sysWOW64

[Trooper_Shock]

Hello, my name is Dax. Feel free to refer to me by my user name or my real name or any nicknames you coin for me. Recently my computer has been running very slowly so I took a look at task manager to see what was slowing it down. What I first saw was three or four files named "dllhost.exe *32" with a description of "com surrogate". I got suspicious of it and looked around for information on the internet. From what I read, it seems I have a virus. Looking into a lot of the high running files, one of which being the dllhost.exe *32, I noticed they all fell into one file location: C:\Windows\SysWOW64. When I ran scans from malwarebytes and Avira they reported that nothing was wrong, meanwhile windows defender always says it runs into an error before it can finish scanning. Can anyone help me delete this virus? I'm not very computer savvy so I may get confused easy and be slow in executing your advice. Tell me if you need any more information!

[LiquidTension]

Hello Dax, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
• If you are unable to copy/paste your logs directly into your post, please attach the file. 
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
• Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
• Ensure you are following this topic. Click  at the top of the page. 
   

======================================================

STEP 1
 Malwarebytes Anti-Malware (MBAM)

• Open Malwarebytes Anti-Malware and click Update Now.
• Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• Click Copy to Clipboard and paste the log in your next reply. 
   

STEP 2
 Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
• Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
• Right-Click FRST.exe / FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

STEP 3
 TDSSKiller Scan

• Please download TDSSKiller and save the file to your Desktop.
• Right-Click TDSSKiller.exe and select  Run as administrator to run the programme.
• Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
• ​Click Start Scan. Do not use the computer during the scan.
• If objects are found, change the action to skip.
• Click Continue and close the window.
• A log will be created and saved to the root directory (usually C:\). Attach the file in your next reply.
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• MBAM scan log
• FRST.txt
• Addition.txt
• TDSSKiller log (attached!)

[Trooper_Shock]

Hello Adam! Thanks for your reply! Here is all the scans you asked for!

Malwarebytes:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/2/2014
Scan Time: 6:47:46 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.12.03.02
Rootkit Database: v2014.12.02.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Dax

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 385298
Time Elapsed: 53 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

I appreciate the Help!

FRST scan #1.txt

Addition FRST scan #1.txt

TDSSKiller.3.0.0.41_02.12.2014_20.16.00_log.txt

[LiquidTension]

Hi Dax, 
 
This machine is badly infected. 
Using a clean device/computer, I would suggest changing details for accounts recently used.
 
Please do the following. 
 
STEP 1
 Creating System Restore Point (W7/Vista)

• Click the Windows Start Button . Right-click Computer and click Properties.
• Click System protection in the panel on the left. 
• Click the System Protection tab, followed by Create.
• In the System Protection dialog box, type a description, and click Create.
• Upon completion, close the window.
   

STEP 2
 ComboFix

• Note: Please read through these instructions before running ComboFix. 
• Please download ComboFix and save the file to your Desktop. << Important!
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click ComboFix.exe and select  Run as administrator to run the programme.
• Follow the prompts. 
   
• Allow ComboFix to complete it's removal routine (please refer to Important Notes:).
• Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
• Re-enable your anti-virus software.
   

Important Notes:

• Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
• Do NOT use your computer whilst ComboFix is running.
• Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
   
• If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
• ComboFix will disconnect your machine from the Internet as soon as it starts.
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If you are unable to access the Internet after running ComboFix, please reboot your computer. 
   

STEP 3
 Farbar Recovery Scan Tool (FRST) Scan

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• ComboFix.txt
• FRST.txt
• Addition.txt

[Trooper_Shock]

I'm sorry for the long wait. I have been very busy this week and unfortunately do not have times to preform the procedure tonight. Thank you for your help. and I will complete these steps tomorrow if possible. I really am sorry for the delay. Thank you for all your help and patience!

[LiquidTension]

That's quite alright, Dax. 

 

I do not suggest using or connecting this machine to the Internet. You risk additional malware being downloaded onto machine, which may result in loss of personal documents, images, etc. 

[Trooper_Shock]

I unticked enable real-time protection on Avira antivirus but combo fix still sent me a warning: ComboFix has detected the following real time scanner(s) to be active

antivirus: Avira desktop

antispywear: Avira desktop 

It then went on saying that these may cause problems and cause damages to my computer and prompted me to only press "OK" when these scanners have been disabled. Is their anything further I must do before running this. I will currently turn Avira back on until further notice so any virus cant harm my computer further. 

[LiquidTension]

Hello, 

 

Exit completely out of Avira, and proceed with ComboFix.

[Trooper_Shock]

The scans have finished. here are the results:

ComboFix scan: 

ComboFix 14-12-07.01 - Dax 12/07/2014  15:21:11.2.4 - x64

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5943.4091 [GMT -8:00]

Running from: c:\users\Dax\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Microsoft\Windows\DRM\6B24.tmp

c:\programdata\Microsoft\Windows\DRM\6E04.tmp

c:\users\Dax\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll

c:\windows\msdownld.tmp

.

