-02 10:31 332800 ----a-w- c:\windows\SysWow64\msihnd.dll
2014-09-23 00:07 . 2014-06-02 10:30 1993728 ----a-w- c:\windows\SysWow64\authui.dll
2014-09-21 21:44 . 2014-05-30 07:10 404992 ----a-w- c:\windows\system32\drivers\afd.sys
2014-09-21 04:27 . 2014-09-21 04:27 0 ---ha-w- c:\users\Owner\AppData\Local\BIT1EDF.tmp
2014-09-21 02:34 . 2014-09-21 02:34 -------- d-----w- c:\users\Owner\AppData\Roaming\HPAppData
2014-09-19 01:50 . 2014-09-19 23:50 -------- d-----w- C:\AdwCleaner
2014-09-19 01:10 . 2014-09-21 02:40 -------- d-----w- c:\windows\ERUNT
2014-09-18 03:36 . 2014-09-18 03:36 36456 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-18 03:36 . 2014-09-18 03:36 -------- d-----w- c:\programdata\RogueKiller
2014-09-18 02:35 . 2014-09-18 02:49 -------- d-----w- C:\FRST
2014-09-13 17:14 . 2014-09-13 17:14 122584 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-09-06 20:11 . 2014-09-06 20:11 -------- d-----w- c:\programdata\Avg_Update_0814av
2014-09-06 19:27 . 2014-09-22 23:46 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-06 19:26 . 2014-05-12 11:26 64216 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-06 19:26 . 2014-05-12 11:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-06 19:26 . 2014-09-06 19:26 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-13 19:31 . 2013-02-02 19:58 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-13 19:31 . 2013-02-02 19:58 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-13 17:30 . 2010-06-24 15:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-29 17:01 . 2006-11-02 12:35 101694776 ----a-w- c:\windows\system32\mrt.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2008-06-26 468264]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"AT&T Communication Manager"="c:\program files (x86)\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2009-11-04 597792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Corel File Shell Monitor"="c:\program files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-15 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-02 19:31]
.
2014-09-23 c:\windows\Tasks\Arcadesafari.job
- c:\users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [2013-08-24 09:03]
.
2014-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-12 03:34]
.
2014-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-12 03:34]
.
2009-04-04 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2008-07-28 03:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2008-01-24 685568]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 225792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 16395880]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
"Corel Photo Downloader"="c:\program files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-10-31 531784]
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKCU-Run-AVG-Secure-Search-Update_0214c - c:\users\Owner\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe
Wow6432Node-HKLM-Run-Corel Photo Downloader - c:\program files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-33742312.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files (x86)\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@DACL=(02 0010)
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2014-09-23  20:11:31
ComboFix-quarantined-files.txt  2014-09-24 00:11
.
Pre-Run: 193,156,653,056 bytes free
Post-Run: 192,314,806,272 bytes free
.
- - End Of File - - 48D0B353E306C644995DD73BA9621030
85D751F0E41B8E520AEE8C07A8DA777B
 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.