Use Proxy Server For your LAN will not uncheck


jackaroe

I have seen recently where users have been helped with the same problem I have. I have a Windows Vista Home desktop. Cleaned up tons of malware using Malwarebytes, RogueKiller, TDSS, and more. Seems to be clean now, except the "Use proxy server for your LAN" remains checked no matter what is done. Have tried to correct this in the registry, but the registry keys revert to previous values or replace themselves after being deleted. One expert forum member seems to have fixed this with Farbar. Out of options. Need help. Attached are the Farbar logs.

FRST.txt

Addition.txt


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the Zoek icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, the log will open after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.


Zoek.exe v5.0.0.0 Updated 24-11-2014
Tool run by Nicole on Mon 11/24/2014 at 22:05:12.74.
Microsoft® Windows Vista™ Home Premium  6.0.6001 Service Pack 1 x86
Running in: Normal Mode Internet Access Detected
Launched: H:\zoek.exe [scan all users] [script inserted]

==== System Restore Info ======================

11/24/2014 10:12:34 PM Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================

C:\Program Files\HitmanPro deleted successfully
C:\Program Files\HP Connections deleted successfully
C:\Program Files\MSXML 4.0 deleted successfully
C:\Program Files\The Weather Channel FW deleted successfully
C:\PROGRA~2\InstallSightSDK deleted successfully
C:\PROGRA~2\Roxio deleted successfully
C:\Users\Nicole\AppData\Local\CrashDumps deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6B574766-F06C-4685-92D3-806C52BF9B7A} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Program Files\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml deleted
C:\Program Files\AVG Web TuneUp deleted
C:\Program Files\Yahoo! deleted
C:\Windows\system32\config\systemprofile\AppData\LocalLow\AVG Web TuneUp deleted
C:\Windows\System32\AI_RecycleBin deleted
"C:\Windows\Installer\6f0e32.msi" deleted
"C:\Users\Nicole\AppData\Local\4m3j43x6c613o7e6h8l47k6013u5jp4" deleted
"C:\ProgramData\4m3j43x6c613o7e6h8l47k6013u5jp4" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [11/16/2014 05:55 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{1266764D-FC4F-4FA7-B63B-884D53B1680F}"="C:\Users\Nicole\AppData\Roaming\NetAssistant" [11/16/2014 05:56 AM]

==== Firefox Extensions ======================

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\ctfwyy2s.default-1415727901339
D2377C9458EFEB094E38B8C874AA214C    - C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll -    Google Update
67D325B5AEB28E381B84E8DE1A90C7A8    - C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll -    Shockwave Flash
559E8D42BE485208F1C4BB294D6840A4    - C:\Program Files\QuickTime\Plugins\npqtplugin5.dll -    QuickTime Plug-in 7.7.6
5D4279248A0E506CF007BD51EBF74CEA    - C:\Program Files\QuickTime\Plugins\npqtplugin4.dll -    QuickTime Plug-in 7.7.6
F9DE379CE8A782530A4FA0B731F3A49B    - C:\Program Files\QuickTime\Plugins\npqtplugin3.dll -    QuickTime Plug-in 7.7.6
049BD7AD3B94F24FA274ED1F7FC5871B    - C:\Program Files\QuickTime\Plugins\npqtplugin2.dll -    QuickTime Plug-in 7.7.6
D937A4645EFF8CB4F123E3C899C052B2    - C:\Program Files\QuickTime\Plugins\npqtplugin.dll -    QuickTime Plug-in 7.7.6
893BF7D2261C56C24F813405D9D018E0    - c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll -    Silverlight Plug-In
54740489C66AFC8B78CF9A2893A5DA63    - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll -    iTunes Application Detector
FD3F83A4EC716F5F95C036EE051F3D25    - C:\Program Files\Citrix\ICA Client\npURLInterceptorPlugin.dll -    Citrix URL-Redirection Helper Plugin
10909A59F2A52E95FC6C8E731BBE3E87    - C:\Program Files\Citrix\ICA Client\npicaN.dll -    Citrix ICA Client
E2318E8514ABF50E3ECEDAB9465A90A1    - C:\Windows\system32\Adobe\Director\np32dsw.dll -    Shockwave for Director / Shockwave for Director
AB87EEFFD18F2BAAFC274E7075EA6C67    - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll -    Windows Presentation Foundation / Windows Presentation Foundation
6DE7BF0DADC0881F7ED82D9FCC998B89    - C:\Program Files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll -    Adobe Acrobat
8DA2ED6B04EA33F2EAE8BA883F903729    - c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrlui.dll -    Microsoft® Silverlight


==== Chromium Look ======================

Google Voice Search Hotword (Beta) - Nicole\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} @ieframe.dll,-12512  Url="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
{67EDBC16-D057-4FBF-B8B0-8C9F1B1D8105} Live Search Url="http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully

==== Reset IE Proxy ======================

Value(s) before fix:
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"
"ProxyOverride"="<-loopback>"
"ProxyEnable"=dword:00000001

Value(s) after fix:
"ProxyEnable"=dword:00000000

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\358CA8E5BB5699C40AE9918B81151EC4 deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5E8AC853-65BB-4C99-A09E-19B81851E14C} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\358CA8E5BB5699C40AE9918B81151EC4 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW7 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin deleted successfully

==== Empty IE Cache ======================

C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1N0R8S8Q will be deleted at reboot
C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Nicole\AppData\Local\Mozilla\Firefox\Profiles\ctfwyy2s.default-1415727901339\Cache emptied successfully
C:\Users\Nicole\AppData\Local\Mozilla\Firefox\Profiles\ctfwyy2s.default-1415727901339\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=4 folders=23 4310321 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Nicole\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Nicole\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1N0R8S8Q" not found

==== EOF on Mon 11/24/2014 at 22:39:49.11 ======================
 


FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Type ProxyServer;ProxyOverride;ProxyEnable into the Search: field in FRST then click the Search Registry button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

See attached. Also below.

 

Farbar Recovery Scan Tool (x86) Version: 13-11-2014 01
Ran by Nicole at 2014-11-26 09:05:00
Running from H:\
Boot Mode: Normal

================== Search Registry: "ProxyServer;ProxyOverride;ProxyEnable" ===========


===================== Search result for "ProxyServer" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"

[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings" /v ProxyServer /f\1"

[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"

===================== Search result for "ProxyOverride" ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"="<-loopback>"

[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"="<-loopback>"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"="<-loopback>"


===================== Search result for "ProxyEnable" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"="1"

[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"c"="reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings" /v ProxyEnable /t REG_DWORD /d 0 /f\1"

[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"="1"

[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\InternetSettings]
"ProxyEnable"="0"

====== End Of Search ======

Search11.26.txt


Registry Fix

Modifying the registry may create unforeseen results. Please do not proceed, unless you have created a registry backup prior to doing that!

We need to prepare a fix file first.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script. Make sure that all of the codebox content is pasted!
    Windows Registry Editor Version 5.00

    ; ProxyEnable is a REG_DWORD (the Zoek log above shows it as dword:), so it is written
    ; with the dword: syntax here; a quoted "0" would store it as a REG_SZ string instead.

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=""
    "ProxyOverride"="<local>"

    [HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=""
    "ProxyOverride"="<local>"
    "ProxyEnable"=dword:00000000

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=""
    "ProxyOverride"="<local>"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000

    [HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\InternetSettings]
    "ProxyEnable"=dword:00000000
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to All Files (*.*) and the place to save will be your desktop.
  • Name the file fix.reg and select Save.

After that, your prepared fix.reg file should be located on your desktop.

Now we need to import the file into the registry.

  • Locate the fix.reg file on your desktop.
  • Right-click the icon of your file and select Merge.
  • You'll be prompted about adding the information to the registry. Please agree.

After this please manually reboot your machine. No report will be generated.
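As an added example for this thread (not FRST, Zoek or the helper's own code), the Python script below triages the FRST "Search Registry" output posted above and drafts a fix.reg of the kind used in this Registry Fix step: it merges the per-value search results back into per-key records, flags each hive whose proxy points at loopback, is still enabled, or has the non-default `<-loopback>` bypass entry, keeps the user's own RunMRU commands and the mistyped `InternetSettings` key (no space) apart from the hijack itself, and writes ProxyEnable as a DWORD, the type the Zoek log shows for it. The sample excerpt is constructed from the Search.txt in this thread.

```python
"""Triage an FRST 'Search Registry' log for a hijacked WinINet proxy and draft the
fix.reg.  Added example for this thread, not FRST, Zoek or the helper's own code."""
import re
from collections import OrderedDict

# Constructed sample: representative lines taken from the Search.txt posted above.
FRST_SEARCH = r'''
===================== Search result for "ProxyServer" ==========
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"
[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings" /v ProxyServer /f\1"
[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"
===================== Search result for "ProxyOverride" ==========
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"="<-loopback>"
===================== Search result for "ProxyEnable" ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"="1"
[HKEY_USERS\S-1-5-21-4172106357-54864154-2038427578-1000\Software\Microsoft\Windows\CurrentVersion\InternetSettings]
"ProxyEnable"="0"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\path]
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="Value" (value may itself contain quotes)

def parse_frst_search(text):
    """Group every "Name"="Value" line of an FRST search log under its key path.
    FRST lists a key once per searched value name, so the results are merged."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys

def proxy_hosts(proxy_server):
    """Hosts from a WinINet ProxyServer string: 'host:port' or 'scheme=host:port;...'."""
    hosts = []
    for entry in filter(None, proxy_server.split(';')):
        hostport = entry.split('=', 1)[-1]
        hosts.append(hostport.rsplit(':', 1)[0].lower())
    return hosts

def is_loopback(host):
    return host == 'localhost' or host == '::1' or host.startswith('127.')

def triage(keys):
    """Return (findings, targets): findings are human-readable lines, targets the
    key paths whose proxy values the fix should reset."""
    findings, targets = [], []
    for path, values in keys.items():
        leaf = path.rsplit('\\', 1)[-1]
        if leaf == 'RunMRU':
            # The user's own Run-box history, not malware: it records which manual
            # reg commands were tried (here against a mistyped key path).
            for cmd in values.values():
                if 'InternetSettings' in cmd:
                    findings.append(f'manual command with mistyped key path in RunMRU: {cmd}')
            continue
        if leaf == 'InternetSettings':  # no space: created by that mistyped command
            findings.append(f'stray key left by the mistyped command (not the hijack): {path}')
            continue
        reasons = []
        if any(is_loopback(h) for h in proxy_hosts(values.get('ProxyServer', ''))):
            reasons.append(f"ProxyServer={values['ProxyServer']}")
        if values.get('ProxyEnable') == '1':
            reasons.append('ProxyEnable=1')
        if '<-loopback>' in values.get('ProxyOverride', ''):
            reasons.append('ProxyOverride removes the implicit loopback bypass')
        if reasons:
            findings.append(f'{path}: ' + '; '.join(reasons))
            targets.append(path)
    return findings, targets

def build_fix_reg(targets):
    """Draft a .reg that blanks the proxy, restores the <local> bypass list and
    disables the proxy.  ProxyEnable is written as a DWORD, the type the Zoek log
    shows for it; a quoted "0" would turn the value into a REG_SZ instead."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for path in targets:
        lines += [f'[{path}]', '"ProxyEnable"=dword:00000000',
                  '"ProxyServer"=""', '"ProxyOverride"="<local>"', '']
    return '\r\n'.join(lines)

if __name__ == '__main__':
    found, to_fix = triage(parse_frst_search(FRST_SEARCH))
    print('\n'.join(found))
    print(build_fix_reg(to_fix))
```

Run against a real Search.txt, the findings list separates the hives that need resetting from the leftovers of earlier manual attempts, so the drafted fix.reg only touches keys where the hijack is actually present.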


Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes; allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.
  • If anything is found, follow these guidelines:
    • If a suspicious object is detected, the default action will be Skip; click on Continue.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      If Cure is not available, please choose Skip instead.
    • Do not choose Delete unless instructed!
    A report will be created in your root directory (usually the C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

 

 

Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

 
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.


Below and following is the TDSS log. ComboFix did not produce a log file. Should I run it again?

 

08:04:09.0683 0x0b30  TDSS rootkit removing tool 3.0.0.41 Oct 28 2014 17:58:34
08:04:13.0115 0x0b30  ============================================================
08:04:13.0115 0x0b30  Current date / time: 2014/11/27 08:04:13.0115
08:04:13.0115 0x0b30  SystemInfo:
08:04:13.0115 0x0b30  
08:04:13.0115 0x0b30  OS Version: 6.0.6001 ServicePack: 1.0
08:04:13.0115 0x0b30  Product type: Workstation
08:04:13.0115 0x0b30  ComputerName: NICOLE-PC
08:04:13.0115 0x0b30  UserName: Nicole
08:04:13.0115 0x0b30  Windows directory: C:\Windows
08:04:13.0115 0x0b30  System windows directory: C:\Windows
08:04:13.0115 0x0b30  Processor architecture: Intel x86
08:04:13.0115 0x0b30  Number of processors: 2
08:04:13.0115 0x0b30  Page size: 0x1000
08:04:13.0115 0x0b30  Boot type: Normal boot
08:04:13.0115 0x0b30  ============================================================
08:04:13.0411 0x0b30  KLMD registered as C:\Windows\system32\drivers\65782277.sys
08:04:14.0004 0x0b30  System UUID: {DF9A6E84-57F4-8C5B-9B62-E3BA6C8A5879}
08:04:14.0893 0x0b30  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 ( 298.09 Gb ), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
08:04:14.0909 0x0b30  ============================================================
08:04:14.0909 0x0b30  \Device\Harddisk0\DR0:
08:04:14.0909 0x0b30  MBR partitions:
08:04:14.0909 0x0b30  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2475B841
08:04:14.0909 0x0b30  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x2475B880, BlocksNum 0xCD1A90
08:04:14.0909 0x0b30  ============================================================
08:04:14.0924 0x0b30  C: <-> \Device\Harddisk0\DR0\Partition1
08:04:14.0971 0x0b30  D: <-> \Device\Harddisk0\DR0\Partition2
08:04:14.0971 0x0b30  ============================================================
08:04:14.0971 0x0b30  Initialize success
08:04:14.0971 0x0b30  ============================================================
08:04:50.0009 0x0fc4  KLMD registered as C:\Windows\system32\drivers\50439361.sys
08:04:50.0695 0x0fc4  Deinitialize success


ComboFix 14-11-25.01 - Nicole 11/28/2014   9:45.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2047.1364 [GMT -7:00]
Running from: c:\users\Nicole\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\logs\scecomp.log
.
---- Previous Run -------
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-28 to 2014-11-28  )))))))))))))))))))))))))))))))
.
.
2014-11-28 17:00 . 2014-11-28 17:00    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-11-26 22:48 . 2014-11-26 22:48    --------    d-----w-    c:\program files\ERUNT
2014-11-25 05:35 . 2014-11-25 05:05    24064    ----a-w-    c:\windows\zoek-delete.exe
2014-11-25 05:35 . 2014-11-28 17:00    --------    d-----w-    c:\users\Nicole\AppData\Local\Temp
2014-11-25 05:05 . 2014-11-25 05:31    --------    d-----w-    C:\zoek_backup
2014-11-16 19:50 . 2014-11-16 19:51    --------    d-----w-    C:\NPE
2014-11-16 18:09 . 2014-11-16 20:34    --------    d-----w-    c:\users\Nicole\AppData\Local\NPE
2014-11-16 18:08 . 2014-11-18 06:18    --------    d-----w-    c:\programdata\Sophos
2014-11-16 12:59 . 2014-11-16 12:59    --------    d-----w-    C:\Boot
2014-11-16 06:09 . 2014-11-16 08:31    --------    d-----w-    C:\$UPGRADE.~OS
2014-11-15 21:42 . 2014-11-26 16:05    --------    d-----w-    C:\FRST
2014-11-13 15:41 . 2014-11-13 15:41    --------    d-----w-    c:\users\Default\AppData\Roaming\TuneUp Software
2014-11-12 21:11 . 2014-11-28 15:59    --------    d-----w-    c:\programdata\Citrix
2014-11-12 21:10 . 2014-11-28 15:58    --------    d-----w-    c:\program files\Citrix
2014-11-12 18:32 . 2014-11-12 18:32    --------    d-----w-    c:\users\UpdatusUser
2014-11-12 18:31 . 2014-11-16 12:54    --------    d-----w-    c:\programdata\NVIDIA
2014-11-12 18:31 . 2012-03-06 22:05    62272    ----a-w-    c:\windows\system32\nvshext.dll
2014-11-12 18:31 . 2012-03-06 22:05    645440    ----a-w-    c:\windows\system32\nvvsvc.exe
2014-11-12 18:31 . 2012-03-06 22:05    2561344    ----a-w-    c:\windows\system32\nvsvcr.dll
2014-11-12 18:29 . 2012-03-07 08:06    61248    ----a-w-    c:\windows\system32\OpenCL.dll
2014-11-12 18:28 . 2014-11-12 18:28    --------    d-----w-    c:\programdata\NVIDIA Corporation
2014-11-12 18:28 . 2014-11-12 18:32    --------    d-----w-    c:\program files\NVIDIA Corporation
2014-11-12 18:27 . 2014-11-12 18:28    --------    d-----w-    c:\windows\system32\config\systemprofile\{15b80a68-4b00-4ceb-b8e3-7292582bfb1d}
2014-11-12 18:26 . 2008-07-08 15:45    4984    ----a-w-    c:\windows\system32\drivers\nvphy.bin
2014-11-11 20:43 . 2014-11-16 12:59    --------    d-----w-    c:\users\Nicole\{e9e61e10-d816-495e-bf83-99c392d1e4cb}
2014-11-10 19:39 . 2014-11-10 19:39    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-11-10 19:39 . 2014-11-10 19:39    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-11-10 19:39 . 2014-11-10 19:39    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-11-10 19:39 . 2014-11-10 19:39    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-11-10 19:39 . 2014-11-10 19:39    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-11-10 19:35 . 2012-10-03 23:14    26840    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2014-11-10 19:33 . 2014-11-16 12:49    --------    d-----w-    c:\program files\iPod
2014-11-10 19:33 . 2014-11-16 12:51    --------    d-----w-    c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-11-07 01:30 . 2014-11-07 01:30    --------    d-----w-    c:\windows\Sun
2014-11-06 20:08 . 2014-11-16 12:56    --------    d-----w-    c:\users\Nicole\AppData\Roaming\Download Manager
2014-11-06 19:42 . 2014-11-16 12:55    --------    d-----w-    c:\users\Nicole\AppData\Local\join.me
2014-11-04 14:55 . 2014-11-04 14:55    --------    d-----w-    c:\program files\ESET
2014-11-04 14:51 . 2014-11-04 14:51    --------    d-----w-    c:\users\Nicole\AppData\Roaming\AVG2015
2014-11-04 14:49 . 2014-11-04 14:49    --------    d-----w-    c:\users\Nicole\AppData\Roaming\TuneUp Software
2014-11-04 14:46 . 2014-11-04 14:50    --------    d-----w-    c:\programdata\AVG2015
2014-11-04 14:46 . 2014-11-04 14:46    --------    d-----w-    C:\$AVG
2014-11-04 14:44 . 2014-11-04 14:44    --------    d-----w-    c:\program files\AVG
2014-11-04 14:41 . 2014-11-28 15:30    --------    d-----w-    c:\programdata\MFAData
2014-11-04 14:41 . 2014-11-16 12:51    --------    d--h--w-    c:\programdata\Common Files
2014-11-04 14:41 . 2014-11-05 01:37    --------    d-----w-    c:\users\Nicole\AppData\Local\Avg2015
2014-11-04 14:41 . 2014-11-04 14:41    --------    d-----w-    c:\users\Nicole\AppData\Local\MFAData
2014-11-04 14:41 . 2010-09-20 09:25    231936    ----a-w-    c:\windows\system32\msshsq.dll
2014-11-04 14:38 . 2014-10-20 10:37    8901368    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{FF27F667-BF11-4E63-8E77-D93951F33EED}\mpengine.dll
2014-11-04 08:09 . 2014-11-15 21:08    --------    d-----w-    C:\AdwCleaner
2014-11-04 08:09 . 2014-11-04 08:09    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2014-11-04 07:36 . 2014-11-15 21:16    34808    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-11-04 07:36 . 2014-11-04 07:36    --------    d-----w-    c:\programdata\RogueKiller
2014-11-04 07:10 . 2014-11-16 12:51    --------    d-----w-    c:\programdata\HitmanPro
2014-11-04 02:43 . 2014-11-04 02:43    8282192    ----a-w-    c:\programdata\Microsoft\BingBar\BBSvc\7.1.391.0oemBingBarSetup-Partner.EXE
2014-11-04 01:46 . 2014-11-16 21:12    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-04 01:45 . 2014-11-16 12:46    --------    d-----w-    c:\program files\CCleaner
2014-11-04 01:45 . 2014-11-16 12:49    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-11-04 01:45 . 2014-11-04 01:45    --------    d-----w-    c:\programdata\Malwarebytes
2014-11-04 01:45 . 2014-10-01 18:11    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-04 01:45 . 2014-10-01 18:11    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-11-04 01:45 . 2014-10-01 18:11    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-11-03 20:52 . 2014-11-16 12:49    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2014-11-03 19:54 . 2010-04-14 17:46    80896    ----a-w-    c:\windows\system32\MSNP.ax
2014-11-03 19:54 . 2010-04-14 17:47    293376    ----a-w-    c:\windows\system32\psisdecd.dll
2014-11-03 19:54 . 2010-04-14 17:47    217088    ----a-w-    c:\windows\system32\psisrndr.ax
2014-11-03 17:52 . 2011-02-22 12:51    69632    ----a-w-    c:\windows\system32\drivers\bowser.sys
2014-11-03 17:52 . 2010-09-10 16:35    168960    ----a-w-    c:\program files\Windows Media Player\wmplayer.exe
2014-11-03 17:52 . 2010-09-10 16:37    8147456    ----a-w-    c:\windows\system32\wmploc.DLL
2014-11-03 17:50 . 2010-08-26 16:07    157184    ----a-w-    c:\windows\system32\t2embed.dll
2014-11-03 17:44 . 2010-06-16 15:59    898952    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2014-11-03 17:41 . 2010-08-31 15:40    531968    ----a-w-    c:\windows\system32\comctl32.dll
2014-11-03 17:41 . 2010-08-20 15:21    866816    ----a-w-    c:\windows\system32\wmpmde.dll
2014-11-03 17:41 . 2010-12-29 17:41    429056    ----a-w-    c:\windows\system32\EncDec.dll
2014-11-03 17:41 . 2010-12-29 17:41    323072    ----a-w-    c:\windows\system32\sbe.dll
2014-11-03 17:41 . 2010-12-29 17:41    153088    ----a-w-    c:\windows\system32\sbeio.dll
2014-11-03 17:41 . 2010-12-29 17:39    177664    ----a-w-    c:\windows\system32\mpg2splt.ax
2014-11-03 17:41 . 2010-04-16 16:10    1314816    ----a-w-    c:\windows\system32\quartz.dll
2014-11-03 17:39 . 2008-05-08 21:59    90112    ----a-w-    c:\windows\system32\wshext.dll
2014-11-03 17:39 . 2008-05-08 21:59    180224    ----a-w-    c:\windows\system32\scrobj.dll
2014-11-03 17:39 . 2008-05-08 21:59    172032    ----a-w-    c:\windows\system32\scrrun.dll
2014-11-03 17:39 . 2008-05-08 21:59    155648    ----a-w-    c:\windows\system32\wscript.exe
2014-11-03 17:39 . 2008-05-08 21:58    135168    ----a-w-    c:\windows\system32\cscript.exe
2014-11-03 17:39 . 2008-05-08 21:58    135168    ----a-w-    c:\windows\system32\wshom.ocx
2014-11-03 17:38 . 2011-04-20 14:47    375808    ----a-w-    c:\windows\system32\winsrv.dll
2014-11-03 17:38 . 2011-04-20 14:44    49152    ----a-w-    c:\windows\system32\csrsrv.dll
2014-11-02 22:15 . 2014-11-16 18:09    --------    d-----w-    c:\programdata\Norton
2014-11-02 17:46 . 2014-10-28 13:35    229000    ----a-w-    c:\windows\system32\MpSigStub.exe
2014-11-02 03:38 . 2014-11-02 03:38    --------    d-----w-    c:\programdata\IsolatedStorage
2014-11-02 03:09 . 2014-11-02 03:09    --------    d-----w-    c:\users\Nicole\AppData\Roaming\com.adobe.mauby
2014-11-01 23:57 . 2014-11-11 18:30    --------    d-----w-    c:\programdata\Oracle
2014-10-31 19:39 . 2014-11-01 22:18    --------    d-----w-    c:\program files\SPD
2014-10-31 19:39 . 2014-02-19 05:52    159032    ----a-w-    c:\windows\system32\ATL90.dll
2014-10-30 04:34 . 2014-10-30 04:34    213784    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-12 18:53 . 2013-04-15 18:29    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-12 18:53 . 2011-05-24 01:32    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-11-02 19:54 . 2006-11-02 10:32    101888    ----a-w-    c:\windows\system32\ifxcardm.dll
2014-11-02 19:54 . 2006-11-02 10:32    82432    ----a-w-    c:\windows\system32\axaltocm.dll
2014-10-10 22:13 . 2014-10-10 22:13    200984    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2014-10-06 04:42 . 2014-10-06 04:42    98584    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2014-10-02 21:23 . 2014-10-02 21:23    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2014-10-02 21:23 . 2014-10-02 21:23    69632    ----a-w-    c:\windows\system32\QuickTime.qts
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE" [2011-04-25 219008]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2014-10-30 4826904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-12 39408]
"GoogleChromeAutoLaunch_18F9ED406E377D72992EE1809DE354B5"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-11-14 856904]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"AVG_UI"="c:\program files\AVG\AVG2015\avgui.exe" [2014-11-10 3653136]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE" [2011-04-25 219008]
"EPLTarget\P0000000000000001"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE" [2011-04-25 219008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 08:38    34672    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2014-10-11 20:05    60712    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-11-02 09:45    8704    ----a-w-    c:\windows\System32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33    125952    ----a-w-    c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleChromeAutoLaunch_18F9ED406E377D72992EE1809DE354B5]
2014-11-14 21:15    856904    ----a-w-    c:\program files\Google\Chrome\Application\chrome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2014-10-15 12:42    157480    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Hardware Manager]
2006-11-23 17:59    469504    ----a-w-    c:\program files\PC Hardware Manager\PCHardwareManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Plugin Install]
2009-12-06 15:43    86016    ----a-w-    c:\program files\QuickTime\Plugins\DeleteMe1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2014-10-02 21:23    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-12 02:35    39408    ----a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ctxusbm
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    REG_MULTI_SZ       BthServ
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-11-24 02:40    1087304    ----a-w-    c:\program files\Google\Chrome\Application\39.0.2171.65\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-15 18:53]
.
2014-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-06 22:26]
.
2014-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-06 22:26]
.
2014-11-28 c:\windows\Tasks\User_Feed_Synchronization-{A35F13B9-4175-461C-B81A-F734D454B918}.job
- c:\windows\system32\msfeedssync.exe [2008-08-04 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000
uInternet Settings,ProxyOverride = <-loopback>
TCP: DhcpNameServer = 192.168.98.1
FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\ctfwyy2s.default-1415727901339\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-63556045.sys
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-11-28 10:00
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-11-28  10:03:11
ComboFix-quarantined-files.txt  2014-11-28 17:03
.
Pre-Run: 83,895,246,848 bytes free
Post-Run: 83,834,146,816 bytes free
.
- - End Of File - - 3CEE5B2A1FF6D1A9924F8C10523F788F
8913823FF508CCF109DB74B636C301DA
 


Fix with AdwCleaner
 
Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Wait until the database is updated.
  • Accept the Terms of use and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.

Please include the contents of that file in your reply.
 
Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
 
 
 

Scan with ZOEK
 
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.


# AdwCleaner v4.102 - Report created 30/11/2014 at 17:39:44
# Updated 23/11/2014 by Xplode
# Database : 2014-11-27.1 [Live]
# Operating System : Windows Vista Home Premium Service Pack 1 (32 bits)
# Username : Nicole - NICOLE-PC
# Running from : C:\Users\Nicole\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\spd

***** [ Browsers ] *****

-\\ Internet Explorer v7.0.6001.18444


-\\ Mozilla Firefox v33.0.3 (x86 en-US)


-\\ Google Chrome v39.0.2171.65


*************************

AdwCleaner[R0].txt - [6860 octets] - [04/11/2014 01:09:54]
AdwCleaner[R1].txt - [2839 octets] - [15/11/2014 14:04:52]
AdwCleaner[R2].txt - [1071 octets] - [30/11/2014 17:35:22]
AdwCleaner[s0].txt - [7069 octets] - [04/11/2014 01:14:02]
AdwCleaner[s1].txt - [2938 octets] - [15/11/2014 14:08:20]
AdwCleaner[s2].txt - [996 octets] - [30/11/2014 17:39:44]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1055 octets] ##########

 

Zoek.exe v5.0.0.0 Updated 05-November-2014
Tool run by Nicole on Sun 11/30/2014 at 17:46:06.85.
Microsoft® Windows Vista™ Home Premium  6.0.6001 Service Pack 1 x86
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Nicole\Desktop\zoek.exe [scan all users] [script inserted]

==== Older Logs ======================

C:\zoek-results2014-11-25-053949.log    11192 bytes

==== System Restore Info ======================

11/30/2014 5:48:51 PM Zoek.exe System Restore Point Created Succesfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [11/16/2014 05:55 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{1266764D-FC4F-4FA7-B63B-884D53B1680F}"="C:\Users\Nicole\AppData\Roaming\NetAssistant" [11/16/2014 05:56 AM]

==== Firefox Extensions ======================

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================


==== Chromium Look ======================

Google Voice Search Hotword (Beta) - Nicole\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} @ieframe.dll,-12512  Url="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
{67EDBC16-D057-4FBF-B8B0-8C9F1B1D8105} Live Search Url="http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en"

==== Reset IE Proxy ======================

Value(s) before fix:
"ProxyServer"="http=127.0.0.1:8000;https=127.0.0.1:8000"
"ProxyOverride"="<-loopback>"
"ProxyEnable"=dword:00000001

Value(s) after fix:
"ProxyEnable"=dword:00000000

==== Empty IE Cache ======================

C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Nicole\AppData\Local\Mozilla\Firefox\Profiles\ctfwyy2s.default-1415727901339\Cache emptied successfully
C:\Users\Nicole\AppData\Local\Mozilla\Firefox\Profiles\ctfwyy2s.default-1415727901339\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=4 folders=23 4310321 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Nicole\AppData\Local\Temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Users\TEMP\AppData\Local\temp emptied successfully
C:\Users\UpdatusUser\AppData\Local\temp emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Nicole\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found

==== EOF on Sun 11/30/2014 at 18:18:16.35 ======================


 


Registry Fix

Modifying the registry may create unforeseen results. Please do not proceed, unless you have created a registry backup prior to doing that!

We need to prepare a fix file first.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script. Make sure that all of the codebox content is pasted!
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy"=dword:00000000
    "ProxyEnable"=dword:00000000
    "ProxyHttp1.1"=dword:00000000
    "ProxyServer"=""
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to All Files (*.*) and the place to save will be your desktop.
  • Name the file fix.reg and select Save.

After that, your prepared fix.reg file should be located on your desktop.

Now we need to import the file into the registry.

  • Locate the fix.reg file on your desktop.
  • Right-click the icon of your file and select Merge.
  • You'll be prompted about adding the information to the registry. Please agree.

After this please manually reboot your machine. No report will be generated.

 

 

 

Then use this tool again:

http://download.microsoft.com/download/9/A/7/9A7C53C7-CC93-41AA-A5AD-E91996C66DAC/MicrosoftFixit50566.msi

Try to reset IE settings too --> https://support.microsoft.com/kb/923737?wa=wsignin1.0

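As an added example (not part of this thread and not code from ZOEK, AdwCleaner, ComboFix or the Fixit), here is a PowerShell check that reads the same per-user Internet Settings values the fix.reg above writes, flags the loopback-proxy pattern the ComboFix log showed (http=127.0.0.1:8000 with ProxyEnable set), resets the values, and re-reads them after a short wait to tell whether some running process is re-applying them, which is the reverting behaviour the original poster described. It goes slightly beyond the thread's fix by also checking AutoConfigURL, the PAC-script value in the same key; the 30-second wait, the loopback pattern and the function names are this example's own choices, not anything from the thread.

```powershell
# Added example: audit, reset and re-check the WinINET proxy values for the
# current user. Run from an elevated PowerShell prompt while logged on as the
# affected user. $key is the real registry path; everything else is this
# example's own heuristic.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    # Missing values come back as $null; coerce to 0 / '' so comparisons are simple.
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        ProxyOverride = [string]$p.ProxyOverride
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function Test-SuspiciousProxy([pscustomobject]$s) {
    # A proxy that points back at the local machine (as in the log above:
    # http=127.0.0.1:8000;https=127.0.0.1:8000) means a local process is sitting
    # in front of the browser's traffic. A PAC URL the user never configured is
    # the other common place such a redirect hides (assumption: home PC, no
    # legitimate corporate proxy or PAC script).
    $loopback = $s.ProxyServer -match '(^|[=;])(127\.0\.0\.1|localhost)(:\d+)?'
    return (($s.ProxyEnable -eq 1) -and $loopback) -or ($s.AutoConfigURL -ne '')
}

$before = Get-ProxyState
$before | Format-List

if (Test-SuspiciousProxy $before) {
    Write-Warning 'Loopback proxy or PAC URL is configured for this user.'

    # Same values the thread's fix.reg writes, plus removal of any PAC URL.
    Set-ItemProperty -Path $key -Name ProxyEnable    -Value 0  -Type DWord
    Set-ItemProperty -Path $key -Name MigrateProxy   -Value 0  -Type DWord
    Set-ItemProperty -Path $key -Name 'ProxyHttp1.1' -Value 0  -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer    -Value '' -Type String
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue

    # If the values come back on their own within a short window, a running
    # process is re-applying them and cleanup must find that process first.
    Start-Sleep -Seconds 30
    $after = Get-ProxyState
    if (Test-SuspiciousProxy $after) {
        Write-Warning 'Settings reverted within 30 s: a running process is re-applying them.'
    } else {
        'Proxy settings reset and still clean after 30 s; re-check again after a reboot.'
    }
} else {
    'No loopback proxy or PAC URL found for this user.'
}
```

The re-read after the wait is the part that matters for this thread: a reset that holds for 30 seconds but not across a reboot points at an autostart entry (the Run keys, scheduled tasks and startup folder listed in the ComboFix log above), whereas one that reverts within seconds points at something already running.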