.

CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.

You should verify if current CLSID data is correct: 

.

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

    (Default)    REG_SZ    Thumbnail Cache Class Factory for Out of Proc Server

    AppID    REG_SZ    {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

.

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32

    (Default)    REG_SZ    c:\windows\system32\thumbcache.dll

    ThreadingModel    REG_SZ    Apartment

.

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32

.

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\

.

(((((((((((((((((((((((((   Files Created from 2014-11-08 to 2014-12-08  )))))))))))))))))))))))))))))))

.

.

2014-12-08 01:08 . 2014-12-08 01:08 -------- d-----w- c:\users\Public\AppData\Local\temp

2014-12-08 01:08 . 2014-12-08 01:08 -------- d-----w- c:\users\Parker\AppData\Local\temp

2014-12-08 01:08 . 2014-12-08 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-12-03 03:58 . 2014-12-03 04:01 -------- d-----w- C:\FRST

2014-11-20 02:30 . 2014-11-20 02:30 -------- d-----w- c:\program files\iPod

2014-11-20 02:30 . 2014-11-20 02:34 -------- d-----w- c:\programdata\E1864A66-75E3-486a-BD95-D1B7D99A84A7

2014-11-20 02:30 . 2014-11-20 02:34 -------- d-----w- c:\program files\iTunes

2014-11-20 02:30 . 2014-11-20 02:34 -------- d-----w- c:\program files (x86)\iTunes

2014-11-19 01:52 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll

2014-11-19 01:52 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll

2014-11-19 01:52 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll

2014-11-19 01:52 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll

2014-11-16 07:09 . 2014-11-16 07:09 -------- d-----w- c:\program files (x86)\NVIDIA Corporation

2014-11-16 07:09 . 2014-11-16 07:09 -------- d-----w- c:\program files (x86)\AGEIA Technologies

2014-11-13 01:05 . 2014-11-13 01:05 -------- d-sh--w- c:\users\Dax\AppData\Local\EmieBrowserModeList

2014-11-12 04:02 . 2014-08-21 06:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2014-11-12 04:01 . 2014-10-18 02:05 861696 ----a-w- c:\windows\system32\oleaut32.dll

2014-11-12 04:01 . 2014-10-18 01:33 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll

2014-11-09 01:10 . 2014-11-09 01:10 -------- d-----w- c:\programdata\B5F9D6B23B0B5B50D342EB8FC01A051D

2014-11-09 01:06 . 2014-11-09 01:10 -------- d-----w- c:\users\Dax\AppData\Local\gamemaker_studio

2014-11-09 01:06 . 2014-11-09 01:06 -------- d-----w- c:\programdata\gamemaker_studio

2014-11-08 22:14 . 2014-11-08 22:14 -------- d-----w- c:\users\Dax\AppData\Roaming\fltk.org

2014-11-08 22:14 . 2014-11-08 22:14 -------- d-----w- c:\programdata\fltk.org

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-12-03 02:42 . 2014-07-03 09:54 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-11-26 03:29 . 2012-04-01 05:16 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2014-11-26 03:29 . 2011-07-26 07:57 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2014-11-12 05:55 . 2011-07-08 01:16 103374192 ----a-w- c:\windows\system32\MRT.exe

2014-11-04 22:30 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe

2014-11-02 04:20 . 2014-12-06 08:23 11632448 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74A9CE1A-F457-4835-90EC-1881DEE04615}\mpengine.dll

2014-10-14 22:09 . 2013-05-07 22:34 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys

2014-10-14 22:09 . 2013-03-29 03:46 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys

2014-10-14 22:09 . 2013-03-29 03:46 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2014-10-01 18:11 . 2014-07-03 09:53 63704 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-10-01 18:11 . 2014-07-03 09:53 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-10-01 18:11 . 2013-06-17 21:06 25816 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-09-25 02:08 . 2014-09-30 22:10 371712 ----a-w- c:\windows\system32\qdvd.dll

2014-09-25 01:40 . 2014-09-30 22:10 519680 ----a-w- c:\windows\SysWow64\qdvd.dll

2014-09-09 22:11 . 2014-09-23 22:14 2048 ----a-w- c:\windows\system32\tzres.dll

2014-09-09 21:47 . 2014-09-23 22:14 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-26 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]

"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-11-19 703736]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]

"mobilegeni daemon"="c:\program files (x86)\Mobogenie\DaemonProcess.exe" [2014-03-01 775872]

"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-10-22 124208]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-10-15 157480]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Exetender"="c:\program files (x86)\Free Ride Games\GPlayer.exe" [2011-06-22 4837808]

