
Possibly Infected with a Worm


This topic is locked
20 replies to this topic

#1 Digital_Veil

  • Members
  • 259 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 PM

Posted 29 January 2013 - 09:16 AM

Hello BC,
As I've already posted in this thread, I've been having multiple problems with my PC for a couple of days, which I assume to be a rogue virus/worm of some kind. Things started when I switched on my PC yesterday to see Windows Explorer crashing continuously; I had the option to close or restart it, and restarting brought up the same error. I was unable to use Explorer or anything related to it and used the Task Manager to open Firefox through commands. I did some googling, opened the Event Manager and found out it was a thumbnail cache problem or something related to it. So I did a system cleanup, which cleaned up the cache, and the Explorer problem was gone. I am now able to use the PC normally but with certain problems.

Now I can browse and use Explorer properly, but whenever I open a folder or a drive from My Computer, it opens in a new window instead of the same window. I tried changing it through Folder Options and through the Registry Editor by deleting the MountPoint2 folder under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer, which from some sources I assume to be part of a worm, but it just came back when I opened the registry again.

I have Malwarebytes PRO installed and did both a quick scan and a flash scan and found no threats. I also downloaded Microsoft Security Essentials and did a full scan, which resulted in no positives either. In between the scans, all of a sudden the wallpaper I had went blank and was all white, and I was unable to right click on the desktop for some reason. So I again did some googling and did some regedit stuff, which fixed the error for me on rebooting. I just mention it since it might help you guys figure out the problem.

So that's about what has happened and almost all the detail I can provide. Now I'll post the log from the DDS scan below:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.9.2
Run by Raghu at 19:27:58 on 2013-01-29
#Option MBR scan is disabled.
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.91.1033.18.959.319 [GMT 5.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\capiws.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: QT Button Bar: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} -
TB: QTTabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} -
TB: QT Versatile Bar: {d2bf470e-ed1c-487f-a777-2bd8835eb6ce} -
TB: QT Management toolbar: {d2bf470e-ed1c-487f-a300-2bd8835eb6ce} -
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: Interfaces\{E6CF9E77-9C65-4569-919D-333F8E463FA3} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: QTTabBarLib.ExplorerProcessCaptor - {D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE} -
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\raghu\appdata\roaming\mozilla\firefox\profiles\dwn6rumk.default-1359022634761\
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\raghu\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-01-24 16:04; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\raghu\appdata\roaming\mozilla\firefox\profiles\dwn6rumk.default-1359022634761\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-25 06:52; isreaditlater@ideashower.com; c:\users\raghu\appdata\roaming\mozilla\firefox\profiles\dwn6rumk.default-1359022634761\extensions\isreaditlater@ideashower.com.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2012-8-1 35560]
R1 MpKslaea8ef53;MpKslaea8ef53;c:\programdata\microsoft\microsoft antimalware\definition updates\{db26d2f7-26e7-4ad0-9ddf-a37ba0233969}\MpKslaea8ef53.sys [2013-1-29 29904]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-10-11 34432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-14 21104]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-10-11 25088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
.
=============== Created Last 30 ================
.
2013-01-29 09:58:40 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db26d2f7-26e7-4ad0-9ddf-a37ba0233969}\offreg.dll
2013-01-29 09:58:40 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db26d2f7-26e7-4ad0-9ddf-a37ba0233969}\MpKslaea8ef53.sys
2013-01-29 09:24:58 740840 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{499fff20-271e-4510-ac9b-917944417880}\gapaengine.dll
2013-01-29 09:24:26 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db26d2f7-26e7-4ad0-9ddf-a37ba0233969}\mpengine.dll
2013-01-29 08:12:26 -------- d-----w- c:\program files\Microsoft Security Client
2013-01-28 17:25:35 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-28 17:22:33 -------- d-----w- c:\users\raghu\appdata\local\temp
2013-01-28 17:08:40 98816 ----a-w- c:\windows\sed.exe
2013-01-28 17:08:40 256000 ----a-w- c:\windows\PEV.exe
2013-01-28 17:08:40 208896 ----a-w- c:\windows\MBR.exe
2013-01-27 09:22:34 -------- d-----w- c:\users\raghu\appdata\local\JonathanLeger.com
2013-01-27 09:22:06 -------- d-----w- c:\program files\TheBestSpinner3
2013-01-27 06:27:04 -------- d-----w- c:\users\raghu\appdata\local\Adobe
2013-01-20 11:55:15 -------- d-----w- c:\program files\Ask.com
2013-01-20 11:51:23 -------- d-----w- c:\users\raghu\appdata\local\ManyCam
2013-01-20 11:51:22 -------- d-----w- c:\programdata\ManyCam
2013-01-20 11:51:20 -------- d-----w- c:\users\raghu\appdata\roaming\ManyCam
2013-01-20 11:39:31 -------- d-----w- c:\program files\ManyCam
2013-01-16 01:41:55 -------- d-----w- C:\Motion-Twin
2013-01-15 06:20:50 -------- d-----w- c:\program files\Citrix
2013-01-15 04:58:28 -------- d-----w- c:\users\raghu\appdata\local\Adobe-BackupByPhotoshopCS6Portable
2013-01-15 03:59:32 -------- d-----w- c:\users\raghu\appdata\roaming\Adobe-BackupByPhotoshopCS6Portable
2013-01-14 09:30:00 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-14 09:30:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-13 01:40:43 1187697 ----a-w- c:\windows\unins000.exe
2013-01-11 07:25:06 -------- d-----w- c:\users\raghu\appdata\local\{B57E115F-E6F6-4126-B8E4-3A8B09DD3A61}
2013-01-11 06:53:05 -------- d-----w- c:\users\raghu\appdata\roaming\ImTOO
2013-01-11 06:53:05 -------- d-----w- c:\program files\ImTOO
2013-01-11 06:15:41 -------- d-----w- c:\program files\Audacity
2013-01-06 05:58:00 -------- d-----w- c:\users\raghu\tor_service
2013-01-06 05:34:47 303616 ----a-w- c:\windows\IsUninst.exe
.
==================== Find3M ====================
.
2012-12-22 06:13:50 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-12-22 06:13:42 2174976 ----a-w- c:\program files\common files\atimpenc.dll
2012-12-14 01:37:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 01:37:00 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 19:30:38.35 ===============

I'll wait for any replies.
Regards,
TBH
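The DDS log above records the UAC policy values under mPolicies-System, among them EnableLUA = dword:0, ConsentPromptBehaviorAdmin = dword:0 and PromptOnSecureDesktop = dword:0. EnableLUA = 0 means User Account Control is switched off entirely: administrator accounts run every program with a full administrator token and no elevation prompt is ever shown, which is worth knowing before interpreting the rest of the log. The following Python script is an added example, not part of the original post or of DDS; it parses those policy lines (and the equivalent REGEDIT4-style lines that ComboFix prints later in this thread) and reports any value that differs from the Windows 7 default. The sample input is constructed from the values shown in the log, and the expected defaults are an assumption based on Microsoft's documented UAC defaults for Windows 7.

```python
"""Audit the UAC policy values reported in a DDS log (constructed sample below)."""
import re

# Windows 7 default values for the UAC settings under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# (assumption: defaults as documented by Microsoft; anything else is flagged).
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 1 = UAC on; 0 = UAC completely off
    "ConsentPromptBehaviorAdmin": 5,  # 5 = prompt admins for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # 3 = prompt standard users for credentials
    "PromptOnSecureDesktop": 1,       # 1 = show the elevation prompt on the secure desktop
}

# DDS "Pseudo HJT Report" form:   mPolicies-System: EnableLUA = dword:0
DDS_POLICY = re.compile(r"^[um]Policies-System:\s*(\w+)\s*=\s*dword:(\d+)\s*$")
# ComboFix "Reg Loading Points" form:   "EnableLUA"= 0 (0x0)
CF_POLICY = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$')

# Constructed sample: the policy lines from the DDS log in this post, verbatim.
SAMPLE_DDS = """
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

# Constructed sample: the same keys as ComboFix prints them in REGEDIT4 style.
SAMPLE_CF = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""


def parse_uac_policies(log_text):
    """Return {name: value} for every known UAC policy found, in either log format."""
    found = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DDS_POLICY.match(line) or CF_POLICY.match(line)
        if m and m.group(1) in UAC_EXPECTED:
            found[m.group(1)] = int(m.group(2))  # both formats print the value in decimal
    return found


def audit_uac(log_text):
    """Return sorted (name, observed, expected) triples for values that weaken UAC."""
    observed = parse_uac_policies(log_text)
    return sorted(
        (name, observed[name], expected)
        for name, expected in UAC_EXPECTED.items()
        if name in observed and observed[name] != expected
    )


def uac_disabled(log_text):
    """True when EnableLUA is 0: UAC is off, so the prompt settings no longer matter."""
    return parse_uac_policies(log_text).get("EnableLUA") == 0


if __name__ == "__main__":
    for label, sample in (("DDS", SAMPLE_DDS), ("ComboFix", SAMPLE_CF)):
        print(f"{label}: UAC disabled = {uac_disabled(sample)}")
        for name, got, want in audit_uac(sample):
            print(f"  {name} = {got} (Windows 7 default: {want})")
```

Run against the sample, the script flags ConsentPromptBehaviorAdmin, EnableLUA and PromptOnSecureDesktop; ConsentPromptBehaviorUser = 3 is the default and passes. Because EnableLUA is 0, the two prompt settings are moot until UAC is re-enabled, which is why uac_disabled is reported first. Malware is not the only thing that sets these values; a user who turned UAC off by hand produces the same log lines, so the finding is a prompt to ask, not a verdict.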



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,160 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:16 AM

Posted 02 February 2013 - 07:10 PM

Greetings The Big Helper and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please run these programs for me.


===================================================


Running TDSSKiller with Changed Parameters

--------------------

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please copy and paste the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please temporarily disable the real-time protection of any Antivirus, Antispyware or Antimalware programs. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow it when you are asked to download the AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • aswMBR log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Digital_Veil

  • Topic Starter
  • Members
  • 259 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 PM

Posted 02 February 2013 - 11:19 PM

Thanks for the reply Gary. So I've done all that you've instructed. After the TDSSKiller scan there were 2 log files, but the first one seemed to be just the startup log with little detail. I'm not sure whether you need it or not, but here's the actual long log file from TDSSKiller. It seems I can't include both logs in the same post since it says it's too long. So I'll paste the log from aswMBR here and a link for the TDSSKiller log since it's too long to fit. I hope it's alright!



-------------------------------------------------------------------------------------------------------------------------

aswMBR

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-03 08:47:14
-----------------------------
08:47:14.372 OS Version: Windows 6.1.7601 Service Pack 1
08:47:14.372 Number of processors: 1 586 0x409
08:47:14.372 ComputerName: RAGHU-PC UserName: Raghu
08:47:27.810 Initialize success
09:08:32.339 AVAST engine defs: 13020201
09:10:59.167 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4
09:10:59.167 Disk 0 Vendor: ST3802110A 3.AAE Size: 76319MB BusType: 3
09:10:59.198 Disk 0 MBR read successfully
09:10:59.214 Disk 0 MBR scan
09:10:59.417 Disk 0 Windows 7 default MBR code
09:10:59.479 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20002 MB offset 63
09:10:59.604 Disk 0 Partition - 00 0F Extended LBA 56305 MB offset 40965750
09:10:59.636 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 20002 MB offset 40965813
09:10:59.761 Disk 0 Partition - 00 05 Extended 18002 MB offset 81931500
09:10:59.792 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 18002 MB offset 81931563
09:10:59.854 Disk 0 Partition - 00 05 Extended 18300 MB offset 159766425
09:10:59.870 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 18300 MB offset 118800738
09:10:59.964 Disk 0 scanning sectors +156280320
09:11:00.667 Disk 0 scanning C:\Windows\system32\drivers
09:11:30.651 Service scanning
09:12:03.511 Service MpKsl8b403ef5 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\MpKsl8b403ef5.sys **LOCKED** 32
09:12:50.667 Modules scanning
09:13:28.464 Disk 0 trace - called modules:
09:13:28.495 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
09:13:28.511 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84eaa460]
09:13:28.526 3 CLASSPNP.SYS[86fbd59e] -> nt!IofCallDriver -> [0x84e0f918]
09:13:28.542 5 ACPI.sys[86ca53d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-4[0x84df4030]
09:13:29.261 AVAST engine scan C:\Windows
09:13:40.870 AVAST engine scan C:\Windows\system32
09:20:16.354 AVAST engine scan C:\Windows\system32\drivers
09:20:50.964 AVAST engine scan C:\Users\Raghu
09:21:04.870 File: C:\Users\Raghu\AppData\Local\Apps\2.0\OT4587CV.LLY\Q0BATZ6O.Z2L\cash..tion_e4d3262ec3531220_0001.0000_152f2051b21a47a5\GopherPopUp.dll **INFECTED** Win32:Adware-gen [Adw]
09:21:04.995 File: C:\Users\Raghu\AppData\Local\Apps\2.0\OT4587CV.LLY\Q0BATZ6O.Z2L\goph..opup_2391b11f0e6c431a_0001.0001_none_3d77891f7902f72f\GopherPopUp.dll **INFECTED** Win32:Adware-gen [Adw]
09:28:21.684 AVAST engine scan C:\ProgramData
09:30:58.824 Scan finished successfully
09:39:32.153 Disk 0 MBR has been saved successfully to "C:\Users\Raghu\Desktop\MBR.dat"
09:39:32.310 The log file has been saved successfully to "C:\Users\Raghu\Desktop\aswMBR.txt"


-------------------------------------------------------------------------------------------------------------------

TDSSKiller

http://pastebin.com/JtTfbw87

That's it! I'll wait for your reply.
Thanks!

Regards, TBH :)

#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,160 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:16 AM

Posted 03 February 2013 - 08:24 AM

Greetings,

Yes, that was perfect. Please run this program for me now.


===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover, which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running, please do one of the following. If, based on the below, you have concluded ComboFix has stopped running, please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue.

If Combofix fails to run properly using the above instructions please attempt the following:

  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Digital_Veil

  • Topic Starter
  • Members
  • 259 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 PM

Posted 03 February 2013 - 09:08 AM

Here it is!
ComboFix 13-02-02.05 - Raghu 03-02-2013 19:18:19.2.1 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.91.1033.18.959.395 [GMT 5.5:30]
Running from: c:\users\Raghu\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Raghu\AppData\Roaming\Love
c:\users\Raghu\AppData\Roaming\Love\mari0\options.txt
.
.
((((((((((((((((((((((((( Files Created from 2013-01-03 to 2013-02-03 )))))))))))))))))))))))))))))))
.
.
2013-02-03 14:00 . 2013-02-03 14:01 -------- d-----w- c:\users\Raghu\AppData\Local\temp
2013-02-03 14:00 . 2013-02-03 14:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-03 13:44 . 2013-02-03 13:44 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\MpKsl659d7f75.sys
2013-02-03 03:07 . 2013-02-03 03:07 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\MpKsl8b403ef5.sys
2013-01-29 09:58 . 2013-02-03 13:31 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\offreg.dll
2013-01-29 09:24 . 2013-01-29 09:24 740840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{499FFF20-271E-4510-AC9B-917944417880}\gapaengine.dll
2013-01-29 09:24 . 2013-01-07 15:27 6991832 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\mpengine.dll
2013-01-29 08:12 . 2013-01-29 08:13 -------- d-----w- c:\program files\Microsoft Security Client
2013-01-27 09:22 . 2013-01-27 09:22 -------- d-----w- c:\users\Raghu\AppData\Local\JonathanLeger.com
2013-01-27 09:22 . 2013-01-27 09:25 -------- d-----w- c:\program files\TheBestSpinner3
2013-01-20 11:55 . 2013-01-20 11:55 -------- d-----w- c:\program files\Ask.com
2013-01-20 11:51 . 2013-01-20 11:52 -------- d-----w- c:\users\Raghu\AppData\Local\ManyCam
2013-01-20 11:51 . 2013-01-20 11:51 -------- d-----w- c:\programdata\ManyCam
2013-01-20 11:51 . 2013-01-20 11:52 -------- d-----w- c:\users\Raghu\AppData\Roaming\ManyCam
2013-01-20 11:39 . 2013-01-20 11:51 -------- d-----w- c:\program files\ManyCam
2013-01-16 01:41 . 2013-01-16 01:42 -------- d-----w- C:\Motion-Twin
2013-01-15 06:20 . 2013-01-15 06:20 -------- d-----w- c:\program files\Citrix
2013-01-15 04:58 . 2013-01-16 07:54 -------- d-----w- c:\users\Raghu\AppData\Local\Adobe
2013-01-14 09:30 . 2013-01-14 09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-14 09:30 . 2012-12-14 11:19 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-11 06:53 . 2013-01-11 06:53 -------- d-----w- c:\users\Raghu\AppData\Roaming\ImTOO
2013-01-11 06:53 . 2013-01-11 06:53 -------- d-----w- c:\program files\ImTOO
2013-01-11 06:16 . 2013-01-11 07:56 -------- d-----w- c:\users\Raghu\AppData\Roaming\Audacity
2013-01-11 06:15 . 2013-01-11 06:16 -------- d-----w- c:\program files\Audacity
2013-01-06 05:58 . 2013-01-06 06:03 -------- d-----w- c:\users\Raghu\tor_service
2013-01-06 05:34 . 1997-11-19 10:19 303616 ----a-w- c:\windows\IsUninst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-22 06:13 . 2012-12-22 06:13 421888 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-12-22 06:13 . 2012-12-22 06:13 2174976 ----a-w- c:\program files\Common Files\atimpenc.dll
2012-12-14 01:37 . 2012-06-17 06:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 01:37 . 2012-06-17 06:06 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-19 06:45 . 2013-01-19 06:44 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-06-17 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d2bf470e-ed1c-487f-a300-2bd8835eb6ce}"= "mscoree.dll" [2010-11-20 297808]
.
[HKEY_CLASSES_ROOT\clsid\{d2bf470e-ed1c-487f-a300-2bd8835eb6ce}]
[HKEY_CLASSES_ROOT\QTTabBarLib.QManagementBar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"= "mscoree.dll" [2010-11-20 297808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OpenVPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OpenVPN Client.lnk
backup=c:\windows\pss\OpenVPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2012-12-19 17:20 1645856 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoclk]
2009-10-12 12:03 126976 ----a-w- c:\windows\autoclk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-12-14 11:19 512360 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2012-12-05 06:37 5379472 ----a-w- c:\program files\ManyCam\Bin\ManyCam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 15:26 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 03:34 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 OpenVPNAccessClient;OpenVPN Access Client;c:\program files\OpenVPN Technologies\OpenVPN Client\core\capiws.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]
S1 MpKsl659d7f75;MpKsl659d7f75;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\MpKsl659d7f75.sys [x]
S1 MpKsl8b403ef5;MpKsl8b403ef5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB26D2F7-26E7-4AD0-9DDF-A37BA0233969}\MpKsl8b403ef5.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [x]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL659D7F75
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: Interfaces\{E6CF9E77-9C65-4569-919D-333F8E463FA3}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\
FF - ExtSQL: 2013-01-31 15:11; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-31 15:54; isreaditlater@ideashower.com; c:\users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\extensions\isreaditlater@ideashower.com.xpi
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-23831744.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-03 19:33:44
ComboFix-quarantined-files.txt 2013-02-03 14:03
ComboFix2.txt 2013-01-28 17:30
.
Pre-Run: 3,632,406,528 bytes free
Post-Run: 3,766,661,120 bytes free
.
- - End Of File - - 945751F78D4F1C0D73100B5925DC3A64

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,160 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:16 AM

Posted 03 February 2013 - 09:17 AM

Thank you for the information. What symptoms are you experiencing now?

I will be away from my computer for about 4 hours or so (Sunday) but I will certainly post back after that.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 Digital_Veil

Digital_Veil
  • Topic Starter

  • Members
  • 259 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 PM

Posted 04 February 2013 - 09:37 AM

Explorer windows are opening in a new window. I also suspect the presence of some kind of malicious program. Today MSE detected an adware which I've quarantined for now. Another thing: I installed QtTabBar, which is like an extension to Explorer that allows tabbed windows, from SourceForge, but now I can't seem to remove it :-S I thought I would uninstall it since I did not quite like its functions. So I went into Control Panel and can't find QtTabBar. But on right-clicking the taskbar, I can see it's still installed.

And here are the MSE detections that I've quarantined:
I tried using CCleaner's built-in uninstaller but it too did not find the program in the list. So any help would be appreciated!

Edited by The Big Helper, 04 February 2013 - 09:39 AM.


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,160 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:16 AM

Posted 04 February 2013 - 11:12 AM

Greetings,

So when you are in Windows Explorer and you click a folder to expand the contents it doesn't do that but instead simply launches a second Windows Explorer screen?

Please run these for me.


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document

    ClearJavaCache::
  • Save this on your desktop as CFScript.txt.



  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================


AdwCleaner by Xplode - Search for Adware

-------------------

  • Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Search
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix log
  • Explorer symptoms
  • AdwCleaner log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 Digital_Veil

Digital_Veil
  • Topic Starter

  • Members
  • 259 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 PM

Posted 07 February 2013 - 09:53 PM

Hello Gary,

I'm extremely sorry for the delay but I had no time whatsoever to run the scans and post the log. I hope it's alright. Here are my logs:

 

AdwCleaner

 

# AdwCleaner v2.111 - Logfile created 02/08/2013 at 07:41:54
# Updated 05/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Raghu - RAGHU-PC
# Boot Mode : Normal
# Running from : C:\Users\Raghu\Downloads\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\END
Folder Found : C:\Program Files\Ask.com
Folder Found : C:\Program Files\Conduit
Folder Found : C:\ProgramData\Ask
Folder Found : C:\Users\Raghu\AppData\Local\Conduit
Folder Found : C:\Users\Raghu\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Raghu\AppData\LocalLow\Conduit
Folder Found : C:\Users\Raghu\AppData\LocalLow\PriceGong
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\StartSearch
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3067601
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\Software\PIP
Key Found : HKU\S-1-5-21-306219716-897267522-1200711480-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6573 octets] - [08/02/2013 07:41:54]

########## EOF - C:\AdwCleaner[R1].txt - [6633 octets] ##########
 

------------------------------------------------------------------------------------------------------------------------------------------

 

Combofix Log

 

ComboFix 13-02-03.03 - Raghu 08-02-2013   7:59.3.1 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.91.1033.18.959.322 [GMT 5.5:30]
Running from: c:\users\Raghu\Desktop\ComboFix.exe
Command switches used :: c:\users\Raghu\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-08 to 2013-02-08  )))))))))))))))))))))))))))))))
.
.
2013-02-08 02:40 . 2013-02-08 02:40    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-08 02:18 . 2013-02-08 02:18    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8A3989C-789E-474E-B61F-EB39AA12C54B}\MpKsl9dce3dff.sys
2013-02-07 13:59 . 2013-01-07 15:27    6991832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8A3989C-789E-474E-B61F-EB39AA12C54B}\mpengine.dll
2013-02-06 11:24 . 2013-01-07 15:27    6991832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-03 14:03 . 2013-02-08 02:40    --------    d-----w-    c:\users\Raghu\AppData\Local\temp
2013-01-29 09:24 . 2013-01-29 09:24    740840    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{499FFF20-271E-4510-AC9B-917944417880}\gapaengine.dll
2013-01-29 08:12 . 2013-01-29 08:13    --------    d-----w-    c:\program files\Microsoft Security Client
2013-01-27 09:22 . 2013-01-27 09:22    --------    d-----w-    c:\users\Raghu\AppData\Local\JonathanLeger.com
2013-01-27 09:22 . 2013-01-27 09:25    --------    d-----w-    c:\program files\TheBestSpinner3
2013-01-20 11:55 . 2013-01-20 11:55    --------    d-----w-    c:\program files\Ask.com
2013-01-20 11:51 . 2013-01-20 11:52    --------    d-----w-    c:\users\Raghu\AppData\Local\ManyCam
2013-01-20 11:51 . 2013-01-20 11:51    --------    d-----w-    c:\programdata\ManyCam
2013-01-20 11:51 . 2013-01-20 11:52    --------    d-----w-    c:\users\Raghu\AppData\Roaming\ManyCam
2013-01-20 11:39 . 2013-01-20 11:51    --------    d-----w-    c:\program files\ManyCam
2013-01-16 01:41 . 2013-01-16 01:42    --------    d-----w-    C:\Motion-Twin
2013-01-15 06:20 . 2013-01-15 06:20    --------    d-----w-    c:\program files\Citrix
2013-01-15 04:58 . 2013-01-16 07:54    --------    d-----w-    c:\users\Raghu\AppData\Local\Adobe
2013-01-14 09:30 . 2013-01-14 09:42    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-01-14 09:30 . 2012-12-14 11:19    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-01-11 06:53 . 2013-01-11 06:53    --------    d-----w-    c:\users\Raghu\AppData\Roaming\ImTOO
2013-01-11 06:53 . 2013-01-11 06:53    --------    d-----w-    c:\program files\ImTOO
2013-01-11 06:16 . 2013-01-11 07:56    --------    d-----w-    c:\users\Raghu\AppData\Roaming\Audacity
2013-01-11 06:15 . 2013-01-11 06:16    --------    d-----w-    c:\program files\Audacity
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-16 19:58 . 2012-06-17 05:46    232336    ------w-    c:\windows\system32\MpSigStub.exe
2012-12-22 06:13 . 2012-12-22 06:13    421888    ----a-w-    c:\windows\system32\RealMediaSplitter.ax
2012-12-22 06:13 . 2012-12-22 06:13    2174976    ----a-w-    c:\program files\Common Files\atimpenc.dll
2012-12-14 01:37 . 2012-06-17 06:06    73656    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 01:37 . 2012-06-17 06:06    697272    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-06 02:56 . 2013-02-06 02:55    262552    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-06-17 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d2bf470e-ed1c-487f-a300-2bd8835eb6ce}"= "mscoree.dll" [2010-11-20 297808]
.
[HKEY_CLASSES_ROOT\clsid\{d2bf470e-ed1c-487f-a300-2bd8835eb6ce}]
[HKEY_CLASSES_ROOT\QTTabBarLib.QManagementBar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"= "mscoree.dll" [2010-11-20 297808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OpenVPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OpenVPN Client.lnk
backup=c:\windows\pss\OpenVPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2012-12-19 17:20    1645856    ----a-w-    c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoclk]
2009-10-12 12:03    126976    ----a-w-    c:\windows\autoclk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-12-14 11:19    512360    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2012-12-05 06:37    5379472    ----a-w-    c:\program files\ManyCam\Bin\ManyCam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 15:26    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 03:34    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 OpenVPNAccessClient;OpenVPN Access Client;c:\program files\OpenVPN Technologies\OpenVPN Client\core\capiws.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]
S1 MpKsl9dce3dff;MpKsl9dce3dff;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8A3989C-789E-474E-B61F-EB39AA12C54B}\MpKsl9dce3dff.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [x]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL9DCE3DFF
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: Interfaces\{E6CF9E77-9C65-4569-919D-333F8E463FA3}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\
FF - ExtSQL: 2013-01-31 15:11; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-31 15:54; isreaditlater@ideashower.com; c:\users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\extensions\isreaditlater@ideashower.com.xpi
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-08  08:12:55
ComboFix-quarantined-files.txt  2013-02-08 02:42
ComboFix2.txt  2013-01-28 17:30
.
Pre-Run: 3,349,561,344 bytes free
Post-Run: 3,348,119,552 bytes free
.
- - End Of File - - 5FB7B9710FEFB91E0C6ED9613FDEAE9A
 

-----------------------

 

Explorer Symptoms

 

  • The first one still exists. I can't open any folders or drives in the same window.
  • QTTab Desktop Tool still appears when right-clicking the taskbar; I can't find it in Add/Remove Programs in Control Panel.

 

Thanks
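
A small triage pass over the ComboFix "Reg Loading Points" and service lines in the log above, as an added example that is not part of this thread or of ComboFix itself. It parses the registry blocks, flags the UAC policy values that sit at their weakest setting (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0 in this log), lists ShellExecuteHooks entries, a known autostart location that deserves a look during cleanup, and turns the R*/S* service lines into records. The sample text is constructed from the log's own format; all function names are mine.

```python
"""Triage of ComboFix "Reg Loading Points" and service lines (added example).

Not part of the thread or of ComboFix. The sample text is constructed in the
format of the log above; the UAC value names are real Windows policy values.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's own layout (values copied from the log above).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"= "mscoree.dll" [2010-11-20 297808]
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# "<start type> <name>;<display name>;<path> [x]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[x\])?$')

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
HOOK_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"

# UAC policy value -> (weakest setting, what that setting means)
UAC_CHECKS = {
    "EnableLUA": (0, "UAC is switched off; admin accounts run everything with the full token"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


def parse_reg_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"name"= data' lines under the [key] line that precedes them.

    Keys are lower-cased because ComboFix prints them in mixed case."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            blocks.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            blocks[current][value.group(1)] = value.group(2).strip()
    return blocks


def _dword(data: str) -> int:
    """ComboFix prints DWORDs as '3 (0x3)'; return the decimal part."""
    return int(data.split()[0])


def uac_findings(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Report UAC policy values that sit at their weakest setting."""
    policy = blocks.get(POLICY_KEY, {})
    findings = []
    for name, (weak, meaning) in UAC_CHECKS.items():
        if name in policy and _dword(policy[name]) == weak:
            findings.append(f"{name}={weak}: {meaning}")
    return findings


def shell_execute_hooks(blocks: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (CLSID, DLL) pairs registered as ShellExecuteHooks, a known
    autostart location: the DLL is loaded into the shell when ShellExecute runs."""
    hooks = []
    for clsid, data in blocks.get(HOOK_KEY, {}).items():
        quoted = re.match(r'"([^"]+)"', data)
        hooks.append((clsid, quoted.group(1) if quoted else data))
    return hooks


def parse_services(text: str) -> List[dict]:
    """Turn the R*/S* service and driver lines into records for review."""
    rows = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            rows.append({"start": m.group(1), "name": m.group(2),
                         "display": m.group(3), "path": m.group(4)})
    return rows


if __name__ == "__main__":
    parsed = parse_reg_blocks(SAMPLE_LOG)
    for finding in uac_findings(parsed):
        print("UAC:", finding)
    for clsid, dll in shell_execute_hooks(parsed):
        print("ShellExecuteHook:", clsid, "->", dll)
    for svc in parse_services(SAMPLE_LOG):
        print(f"{svc['start']} {svc['name']:<20} {svc['path']}")
```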



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,160 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:16 AM

Posted 07 February 2013 - 10:57 PM

Greetings,

Please do the following for me.


===================================================


AdwCleaner by Xplode - Delete Adware

-------------------

  • Close all open programs and internet browser
  • Double click on adwcleaner.exe
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt

===================================================


Modifying Folder Options in Windows 7

-------------------

  • Click Start, Control Panel, then Folder Options
  • Click the General tab
  • Under Browse Folders select Open each folder in the same window
  • Click the View tab
  • Under Advanced settings, Hidden files and folders, uncheck Launch folder windows in a separate process
  • Click Apply, then OK

===================================================


SystemLook by jpshortstuff

-------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

    :filefind
    QTTab.*
    :regfind
    QTTab
    :reg
    HKEY_CLASSES_ROOT\Directory\shell

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • AdwCleaner log
  • Folder Options correct now?
  • SystemLook log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,160 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:16 AM

Posted 07 February 2013 - 10:57 PM

Greetings,

Please do the following for me.

I apologize for the formatting issues. The system is being updated.


===================================================


AdwCleaner by Xplode - Delete Adware

-------------------

  • Close all open programs and internet browser
  • Double click on adwcleaner.exe
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt

===================================================


Modifying Folder Options in Windows 7

-------------------

  • Click Start, Control Panel, then Folder Options
  • Click the General tab
  • Under Browse Folders select Open each folder in the same window
  • Click the View tab
  • Under Advanced settings, Hidden files and folders, uncheck Launch folder windows in a separate process
  • Click Apply, then OK

===================================================


SystemLook by jpshortstuff

-------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

    :filefind
    QTTab.*
    :regfind
    QTTab
    :reg
    HKEY_CLASSES_ROOT\Directory\shell

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • AdwCleaner log
  • Folder Options correct now?
  • SystemLook log
  • How is your computer running?

Edited by Oh My, 07 February 2013 - 11:07 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Digital_Veil

Digital_Veil
  • Topic Starter

  • Members
  • 259 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 PM

Posted 08 February 2013 - 12:23 AM

AdwCleaner Log

 

# AdwCleaner v2.111 - Logfile created 02/08/2013 at 10:46:15
# Updated 05/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Raghu - RAGHU-PC
# Boot Mode : Normal
# Running from : C:\Users\Raghu\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\Raghu\AppData\Local\Conduit
Folder Deleted : C:\Users\Raghu\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Raghu\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Raghu\AppData\LocalLow\PriceGong
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\StartSearch
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3067601
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\PIP

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\Raghu\AppData\Roaming\Mozilla\Firefox\Profiles\kxinrq33.default-1359620333012\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6702 octets] - [08/02/2013 07:41:54]
AdwCleaner[S1].txt - [6490 octets] - [08/02/2013 10:46:15]

########## EOF - C:\AdwCleaner[S1].txt - [6550 octets] ##########
 

--------------------------------------------------------------------------------------------------

 

I already tried the steps you provided in Folder Options before I even posted this log but I made sure those settings were configured right. So yeah, the settings are correct now.

 

 

 

SystemLook log

 

SystemLook 30.07.11 by jpshortstuff
Log created at 10:41 on 08/02/2013 by Raghu
Administrator - Elevation successful

========== filefind ==========

Searching for "QTTab.*"
No files found.

========== regfind ==========

Searching for "QTTab"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.QTTabGroup]
[HKEY_CURRENT_USER\Software\Quizo\QTTabBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.QTTabGroup]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.QTTabGroup]
@="QTTabBarLib.QGroupOpener"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.QManagementBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.QManagementBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.QManagementBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}]
@="QTTabBar - Bottom"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}]
"MenuText"="QTTabBar - Bottom"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}]
"HelpText"="QTTabBar - Bottom"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.QTHorizontalExplorerBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.QTHorizontalExplorerBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A301-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.QTHorizontalExplorerBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A444-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.QGroupOpener"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A444-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A444-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.QGroupOpener"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A444-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A444-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.QGroupOpener"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.QTDesktopTool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.QTDesktopTool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.QTDesktopTool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A888-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.QTVersatileBarVertical"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A888-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A888-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.QTVersatileBarVertical"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A888-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A888-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.QTVersatileBarVertical"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A999-2BD8835EB6CE}]
@="QTTabBarLib.ExplorerCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A999-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.ExplorerCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A999-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A999-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.ExplorerCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A999-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A999-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.ExplorerCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}]
@="QTTabBarLib.ExplorerProcessCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}\InprocServer32]
"Class"="QTTabBarLib.ExplorerProcessCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}\InprocServer32]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Class"="QTTabBarLib.ExplorerProcessCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}\InprocServer32\1.0.0.0]
"Assembly"="QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}\ProgId]
@="QTTabBarLib.ExplorerProcessCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerCaptor]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerCaptor]
@="QTTabBarLib.ExplorerCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerProcessCaptor]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerProcessCaptor]
@="QTTabBarLib.ExplorerProcessCaptor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QGroupOpener]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QGroupOpener]
@="QTTabBar Group File"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QManagementBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QManagementBar]
@="QTTabBarLib.QManagementBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTDesktopTool]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTDesktopTool]
@="QTTabBarLib.QTDesktopTool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTHorizontalExplorerBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTHorizontalExplorerBar]
@="QTTabBarLib.QTHorizontalExplorerBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBar]
@="QTTabBarLib.QTVersatileBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBarVertical]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBarVertical]
@="QTTabBarLib.QTVersatileBarVertical"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\66308896\149d2613\c1]
"DisplayName"="QTTabBar,1.0.0.0,,973461f1cd23d8eb"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4f2e8882\66308896\c1]
"DisplayName"="QTTabBar,1.0.0.0,,973461f1cd23d8eb"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\6c10f708\3c51361a\85]
"DisplayName"="QTTabBar,1.0.0.0,,78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\4f2e8882\6c10f708\81]
"DisplayName"="QTTabBar,1.0.0.0,,78a0cde69b47ca25"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"="QTTabBarLib.ExplorerProcessCaptor"
[HKEY_USERS\S-1-5-21-306219716-897267522-1200711480-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.QTTabGroup]
[HKEY_USERS\S-1-5-21-306219716-897267522-1200711480-1000\Software\Quizo\QTTabBar]

========== reg ==========

[HKEY_CLASSES_ROOT\Directory\shell]
@="none"

[HKEY_CLASSES_ROOT\Directory\shell\AddToPlaylistUMP]

[HKEY_CLASSES_ROOT\Directory\shell\cmd]

[HKEY_CLASSES_ROOT\Directory\shell\find]

[HKEY_CLASSES_ROOT\Directory\shell\PlayWithUMP]

[HKEY_CLASSES_ROOT\Directory\shell\runas]


-= EOF =-

 

----------------------------------------------------------------------------------------------

 

I still have the explorer problem :'( Cannot open folders/drives in the same explorer window.


Edited by The Big Helper, 08 February 2013 - 01:05 AM.


#13 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,160 posts
  • Gender:Male
  • Location:California

Posted 08 February 2013 - 09:44 AM

Greetings,

Please forgive any scripting format irregularities you might find as we upgrade our system to better serve you.

Thanks for double checking the folder settings. I wanted to be sure of that before we take more invasive actions.

As you can see, you still have lots of QTTabBar registry entries left. We will take care of that.

Please do this.


===================================================


ERUNT Registry Backup

--------------------
  • Please download ERUNT (Emergency Recovery Utility for NT) and save it to your desktop
  • Double click the icon
  • Select Run
  • Click OK, then click Next 3 times until you receive the Select Additional Tasks screen
  • Uncheck Create NTREGOPT desktop icon box
  • Select Next, then Install, then No
  • Uncheck Show documentation then Finish
  • Click OK, then OK again, then Yes
  • ERUNT will now back up your registry
  • Once completed click OK

    ===================================================


    Registry Fix

    -------------------
    • Press the Windows key + r on your keyboard at the same time
    • Type Notepad and press Enter
    • Copy/paste the following bold text inside the code box into a new notepad document.

      ----------

      Windows Registry Editor Version 5.00

      [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.QTTabGroup]
      [-HKEY_CURRENT_USER\Software\Quizo\QTTabBar]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.QTTabGroup]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerCaptor]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerProcessCaptor]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QGroupOpener]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QManagementBar]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTDesktopTool]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTHorizontalExplorerBar]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBar]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBarVertical]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\66308896\149d2613\c1]
      "DisplayName"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4f2e8882\66308896\c1]
      "DisplayName"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\6c10f708\3c51361a\85]
      "DisplayName"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\4f2e8882\6c10f708\81]
      "DisplayName"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
      "{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"=-
      [-HKEY_USERS\S-1-5-21-306219716-897267522-1200711480-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.QTTabGroup]
      [-HKEY_USERS\S-1-5-21-306219716-897267522-1200711480-1000\Software\Quizo\QTTabBar]


      ----------
    • Click File, then Save As... .
    • Click Desktop on the left.
    • Under the Save as type dropdown, select All Files.
    • In the box File Name, input TB.reg.
    • Click Save.
    • Double click TB.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.
    • Delete TB.reg after use.
    • Reboot your computer
    ===================================================


    Running a Batch (.bat) Script

    -------------------
    • Press the Windows key + r on your keyboard at the same time
    • Type Notepad and press enter
    • Copy and paste the following bold text into the Notepad document:

      ----------

      @echo off

      :: 32 bit and 64 bit
      IF EXIST "%SystemRoot%\System32\actxprxy.dll" "%SystemRoot%\System32\regsvr32.exe" "%SystemRoot%\System32\actxprxy.dll"
      IF EXIST "%ProgramFiles%\Internet Explorer\ieproxy.dll" "%SystemRoot%\System32\regsvr32.exe" "%ProgramFiles%\Internet Explorer\ieproxy.dll"

      :: 64 bit only (32bit on 64 bit)
      IF EXIST "%WinDir%\SysWOW64\actxprxy.dll" "%WinDir%\SysWOW64\regsvr32.exe" "%WinDir%\SysWOW64\actxprxy.dll"
      IF EXIST "%ProgramFiles(x86)%\Internet Explorer\ieproxy.dll" "%WinDir%\SysWOW64\regsvr32.exe" "%ProgramFiles(x86)%\Internet Explorer\ieproxy.dll"
      :: Schedule the reboot first, then remove this script: cmd.exe reads a batch
      :: file line by line, so nothing placed after the line that deletes it runs.
      shutdown /r /t 05
      del "%~f0"


      ----------
    • Click File, then Save As... .
    • Click Desktop on the left.
    • Under the Save as type dropdown, select All Files.
    • In the box File Name, input Folder.bat.
    • Click Save.
    • Close the Notepad
    • Locate and double-click Folder.bat on the desktop
    • A black CMD window will flash, then disappear
    • Your computer should reboot automatically
    • Check your folders
    ===================================================


    Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Did ERUNT run successfully?
  • Did the Registry script run successfully?
  • Did the Batch file run successfully?
  • How is your computer behaving?

Edited by Oh My, 08 February 2013 - 09:47 AM.

Gary
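Before merging a registry script posted in a thread like this one, it helps to know exactly which keys and values it will remove and whether any line does something other than remove. The following Python script is an added example, not code from this thread or from any tool mentioned in it. It parses the subset of the "Windows Registry Editor Version 5.00" format that cleanup scripts use ([-key] deletes a key, "name"=- deletes a value, anything else sets a value), lists the planned deletions and sets, and warns when a script that otherwise only deletes also sets a value, which is usually a line copied from a scan log where "name"=- was intended. SAMPLE is a constructed, shortened copy of the keys in the script above with one such set line left in on purpose; RegPlan, parse_reg_script and summarize are names chosen for this example.

```python
"""Dry-run a Windows .reg cleanup script: report what it deletes and what it sets.

Added example (not code from this thread or from any tool named in it).
Handles the REGEDIT 5.00 subset used by cleanup scripts:
[-key] deletes a key, "name"=- deletes a value, anything else sets a value.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# Value name is @ (the key's default value) or a double-quoted string;
# data is whatever follows the '=' after the name.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample: a shortened copy of the cleanup script posted above,
# with one value deliberately SET instead of deleted to show the warning.
SAMPLE = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Quizo\QTTabBar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\66308896\149d2613\c1]
"DisplayName"="QTTabBar,1.0.0.0,,973461f1cd23d8eb"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4f2e8882\66308896\c1]
"DisplayName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"=-
"""


@dataclass
class RegPlan:
    delete_keys: List[str] = field(default_factory=list)
    delete_values: List[Tuple[str, str]] = field(default_factory=list)      # (key, name)
    set_values: List[Tuple[str, str, str]] = field(default_factory=list)    # (key, name, data)
    warnings: List[str] = field(default_factory=list)


def _logical_lines(text: str) -> List[str]:
    """Drop blanks and ';' comments; re-join hex data wrapped with a trailing backslash."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line = pending + line
        pending = ""
        if line and not line.startswith(";"):
            out.append(line)
    return out


def parse_reg_script(text: str) -> RegPlan:
    plan = RegPlan()
    lines = _logical_lines(text)
    if not lines or lines[0] not in HEADERS:
        plan.warnings.append("missing REGEDIT header line; regedit refuses such a file")
    else:
        lines = lines[1:]
    key, key_deleted = None, False
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key_deleted, key = m.group(1) == "-", m.group(2)
            if key_deleted:
                plan.delete_keys.append(key)
            continue
        m = VALUE_RE.match(line)
        if not m:
            plan.warnings.append(f"unparseable line: {line}")
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]  # escapes left as written
        data = m.group(2)
        if key is None:
            plan.warnings.append(f"value {name} appears before any [key] line")
        elif key_deleted:
            plan.warnings.append(f"value {name} listed under a key that is itself deleted: {key}")
        elif data == "-":
            plan.delete_values.append((key, name))
        else:
            plan.set_values.append((key, name, data))
    # A script that removes things should not also be setting values: a set line in
    # a cleanup script is usually a value copied from a scan log where "name"=- was meant.
    if plan.delete_keys or plan.delete_values:
        for k, name, data in plan.set_values:
            plan.warnings.append(f'SETS "{name}"={data} under {k}; did you mean "{name}"=- ?')
    return plan


def summarize(plan: RegPlan) -> str:
    lines = [f"{len(plan.delete_keys)} key(s) deleted, {len(plan.delete_values)} value(s) deleted, "
             f"{len(plan.set_values)} value(s) set"]
    lines += [f"  WARNING: {w}" for w in plan.warnings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_reg_script(SAMPLE)))
```

Run it against any .reg file before double-clicking it; a clean cleanup script reports only deletions and no warnings. The header check matters because regedit silently refuses a file whose first line is not the version banner, which looks just like a script that "did not register".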

#14 Digital_Veil
  • Topic Starter
  • Members
  • 259 posts
  • Gender:Male

Posted 09 February 2013 - 09:54 PM

Alright Gary. Thanks for the quick reply. And no, the formatting is no issue, it looks great to me :)

Here are the results.

  • Yes ERUNT ran successfully and created the folder at the default location.
  • No, on double clicking it displayed this error:
    [screenshot of the error message]
  • Yes it did. Though I had to reboot manually, it popped up a window saying the dll file succeeded. So I guess it's OK?
  • As expected, the problem still persists. Probably because the registry did not register.

I'll wait for your replies.

Regards, TBH



#15 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,160 posts
  • Gender:Male
  • Location:California

Posted 09 February 2013 - 10:48 PM

Greetings,

Please try it this way.

===================================================

Farbar's MiniRegTool
--------------------
  • Please download MiniRegTool.zip and unzip it
  • Please download MiniRegTool64.zip and unzip it
  • Copy and paste the following into the edit box:
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.QTTabGroup]
    [-HKEY_CURRENT_USER\Software\Quizo\QTTabBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.QTTabGroup]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A300-2BD8835EB6CE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerCaptor]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.ExplorerProcessCaptor]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QGroupOpener]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QManagementBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTDesktopTool]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTHorizontalExplorerBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QTTabBarLib.QTVersatileBarVertical]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=78a0cde69b47ca25]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\66308896\149d2613\c1]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4f2e8882\66308896\c1]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\6c10f708\3c51361a\85]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\4f2e8882\6c10f708\81]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{D2BF470E-ED1C-487F-AAAA-2BD8835EB6CE}"=-
    [-HKEY_USERS\S-1-5-21-306219716-897267522-1200711480-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.QTTabGroup]
    [-HKEY_USERS\S-1-5-21-306219716-897267522-1200711480-1000\Software\Quizo\QTTabBar]
  • Check the Delete Keys/Values including Locked/Null embedded radio button.
  • Press the Go button and post the result.
===================================================

Things I would like to see in your next reply.
  • MiniRegTool results

Edited by Oh My, 13 February 2013 - 04:26 PM.

Gary



