Removed Optimizer Pro but still having problems with Cartwheel


3 replies to this topic

#1 blaise914


  • Members
  • 1 posts

Posted 04 September 2013 - 11:43 AM

Mod Edit, Moved ComboFix log to proper forum ~~ boopme

Hi, I was having similar problems to another user and I followed your instructions on http://www.bleepingcomputer.com/forums/t/495886/need-help-with-removing-pc-optimizer-pro/
However, on that last security check after the ComboFix it kept saying "unsupported operating system! aborted!" instead of running. So far a lot of my problems have been removed, but I still have this popup box called "Cartwheel" on all my tabs whenever I use the internet. The following are all the logs from the scans I was able to perform. Thank you in advance!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.7 (09.01.2013:1)
OS: Windows 7 Enterprise x86
Ran by Ely on Wed 09/04/2013 at  8:39:38.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{95E0F85F-EFF1-49CC-A2BF-BBF6DAA7992C}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D1C75D71-F033-43EF-AEF8-E4267C455351}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E7C8B5A-96AB-438F-BF9B-782400655440}



~~~ Files



~~~ Folders

Failed to delete: [Folder] "C:\Program Files\browsersafeguard"



~~~ FireFox

Emptied folder: C:\Users\Ely\AppData\Roaming\mozilla\firefox\profiles\i1i0v4so.default\minidumps [144 files]



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Ely\appdata\local\Google\Chrome\User Data\Default\Extensions\dnfaglepmjgohnkcoieaijlheabmcdeo
Successfully deleted: [Folder] C:\Users\Ely\appdata\local\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 09/04/2013 at  8:42:31.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
# AdwCleaner v3.002 - Report created 04/09/2013 at 08:35:23
# Updated 01/09/2013 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (32 bits)
# Username : Ely - ELY-PC
# Running from : C:\Users\Ely\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc
Service Deleted : spd Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\optimizer pro
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Savepath Deals
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\Program Files\SPDUpdater
Folder Deleted : C:\Users\Ely\AppData\Local\Conduit
Folder Deleted : C:\Users\Ely\AppData\Local\cre
Folder Deleted : C:\Users\Ely\AppData\Local\DefineExt
Folder Deleted : C:\Users\Ely\AppData\Local\Temp\CT3298566
Folder Deleted : C:\Users\Ely\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Ely\AppData\LocalLow\MixiDJ_V30
Folder Deleted : C:\Users\Ely\AppData\LocalLow\Swag_Bucks
Folder Deleted : C:\Users\Ely\AppData\Roaming\optimizer pro
Folder Deleted : C:\Users\Ely\AppData\Roaming\Qwiklinx
Folder Deleted : C:\Users\Ely\AppData\Roaming\SearchProtect
Folder Deleted : C:\Users\Ely\Documents\optimizer pro
Folder Deleted : C:\Users\MamiPapi\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Administrator\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\Smartbar
Folder Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\StumbleUpon
Folder Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\CT3298566
Folder Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\Extensions\{1122b43d-30ee-403f-9bfa-3cc99b0caddd}
Folder Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\Extensions\{6921B3CC-9935-4D28-9A83-B3D824210580}
Folder Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\Extensions\savepathdeals@savepathdeals.com
Folder Deleted : C:\Users\Ely\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnfaglepmjgohnkcoieaijlheabmcdeo
Folder Deleted : C:\Users\Ely\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh
File Deleted : C:\END
File Deleted : C:\Users\Ely\Desktop\Optimizer Pro.lnk
File Deleted : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\searchplugins\Conduit.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Optimizer Pro]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Key Deleted : HKLM\SOFTWARE\Classes\QwiklinxBHO
Key Deleted : HKLM\SOFTWARE\Classes\QwiklinxBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\SavepathDeals.MyObjectWithSite
Key Deleted : HKLM\SOFTWARE\Classes\SavepathDeals.MyObjectWithSite.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\tracing\askpartnercobrandingtool_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2260173
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3298566
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_fdkednngfjmpnljkolbapdednncafhen]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F66C7EC4-63CC-4452-A8C9-5A2E898F8EFF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DAA6D527-6513-453E-A4E6-DA2BFA6C7A75}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{85675E8E-5807-456E-8005-29ECDFB5AA98}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E2C1A522-B8E1-45D1-B316-F5625004A28C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{204C0025-C26A-43E2-853C-D8A8EB1BCE51}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{91E6F004-F9BB-4E4C-A023-94BA5E56DF8F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F66C7EC4-63CC-4452-A8C9-5A2E898F8EFF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F66C7EC4-63CC-4452-A8C9-5A2E898F8EFF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DAA6D527-6513-453E-A4E6-DA2BFA6C7A75}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{85675E8E-5807-456E-8005-29ECDFB5AA98}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7E1973BA-F3A0-42FD-ADC0-1CCC87623EAF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{601D1985-DAE6-430B-A5B8-37FF89A103A5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A61F59B6-0066-473B-9602-27BADFB54E91}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11472402-0F9A-47C8-A2B8-E95794F3B74B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\Qwiklinx
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\MixiDJ_V30
Key Deleted : HKCU\Software\AppDataLow\Software\Swag_Bucks
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\spd
Key Deleted : HKLM\Software\MixiDJ_V30
Key Deleted : HKLM\Software\Swag_Bucks
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E497885-E60B-420A-832D-0148B392E058}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Savepath Deals
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MixiDJ_V30 Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Swag_Bucks Toolbar
Product Deleted : Google Update Helper

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\prefs.js ]

Line Deleted : user_pref("CT2260173_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1371890185502,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("CT3298566.FF19Solved", "true");
Line Deleted : user_pref("CT3298566.UserID", "UN59498877821298233");
Line Deleted : user_pref("CT3298566.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3298566.fullUserID", "UN59498877821298233.IN.20130903215241");
Line Deleted : user_pref("CT3298566.installDate", "03/09/2013 21:52:42");
Line Deleted : user_pref("CT3298566.installSessionId", "{598B492B-B3BA-4B6B-B03B-9881D12BF549}");
Line Deleted : user_pref("CT3298566.installSp", "TRUE");
Line Deleted : user_pref("CT3298566.installerVersion", "1.6.1.2");
Line Deleted : user_pref("CT3298566.keyword", "true");
Line Deleted : user_pref("CT3298566.originalHomepage", "hxxp://www.google.com/|hxxp://www.facebook.com/|hxxp://my.sa.ucsb.edu/home/index.aspx|hxxp://www.fanfiction.net/|hxxp://www.yahoo.com/|hxxp://www.stumbleupon.c[...]
Line Deleted : user_pref("CT3298566.originalSearchAddressUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&CUI=UN38570713292587031&q=");
Line Deleted : user_pref("CT3298566.originalSearchEngine", "Google");
Line Deleted : user_pref("CT3298566.originalSearchEngineName", "");
Line Deleted : user_pref("CT3298566.searchRevert", "false");
Line Deleted : user_pref("CT3298566.searchUserMode", "2");
Line Deleted : user_pref("CT3298566.smartbar.homepage", "true");
Line Deleted : user_pref("CT3298566.versionFromInstaller", "10.19.2.5");
Line Deleted : user_pref("CT3298566.xpeMode", "0");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3298566&octid=CT3298566&SearchSource=61&CUI=UN59498877821298233&UM=2&UP=SP2B0C4948-B50C-4766-B70A-70E163D8DC12");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&CUI=UN38570713292587031&q=");
Line Deleted : user_pref("browser.newtabpage.pinned", "[{\"url\":\"hxxp://www.tumblr.com/dashboard\",\"title\":\"Tumblr\"},{\"url\":\"hxxp://e-ly-clectic.tumblr.com/\",\"title\":\"eclectic\"},{\"url\":\"hxxp://www.1[...]
Line Deleted : user_pref("browser.search.defaultthis.engineName", "MixiDJ V30 Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&CUI=UN59498877821298233&UM=2&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3298566&octid=CT3298566&SearchSource=61&CUI=UN59498877821298233&UM=2&UP=SP2B0C4948-B50C-4766-B70A-70E163D8DC12");
Line Deleted : user_pref("ct2260173.UserID", "UN38570713292587031");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=E7509F62-F6D4-412D-A2CD-3E52CC05CB29&n=77fc41c0&p2=^YN^xdm068^YY^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.installation.installDate", "2013020608");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.installation.partnerId", "^YN^xdm068^YY^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.installation.partnerSubId", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.installation.toolbarId", "E7509F62-F6D4-412D-A2CD-3E52CC05CB29");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.lastActivePing", "1366311059175");
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._53Members_.weather.location", "90001");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "dailyfitnesscenter@mindspark.com");
Line Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&SearchSource=2&CUI=UN59498877821298233&UM=2&q=");
Line Deleted : user_pref("show.CT2260173", false);
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3298566");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3298566&CUI=UN59498877821298233&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3298566&octid=CT3298566&SearchSource[...]
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&SearchSource=2&CUI=UN59498877821298233&UM=2&q=");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3298566");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3298566");
Line Deleted : user_pref("smartbar.machineId", "TDSBETBRKDBDPZYUZCZGHD0RYDYCP52KFVD9PUPNAK+60TBSHP3G/BXYYDINDLGGRLOCUSRUWBVS/D2YADTABG");
Line Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3298566&CUI=UN59498877821298233&UM=2&SearchSource=13");

[ File : C:\Users\MamiPapi\AppData\Roaming\Mozilla\Firefox\Profiles\klfaw8e0.default\prefs.js ]


[ File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\hux4r3iz.default\prefs.js ]


-\\ Google Chrome v29.0.1547.66

[ File : C:\Users\Ely\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

[ File : C:\Users\MamiPapi\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [17118 octets] - [04/09/2013 08:33:54]
AdwCleaner[S0].txt - [15151 octets] - [04/09/2013 08:35:23]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [15212 octets] ##########
 
ComboFix 13-09-02.02 - Ely 09/04/2013   8:51.1.2 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2039.1289 [GMT -7:00]
Running from: c:\users\Ely\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ely\AppData\Local\Microsoft\Windows\Temporary Internet Files\debug20130904.log
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-04 to 2013-09-04  )))))))))))))))))))))))))))))))
.
.
2013-09-04 15:39 . 2013-09-04 15:39    --------    d-----w-    c:\windows\ERUNT
2013-09-04 15:33 . 2013-09-04 15:35    --------    d-----w-    C:\AdwCleaner
2013-09-04 04:56 . 2013-09-04 15:40    --------    d-----w-    c:\program files\Browsersafeguard
2013-09-04 04:55 . 2013-09-04 04:55    --------    d-----w-    c:\users\Ely\AppData\Local\Programs
2013-09-04 04:54 . 2013-09-04 04:54    --------    d-----w-    c:\users\Ely\AppData\Roaming\Cartwheel
2013-09-03 20:02 . 2013-08-06 07:28    7166848    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{132AD332-859C-40A1-AD73-9D1896EA1D67}\mpengine.dll
2013-08-14 23:51 . 2013-08-14 23:52    --------    d-----w-    c:\windows\system32\MRT
2013-08-14 21:52 . 2013-07-09 04:50    652800    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-08-14 21:52 . 2013-07-09 04:46    1166848    ----a-w-    c:\windows\system32\crypt32.dll
2013-08-14 21:52 . 2013-07-09 04:52    175104    ----a-w-    c:\windows\system32\wintrust.dll
2013-08-14 21:52 . 2013-07-09 04:46    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-08-14 21:52 . 2013-07-09 04:46    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-08-14 21:51 . 2013-07-09 05:03    3913664    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-08-14 21:51 . 2013-07-09 05:03    3968960    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-14 21:51 . 2013-07-09 04:53    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-08-14 21:51 . 2013-07-06 05:05    1293760    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-08-14 21:51 . 2013-07-25 08:57    1620992    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-08-14 21:51 . 2013-07-19 01:41    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-08-14 21:51 . 2013-06-15 03:40    918528    ----a-w-    c:\windows\system32\rdpcorets.dll
2013-08-14 21:51 . 2013-06-15 03:38    31232    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-22 04:01 . 2012-06-11 20:00    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-22 04:01 . 2012-06-11 20:00    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{B50DF051-E1D4-439C-B94E-F4DE82B56542}]
2013-08-02 22:36    282048    ----a-w-    c:\users\Ely\AppData\Roaming\Cartwheel\Cartwheel.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-04-05 59720]
"com.apple.dav.bookmarks.daemon"="c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe" [2013-04-05 59720]
"Spotify"="c:\users\Ely\AppData\Roaming\Spotify\spotify.exe" [2013-07-13 4640768]
"Spotify Web Helper"="c:\users\Ely\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-13 1104384]
"BrowserSafeguard"="c:\program files\Browsersafeguard\Browsersafeguard.exe" [2013-08-19 559616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-03-20 280576]
.
c:\users\Ely\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-21 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-02-05 235216]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-03 19:14    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-11 04:01]
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-04 06:31]
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-04 06:31]
.
2013-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2068472479-1417100870-2176393774-1001Core.job
- c:\users\MamiPapi\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 17:36]
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2068472479-1417100870-2176393774-1001UA.job
- c:\users\MamiPapi\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49195;https=127.0.0.1:49195
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
FF - ProfilePath - c:\users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\
FF - ExtSQL: 2013-09-03 21:54; {162C9CAB-86EA-44BC-A0FD-8D6C7678EC30}; c:\users\Ely\AppData\Roaming\Mozilla\Firefox\Profiles\i1i0v4so.default\extensions\{162C9CAB-86EA-44BC-A0FD-8D6C7678EC30}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
AddRemove-Browsersafeguard - c:\program files\Browsersafeguard\uninstall.browsersafeguard.exe
AddRemove-Define Ext - c:\users\Ely\AppData\Local\DefineExt\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-04  08:59:12
ComboFix-quarantined-files.txt  2013-09-04 15:59
.
Pre-Run: 948,183,040 bytes free
Post-Run: 1,249,517,568 bytes free
.
- - End Of File - - 01B928FEDE5628BE88E1297FBA0D0627
A36C5E4F47E84449FF07ED3517B43A31


Edited by boopme, 04 September 2013 - 09:17 PM.
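The logs in the post above contain three things a helper would look at first when a popup survives a cleanup: ComboFix lists a Browser Helper Object that loads Cartwheel.dll from the user's AppData\Roaming folder, a BrowserSafeguard Run entry that launches from the very folder JRT reported it could not delete, and an Internet Explorer ProxyServer setting that sends http and https traffic to 127.0.0.1:49195 on the local machine. The Python script below is an added example, not part of this thread and not code from JRT, AdwCleaner or ComboFix; it reads those line shapes (the regular expressions and the list of user-writable path markers are my assumptions based on the logs shown, not a documented log format), using lines copied from the logs above as embedded sample input, and reports the loopback proxy and every BHO or autostart entry that loads from a user-writable location or from a folder the cleaner failed to remove.

```python
import re

# Constructed sample input: lines copied from the JRT and ComboFix logs posted
# above, trimmed to the sections this triage reads, so the script runs offline.
SAMPLE_JRT = r"""
~~~ Folders

Failed to delete: [Folder] "C:\Program Files\browsersafeguard"
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{B50DF051-E1D4-439C-B94E-F4DE82B56542}]
2013-08-02 22:36    282048    ----a-w-    c:\users\Ely\AppData\Roaming\Cartwheel\Cartwheel.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\users\Ely\AppData\Roaming\Spotify\spotify.exe" [2013-07-13 4640768]
"BrowserSafeguard"="c:\program files\Browsersafeguard\Browsersafeguard.exe" [2013-08-19 559616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49195;https=127.0.0.1:49195
"""

# Line shapes below are assumptions taken from the logs shown, not a documented format.
JRT_FAILED = re.compile(r'^Failed to delete: \[Folder\] "([^"]+)"', re.I)
BHO_HEADER = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\.*Browser Helper Objects\\(\{[0-9A-F-]+\})\]$", re.I)
RUN_HEADER = re.compile(r"^\[HKEY_.*\\CurrentVersion\\Run(?:Once)?\]$", re.I)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
TRAILING_PATH = re.compile(r"([a-z]:\\\S.*)$", re.I)   # path at the end of a ComboFix file line

# Folders a standard user can write to; a BHO or autostart living there deserves a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def jrt_failed_folders(jrt_text):
    """Folders JRT reported it could not delete (lower-cased, with trailing backslash)."""
    out = []
    for line in jrt_text.splitlines():
        m = JRT_FAILED.match(line.strip())
        if m:
            out.append(m.group(1).lower().rstrip("\\") + "\\")
    return out


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage_combofix(combofix_text, failed_folders=()):
    """Return (loopback_proxies, load_points).

    loopback_proxies: ProxyServer values that route browser traffic to the local
    machine, a common sign of an ad-injecting proxy component.
    load_points: one dict per BHO and Run entry, flagged when it loads from a
    user-writable location or from a folder the cleaner failed to remove.
    """
    proxies, points = [], []
    section, bho_clsid = None, None
    for raw in combofix_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            section = None                      # ComboFix ends each block with a lone "."
            continue
        m = BHO_HEADER.match(line)
        if m:
            section, bho_clsid = "bho", m.group(1)
            continue
        if RUN_HEADER.match(line):
            section = "run"
            continue
        m = PROXY_LINE.match(line)
        if m and ("127.0.0.1" in m.group(1) or "localhost" in m.group(1).lower()):
            proxies.append(m.group(1))
            continue
        name, path = None, None
        if section == "bho":
            m = TRAILING_PATH.search(line)
            if m:
                name, path = bho_clsid, m.group(1)
        elif section == "run":
            m = RUN_VALUE.match(line)
            if m:
                name, path = m.group(1), m.group(2)
        if path:
            low = path.lower()
            points.append({
                "kind": section,
                "name": name,
                "path": path,
                "user_writable": is_user_writable(path),
                "in_failed_cleanup": any(low.startswith(f) for f in failed_folders),
            })
    return proxies, points


def flagged(points):
    """Load points worth a second look; legitimate software (Spotify here) can appear too."""
    return [p for p in points if p["user_writable"] or p["in_failed_cleanup"]]


if __name__ == "__main__":
    proxies, points = triage_combofix(SAMPLE_COMBOFIX, jrt_failed_folders(SAMPLE_JRT))
    for value in proxies:
        print("loopback proxy:", value)
    for p in flagged(points):
        print(f"{p['kind']} {p['name']} -> {p['path']} "
              f"(user-writable={p['user_writable']}, failed-cleanup={p['in_failed_cleanup']})")
```

The output is a review queue rather than a verdict: a program that installs per-user, such as Spotify in the sample, also runs from AppData\Roaming, so the "user-writable" flag means "check this", while an entry that still launches from a folder the cleaner could not delete is the one most likely to be restoring the unwanted behaviour after each reboot.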



#2 nasdaq


  • Malware Response Team
  • 22,357 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 September 2013 - 10:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 nasdaq


  • Malware Response Team
  • 22,357 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 September 2013 - 10:02 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq


  • Malware Response Team
  • 22,357 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 September 2013 - 09:24 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