.

c:\users\Dax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Curse.lnk - c:\users\Dax\AppData\Roaming\Curse Client\Bin\Curse.exe /startup [2014-5-23 6142728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"wave2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 CXPLRCAP;Capture Device;c:\windows\system32\drivers\CxPlrCap.sys;c:\windows\SYSNATIVE\drivers\CxPlrCap.sys [x]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

R3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys;c:\windows\SYSNATIVE\drivers\hitmanpro36.sys [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]

R3 Origin Client Service;Origin Client Service;c:\program files (x86)\Origin\OriginClientService.exe;c:\program files (x86)\Origin\OriginClientService.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 Dyyno Launcher;Dyyno Service;c:\program files (x86)\Dyyno\Dyyno Broadcaster\launcherd.exe;c:\program files (x86)\Dyyno\Dyyno Broadcaster\launcherd.exe [x]

R4 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]

R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [x]

R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys;c:\windows\SYSNATIVE\drivers\ElRawDsk.sys [x]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]

S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]

S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]

S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [x]

S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]

S2 X5XSEx;X5XSEx;c:\program files (x86)\Free Ride Games\X5XSEx.Sys;c:\program files (x86)\Free Ride Games\X5XSEx.Sys [x]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]

start [bU]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-11-27 00:12 1087304 ----a-w- c:\program files (x86)\Google\Chrome\Application\39.0.2171.71\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-12-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 03:29]

.

2014-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-26 01:58]

.

2014-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-26 01:58]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060832]

"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-05-30 2055816]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]

"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.com/

uLocal Page = c:\windows\system32\blank.htm

TCP: DhcpNameServer = 192.168.1.254

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE "%1"

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-{199DC582-663B-46BB-A6BB-2115193364E7} - (no file)

Wow6432Node-HKCU-Run-{694A76D2-2C33-42B7-94E4-7FB900050370} - (no file)

Wow6432Node-HKCU-Run-Mozilla Tray - c:\users\Dax\AppData\Local\Mozilla\rlgrujphca.dll

Wow6432Node-HKCU-Run-{3CA72574-2421-4B80-992B-654883D4F148} - (no file)

Wow6432Node-HKCU-Run-{1A204769-544F-4E9B-8C01-ABD1DD649CEE} - (no file)

Wow6432Node-HKCU-Run-{05F5278C-078B-45C1-9D8F-B68407270FEE} - (no file)

Wow6432Node-HKCU-Run-{174DC19A-EC9E-4ED9-9396-1069BD044F3C} - (no file)

Wow6432Node-HKCU-Run-Mxbrbmekqb - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

AddRemove-WT089446 - c:\program files (x86)\WildTangent\Dell Games\Wedding Dash - Ready

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,

   89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b

"{F92A9FE4-2850-4198-B9D5-279880E49B16}"=hex:51,66,7a,6c,4c,1d,38,12,8a,9c,39,

   fd,62,66,f6,04,c6,c3,64,d8,85,ba,df,02

"{30F9B915-B755-4826-820B-08FBA6BD249D}"=hex:51,66,7a,6c,4c,1d,38,12,7b,ba,ea,

   34,67,f9,48,0d,fd,1d,4b,bb,a3,e3,60,89

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{F3FEE66E-E034-436A-86E4-9690573BEE8A}"=hex:51,66,7a,6c,4c,1d,38,12,00,e5,ed,

   f7,06,ae,04,06,f9,f2,d5,d0,52,65,aa,9e

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{27B4851A-3207-45A2-B947-BE8AFE6163AB}"=hex:51,66,7a,6c,4c,1d,38,12,74,86,a7,

   23,35,7c,cc,00,c6,51,fd,ca,fb,3f,27,bf

"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,

   34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,38,12,ce,d6,a1,

   79,73,3c,17,0b,c9,9b,20,49,f5,42,16,25

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,

   aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

   b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,

   d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:98,8d,13,4b,a4,68,cd,01

.

[HKEY_USERS\S-1-5-21-2800673357-853013121-2299416948-1000\Software\SecuROM\License information*]

@Allowed: (Read) (RestrictedCode)

"datasecu"=hex:a7,c7,2c,f1,09,5f,07,ed,c0,e7,db,d2,68,a0,62,4f,69,c9,39,88,0c,

   68,04,32,1a,63,a4,44,ea,bf,86,9c,8a,16,42,b9,8b,8d,b1,a9,4a,9c,3b,69,37,b1,\

"rkeysecu"=hex:6a,d1,27,b2,dd,a6,5b,3d,04,16,a0,f4,93,92,f1,f1

.

[HKEY_USERS\S-1-5-21-2800673357-853013121-2299416948-1000_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]

@Allowed: (B 1 2 3 5) (S-1-5-21-2800673357-853013121-2299416948-1000)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.15"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE

c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

.

**************************************************************************

.

Completion time: 2014-12-07  17:17:39 - machine was rebooted

ComboFix-quarantined-files.txt  2014-12-08 01:17

ComboFix2.txt  2013-06-17 22:14

.

Pre-Run: 286,881,050,624 bytes free

Post-Run: 331,248,615,424 bytes free

.

- - End Of File - - DFD4472783D3954409A673B7FB838009

5C616939100B85E558DA92B899A0FC36

 

Thank you for your patience!

FRST scan #2.txt

Addition FRST scan #2.txt

[LiquidTension]

Hi Dax, 
 
Please do the following. 
 
STEP 1
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startCloseProcesses:HKLM-x32\...\Run: [] => [X]HKU\S-1-5-21-2800673357-853013121-2299416948-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONHKU\S-1-5-21-2800673357-853013121-2299416948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONURLSearchHook: HKLM-x32 - (No Name) - {f92a9fe4-2850-4198-b9d5-279880e49b16} - No FileSearchScopes: HKLM -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBoxSearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBoxSearchScopes: HKLM-x32 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1320680SearchScopes: HKU\S-1-5-21-2800673357-853013121-2299416948-1000 -> {9448CCC9-8E8D-4637-AA51-71BA5C3CC938} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}SearchScopes: HKU\S-1-5-21-2800673357-853013121-2299416948-1000 -> {9D4BA016-9AFA-4206-A773-BD46A463EFD3} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10266&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=^AGX&apn_dtid=^YYYYYY^YY^US&apn_uid=fb1c9d47-bd1b-4f55-84cd-d82da17d52e0&apn_sauid=200A3866-CD96-400E-AE44-2C735BF82559SearchScopes: HKU\S-1-5-21-2800673357-853013121-2299416948-1000 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1320680BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} ->  No FileFilter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No FileFF Plugin-x32: @exent.com/npExentCtl,version=7.0.0.0 -> C:\Program Files (x86)\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.)FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No FileC:\Program Files (x86)\Pando NetworksCHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No PathS3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]2014-11-12 17:05 - 2014-11-12 17:05 - 00000000 __SHD () C:\Users\Dax\AppData\Local\EmieBrowserModeListFolder: C:\ProgramData\B5F9D6B23B0B5B50D342EB8FC01A051DC:\Windows\SysWOW64\config\systemprofile\AppData\Local\{9af037cc-f32e-75fc-ffea-c43a048d51e2}C:\Users\Dax\AppData\Local\Temp\spetdwpCustomCLSID: HKU\S-1-5-21-2800673357-853013121-2299416948-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File PathTask: {CDD36156-F3BD-4D23-A8C4-47E6D1112896} - System32\Tasks\{F13D3A1D-48A8-435B-8FEE-301CC80F5B04} => C:\Users\Dax\AppData\Local\7f7c434a-9ce1-480e-a292-2fd6220cd967ad\fcaceeafdcdad.exeC:\Users\Dax\AppData\Local\7f7c434a-9ce1-480e-a292-2fd6220cd967adCMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 2
 Revo Uninstaller

• Please download and install Revo Uninstaller Free.
• Double-click Revo Uninstaller to run the programme. 
• From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.
  • A Free Ride Games Bar Toolbar
  • Conduit Engine
  • Free Ride Games Player
  • Mobogenie
  • YTD Toolbar v7.0
• ​Double-click the programme. 
• When prompted if you want to uninstall click Yes.
• Ensure the Moderate option is selected and click Next.
• The programme uninstaller will run. If prompted again click Yes.
• Work your way through the uninstaller, ensuring you read each page thoroughly.
• Note: Ensure you decline offers of additional software if applicable. 
• Once the built-in uninstaller is finished click Next.
• Once the programme has searched for leftovers click Next.
• Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.
• When prompted click Yes, followed by Next.
• Click Select all, followed by Delete.
• When prompted click Yes, followed by Next.
• Once done click Finish.
   

STEP 3
 RogueKiller

• Please download RogueKiller (x64) and save the file to your Desktop.
• Close any running programmes.
• Right-Click RogueKiller.exe and select  Run as administrator to run the programme.
• Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
• A browser window may open. Close the browser window.
• Click . Upon completion, click .
• Close the programme. Do not fix anything!
• A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Fixlog.txt
• Did the programmes uninstall OK?
• RKreport.txt

[Trooper_Shock]

I got the fix log and i was able to delete "A Free Ride Games Bar" "Conduit Engine" "free rides game player" and "YTD toolbar" but was unable to find and delete "Mobogenie." I know "Mobogenie" is connected to "Raidcall" which I use to chat with some friends. Should I delete "Raidcall" or continue the steps you have already given?

Here is the fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2014 02

Ran by Dax at 2014-12-07 19:55:51 Run:1

Running from C:\Users\Dax\Downloads

Loaded Profile: Dax (Available profiles: Dax & Parker)

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]

HKU\S-1-5-21-2800673357-853013121-2299416948-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\S-1-5-21-2800673357-853013121-2299416948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

URLSearchHook: HKLM-x32 - (No Name) - {f92a9fe4-2850-4198-b9d5-279880e49b16} - No File

SearchScopes: HKLM -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox

SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox

SearchScopes: HKLM-x32 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1320680

SearchScopes: HKU\S-1-5-21-2800673357-853013121-2299416948-1000 -> {9448CCC9-8E8D-4637-AA51-71BA5C3CC938} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}

SearchScopes: HKU\S-1-5-21-2800673357-853013121-2299416948-1000 -> {9D4BA016-9AFA-4206-A773-BD46A463EFD3} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10266&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=^AGX&apn_dtid=^YYYYYY^YY^US&apn_uid=fb1c9d47-bd1b-4f55-84cd-d82da17d52e0&apn_sauid=200A3866-CD96-400E-AE44-2C735BF82559

SearchScopes: HKU\S-1-5-21-2800673357-853013121-2299416948-1000 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1320680

BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} ->  No File

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No File

FF Plugin-x32: @exent.com/npExentCtl,version=7.0.0.0 -> C:\Program Files (x86)\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.)

FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File

C:\Program Files (x86)\Pando Networks

CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]

2014-11-12 17:05 - 2014-11-12 17:05 - 00000000 __SHD () C:\Users\Dax\AppData\Local\EmieBrowserModeList

Folder: C:\ProgramData\B5F9D6B23B0B5B50D342EB8FC01A051D

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{9af037cc-f32e-75fc-ffea-c43a048d51e2}

C:\Users\Dax\AppData\Local\Temp\spetdwp

CustomCLSID: HKU\S-1-5-21-2800673357-853013121-2299416948-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path

Task: {CDD36156-F3BD-4D23-A8C4-47E6D1112896} - System32\Tasks\{F13D3A1D-48A8-435B-8FEE-301CC80F5B04} => C:\Users\Dax\AppData\Local\7f7c434a-9ce1-480e-a292-2fd6220cd967ad\fcaceeafdcdad.exe

C:\Users\Dax\AppData\Local\7f7c434a-9ce1-480e-a292-2fd6220cd967ad

CMD: ipconfig /flushdns

CMD: netsh winsock reset all

CMD: netsh int ipv4 reset

CMD: netsh int ipv6 reset

EmptyTemp:

end

*****************

 

Processes closed successfully.

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{f92a9fe4-2850-4198-b9d5-279880e49b16} => value deleted successfully.

"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}" => Key deleted successfully.

"HKCR\CLSID\{49606DC7-976D-4030-A74E-9FB5C842FA68}" => Key not found.

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}" => Key deleted successfully.

"HKCR\Wow6432Node\CLSID\{49606DC7-976D-4030-A74E-9FB5C842FA68}" => Key not found.

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key deleted successfully.

"HKCR\Wow6432Node\CLSID\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key not found.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9448CCC9-8E8D-4637-AA51-71BA5C3CC938}" => Key deleted successfully.

"HKCR\CLSID\{9448CCC9-8E8D-4637-AA51-71BA5C3CC938}" => Key not found.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9D4BA016-9AFA-4206-A773-BD46A463EFD3}" => Key deleted successfully.

"HKCR\CLSID\{9D4BA016-9AFA-4206-A773-BD46A463EFD3}" => Key not found.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key deleted successfully.

"HKCR\CLSID\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key not found.

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => Key deleted successfully.

"HKCR\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => Key not found.

"HKCR\PROTOCOLS\Filter\application/x-mfe-ipt" => Key deleted successfully.

"HKCR\CLSID\{3EF5086B-5478-4598-A054-786C45D75692}" => Key not found.

"HKLM\Software\Wow6432Node\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0" => Key deleted successfully.

C:\Program Files (x86)\Free Ride Games\npExentCtl.dll => Moved successfully.

"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.

C:\Program Files (x86)\Pando Networks => Moved successfully.

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.

EagleX64 => Service deleted successfully.

C:\Users\Dax\AppData\Local\EmieBrowserModeList => Moved successfully.

 

========================= Folder: C:\ProgramData\B5F9D6B23B0B5B50D342EB8FC01A051D ========================

 

2014-11-08 17:10 - 2014-11-08 20:27 - 0000785 _____ () C:\ProgramData\B5F9D6B23B0B5B50D342EB8FC01A051D\TraceIDE.log

 

====== End of Folder: ======

 

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{9af037cc-f32e-75fc-ffea-c43a048d51e2} => Moved successfully.

C:\Users\Dax\AppData\Local\Temp\spetdwp => Moved successfully.

"HKU\S-1-5-21-2800673357-853013121-2299416948-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CDD36156-F3BD-4D23-A8C4-47E6D1112896}" => Key deleted successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDD36156-F3BD-4D23-A8C4-47E6D1112896}" => Key deleted successfully.

C:\Windows\System32\Tasks\{F13D3A1D-48A8-435B-8FEE-301CC80F5B04} => Moved successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{F13D3A1D-48A8-435B-8FEE-301CC80F5B04}" => Key deleted successfully.

C:\Users\Dax\AppData\Local\7f7c434a-9ce1-480e-a292-2fd6220cd967ad => Moved successfully.

 

=========  ipconfig /flushdns =========

 

 

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.

 

========= End of CMD: =========

 

 

=========  netsh winsock reset all =========

 

 

Sucessfully reset the Winsock Catalog.

You must restart the computer in order to complete the reset.

 

 

========= End of CMD: =========

 

 

=========  netsh int ipv4 reset =========

 

Reseting Global, OK!

Reseting Interface, OK!

Reseting Route, OK!

Restart the computer to complete this action.

 

 

========= End of CMD: =========

 

 

=========  netsh int ipv6 reset =========

 

Reseting Interface, OK!

Reseting Unicast Address, OK!

Reseting Route, OK!

Restart the computer to complete this action.

 

 

========= End of CMD: =========

 

EmptyTemp: => Removed 5.4 GB temporary data.

 

 

The system needed a reboot. 

 

==== End of Fixlog ====

[LiquidTension]

Hello,

Please leave the programme installed, and proceed with Step 3.

[Trooper_Shock]

Alright, here is the RKreport:

RogueKiller V10.0.9.0 (x64) [Dec  8 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Dax [Administrator]

Mode : Scan -- Date : 12/10/2014  16:52:51

 

¤¤¤ Processes : 1 ¤¤¤

[suspicious.Path] Curse.exe -- C:\Users\Dax\AppData\Roaming\Curse Client\Bin\Curse.exe[7] -> Killed [TermProc]

 

¤¤¤ Registry : 15 ¤¤¤

[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | mobilegeni daemon : C:\Program Files (x86)\Mobogenie\DaemonProcess.exe  -> Found

[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found

[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2800673357-853013121-2299416948-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2800673357-853013121-2299416948-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

 

¤¤¤ Tasks : 0 ¤¤¤

 

¤¤¤ Files : 1 ¤¤¤

[suspicious.Path][File] Curse.lnk -- C:\Users\Dax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [LNK@] C:\Users\Dax\AppData\Roaming\CURSEC~1\Bin\Curse.exe /startup -> Found

 

¤¤¤ Hosts File : 1 ¤¤¤

[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

 

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++

--- User ---

[MBR] 3b2b43ae2a63bcb052ff8f9e8f9ed418

[bSP] 8cce1324f39ad24395afca674bf41337 : HP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 14618 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30019584 | Size: 939210 MB

User = LL1 ... OK

User = LL2 ... OK

 

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

[LiquidTension]

That log looks fine, Dax. 
 
Please do the following. 
Let me know how your computer is performing afterwards. 
 
STEP 1
 AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.
• Right-Click AdwCleaner.exe and select  Run as administrator to run the programme.
• Follow the prompts. 
• Click Scan. 
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean. 
• Follow the prompts and allow your computer to reboot. 
• After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for anything removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
STEP 2
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click  and save the file to your Desktop, naming it something such as "MyEsetScan".
• Push the Back button.
• Place a checkmark next to  and click .
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.
   

STEP 3
 Farbar Recovery Scan Tool (FRST) Scan

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

======================================================

STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• AdwCleaner[s0].txt
• ESET log
• FRST.txt
• Addition.txt

[LiquidTension]

Hi Dax, 

 

Do you still require assistance?

[Trooper_Shock]

Hi Adam, i just downloaded and started the scan for adwcleaner. sorry for the delay. I will get back to you with the info in a jiffy!

[LiquidTension]

No problem at all, Dax.

[Trooper_Shock]

Alright, they are all done! Here they are:

# AdwCleaner v4.105 - Report created 13/12/2014 at 22:28:49

# Updated 08/12/2014 by Xplode

# Database : 2014-12-13.4 [Live]

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : Dax - DAX-PC

# Running from : C:\Users\Dax\Downloads\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

Service Deleted : c2cautoupdatesvc

Service Deleted : c2cpnrsvc

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\ProgramData\Ask

Folder Deleted : C:\ProgramData\Babylon

Folder Deleted : C:\ProgramData\Systweak

Folder Deleted : C:\ProgramData\ytd video downloader

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader

Folder Deleted : C:\Program Files (x86)\Application Updater

Folder Deleted : C:\Program Files (x86)\Conduit

Folder Deleted : C:\Program Files (x86)\Mobogenie

Folder Deleted : C:\Users\Dax\AppData\Local\apn

Folder Deleted : C:\Users\Dax\AppData\Local\Babylon

Folder Deleted : C:\Users\Dax\AppData\Local\Conduit

Folder Deleted : C:\Users\Dax\AppData\Local\genienext

Folder Deleted : C:\Users\Dax\AppData\Local\Mobogenie

Folder Deleted : C:\Users\Dax\AppData\Local\CrashRpt

Folder Deleted : C:\Users\Dax\AppData\LocalLow\Conduit

Folder Deleted : C:\Users\Dax\AppData\LocalLow\ConduitEngine

Folder Deleted : C:\Users\Dax\AppData\Roaming\Systweak

Folder Deleted : C:\Users\Dax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mobogenie

Folder Deleted : C:\Users\Dax\Documents\Mobogenie

Folder Deleted : C:\Users\Parker\AppData\Roaming\Systweak

Folder Deleted : C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

[x] Not Deleted : C:\Windows\System32\roboot64.exe

File Deleted : C:\Users\Dax\daemonprocess.txt

 

***** [ Scheduled Tasks ] *****

 

 

***** [ Shortcuts ] *****

 

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileParade bundle uninstaller\FileParade bundle uninstaller.lnk

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\IM

Key Deleted : HKCU\Software\systweak

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKCU\Software\AppDataLow\Toolbar

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine

Key Deleted : HKLM\SOFTWARE\Babylon

Key Deleted : HKLM\SOFTWARE\Conduit

Key Deleted : HKLM\SOFTWARE\systweak

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mobogenie

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044

Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.17496

 

 

-\\ Google Chrome v39.0.2171.95

 

 

-\\ Chromium v

 

 

*************************

 

AdwCleaner[R0].txt - [5336 octets] - [13/12/2014 22:25:42]

AdwCleaner[s0].txt - [5305 octets] - [13/12/2014 22:28:49]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [5365 octets] ##########

 

MyEsetScan.txt

FRST scan #3.txt

Addition FRST scan #3.txt

[LiquidTension]

Hi Dax, 

 

Let me know how your computer is performing after doing the following. 

 

STEP 1
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startC:\$RECYCLE.BIN\S-1-5-21-2800673357-853013121-2299416948-1000\$R6WBO18C:\$RECYCLE.BIN\S-1-5-21-2800673357-853013121-2299416948-1000\$RF9M1N8C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\glgnlmfoninngjlnekapkpknehobdbknC:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\hfeppchlkbnhnabkmdbgfppgggpmmgfgC:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\jfgkhdllihigkpbacgceimhpfcpijfjlC:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\jnbheadbnhadecceclkpdkghadocilgeC:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\mpincfnchjbkefadchbhpnhfobgcbgiiC:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\plellciaeinkknhinnpljmecidjgnjfnC:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\pncolkimahpljhjhjgholhcfioaacbjoC:\Users\Dax\AppData\LocalLow\A_Free_Ride_Games_BarC:\Users\Dax\AppData\Roaming\wabEventSupport16EmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 2
 Update Outdated Software
Outdated software contain security risks that must be patched. Please download and install the latest version of the programmes below.

•  Adobe Air
•  Adobe Flash Player (uncheck the "Optional Offer")
•  Adobe Reader (uncheck the "Optional Offer")
•  Adobe Shockwave Player
•  Java (watch out for "Optional Offers" or bundled software)
•  Follow these instructions to check for and download the latest Windows Updates.
   

STEP 3
 Remove Outdated Software

• Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programmes, right-click and click Uninstall one at a time.
• Note: The programmes below may not be present. If this is the case, please skip to the next step.
  • Adobe Reader X (10.1.4) 
  • Adobe Shockwave Player 11.6
  • HijackThis 1.99.1
  • Java 7 Update 7
  • Java 6 Update 31
  • JavaFX 2.1.1
• Follow the prompts, and reboot if necessary.
   

STEP 4
 Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).

• Click the Windows Start Button  and type Java Control Panel (or javacpl) in the search bar. 
• Click on the Java Control Panel. Once opened, click the Security tab.
• Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser. 
• Click Apply. When the Windows User Account Control (UAC) appears, allow permissions to make the changes. 
• Click OK in the Java Plug-in confirmation window.
• Restart your browser(s) for changes to take effect.
• More information can be found here and here.
   

STEP 5
 Security Check

• Please download SecurityCheck and save the file to your Desktop.
• Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
• A log (checkup.txt) will automatically open on your Desktop.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 6
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Fixlog.txt
• checkup.txt
• How is your computer performing? Are there any outstanding issues?

[Trooper_Shock]

I have completed all steps to step 3. However when I try to run Java Control Panel a screen will briefly appear and then disappear. As for how my computer runs, it has already shown major improvements! Thanks for all your help so far! 

Here are the results of the FRST fix: 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014

Ran by Dax at 2014-12-18 19:31:04 Run:2

Running from C:\Users\Dax\Downloads\FRST-OlderVersion

Loaded Profiles: Dax & Parker (Available profiles: Dax & Parker)

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

start

C:\$RECYCLE.BIN\S-1-5-21-2800673357-853013121-2299416948-1000\$R6WBO18

C:\$RECYCLE.BIN\S-1-5-21-2800673357-853013121-2299416948-1000\$RF9M1N8

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\glgnlmfoninngjlnekapkpknehobdbkn

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\hfeppchlkbnhnabkmdbgfppgggpmmgfg

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\jfgkhdllihigkpbacgceimhpfcpijfjl

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\jnbheadbnhadecceclkpdkghadocilge

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\mpincfnchjbkefadchbhpnhfobgcbgii

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\plellciaeinkknhinnpljmecidjgnjfn

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\pncolkimahpljhjhjgholhcfioaacbjo

C:\Users\Dax\AppData\LocalLow\A_Free_Ride_Games_Bar

C:\Users\Dax\AppData\Roaming\wabEventSupport16

EmptyTemp:

end

*****************

 

C:\$RECYCLE.BIN\S-1-5-21-2800673357-853013121-2299416948-1000\$R6WBO18 => Moved successfully.

C:\$RECYCLE.BIN\S-1-5-21-2800673357-853013121-2299416948-1000\$RF9M1N8 => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\glgnlmfoninngjlnekapkpknehobdbkn => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\hfeppchlkbnhnabkmdbgfppgggpmmgfg => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\jfgkhdllihigkpbacgceimhpfcpijfjl => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\jnbheadbnhadecceclkpdkghadocilge => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\mpincfnchjbkefadchbhpnhfobgcbgii => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\plellciaeinkknhinnpljmecidjgnjfn => Moved successfully.

C:\Users\Dax\AppData\Local\Google\Chrome\User Data\Default\Users\pncolkimahpljhjhjgholhcfioaacbjo => Moved successfully.

C:\Users\Dax\AppData\LocalLow\A_Free_Ride_Games_Bar => Moved successfully.

C:\Users\Dax\AppData\Roaming\wabEventSupport16 => Moved successfully.

EmptyTemp: => Removed 461.4 MB temporary data.

 

 

The system needed a reboot. 

 

==== End of Fixlog ====

[LiquidTension]

Hi Dax, 

 

Please uninstall all versions of Java. Then, if you need the programme, reinstall and try again. 

Afterwards, please move onto Security Check.

[Trooper_Shock]

Okay, Java is uninstalled and here is the Security Check Checkup:

 

 Results of screen317's Security Check version 0.99.93  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

Avira Desktop   

 Antivirus up to date!   

`````````Anti-malware/Other Utilities Check:````````` 

 Malwarebytes Anti-Malware version 2.0.3.1025  

 Adobe Flash Player 16.0.0.235  

 Adobe Reader XI  

 Google Chrome (39.0.2171.71) 

 Google Chrome (39.0.2171.95) 

````````Process Check: objlist.exe by Laurent````````  

 Avira Antivir avgnt.exe 

 Avira Antivir avguard.exe 

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 2% 

````````````````````End of Log`````````````````````` 

[LiquidTension]

Hi Dax, 

 

That log looks good. 

Now for the good news!

 

All Clean!
Congratulations, your computer appears clean! 
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful. 
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation. 
 
 
STEP 1
 ComboFix Uninstall

• Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:

  ComboFix /Uninstall

• Click OK.
• Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
   

STEP 2
 DelFix

• Please download DelFix and save the file to your Desktop.
• Double-click DelFix.exe to run the programme.
• Place a checkmark next to the following items:
  • Activate UAC
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore
  • Reset system settings
• Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

• Answers to common security questions - Best Practices by quietman7, MVP
• How Malware Spreads - How did I get infected? by quietman7, MVP
• Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
• How to Prevent Malware by miekiemoes, MVP
• How to backup and restore your data using Cobian Backup by YourHighness
• Slow Computer/browser? It May Not Be Malware by quietman7, MVP
   

The following programmes come highly recommended in the security community.

•  AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
• CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware. 
•  Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
•  Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
•  NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
•  Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
•  Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
•  SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
•  Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing.   
Adam

[Trooper_Shock]

Thanks Adam! I am so thankful for your help! I'm glad people like you are helping so many people out! I will try to make sure I don't run into any more viruses while I surf the web!

 

Happy Holidays!

-Dax

[LiquidTension]

You're welcome, Dax. It was my pleasure.
 

I will mark your topic as solved. 

 

All the best, 

Adam