ads popping up on my webpages (even google) and redirecting.


  • This topic is locked
21 replies to this topic

#16 Starbuck ('r Brudiwr)

  • Malware Response Team
  • 4,150 posts
  • Location: Midlands, UK

Posted 31 August 2013 - 10:25 AM

Hi ninjapanda

Unfortunately you are making this harder than it should be.

I did mention to you about running tools from the Temp Internet files, but you still continue to do this:
 

Running from C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOC22ZJR

FRST must be downloaded to the DESKTOP.
We need to run a fix and FRST and the fix must be run from the same directory.
Please download FRST again using the previous instructions and make sure it gets downloaded to the DESKTOP.
Please post another report showing it running from the Desktop.

Also I did ask:

If you have problems uninstalling/reinstalling MSSE, let me know.

But you provided no information.

Edited by Starbuck, 31 August 2013 - 10:26 AM.




#17 ninjapanda

  • Topic Starter
  • Members
  • 11 posts

Posted 02 September 2013 - 02:34 AM

ok I downloaded to desktop. There wasn't an addition.txt this time though. I reinstalled MSSE. thx

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-09-2013 04
Ran by Jeremy (administrator) on JEREMY-PC on 02-09-2013 17:31:02
Running from C:\Users\Jeremy\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\windows\system32\atiesrxx.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
() C:\Windows\System32\GFNEXSrv.exe
(AMD) C:\windows\system32\atieclxx.exe
(SafeNet Inc.) C:\windows\system32\hasplms.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.77\ccSvcHst.exe
(TOSHIBA Corporation) C:\windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.77\ccSvcHst.exe
(Microsoft Corporation) C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\Teco.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\PeakShift\TPSCMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(BitTorrent Inc.) C:\Users\Jeremy\AppData\Roaming\uTorrent\uTorrent.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_257_ActiveX.exe
(Microsoft Corporation) C:\windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WD2KJTQK\mseinstall.exe
(Microsoft Corporation) c:\c36260f6ea31e1120b981596\epplauncher.exe
(Microsoft Corporation) c:\c36260f6ea31e1120b981596\amd64\Setup.exe
(Microsoft Corporation) C:\windows\system32\msiexec.exe
(Microsoft Corporation) c:\Windows\system32\MsiExec.exe
(Microsoft Corporation) c:\Windows\syswow64\MsiExec.exe
(Microsoft Corporation) c:\Windows\system32\MsiExec.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12459112 2012-03-15] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2866960 2011-12-19] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-09-22] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [989056 2011-12-13] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1548208 2011-11-24] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TPSCMain] - C:\Program Files\TOSHIBA\PeakShift\TPSCMain.exe [740792 2011-12-21] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-11-25] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [598448 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-07-18] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoDrives] 0
HKCU\...\Run: [SandboxieControl] - C:\Program Files\Sandboxie\SbieCtrl.exe [759384 2013-07-08] (Sandboxie Holdings, LLC)
HKCU\...\Run: [Steam] - "C:\Program Files (x86)\Steam\Steam.exe" -silent [x]
HKCU\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKCU\...\Policies\Explorer: [NoDrives] 0
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [38112 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2012-01-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ITSecMng] - C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [80840 2011-04-01] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-05] (Intel Corporation)
HKLM-x32\...\Run: [NortonOnlineBackup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1110360 2010-05-03] (Symantec Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Snap.DoEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
Toolbar: HKLM - Snap.Do - {ae07101b-46d4-4a98-af68-0333ea26e113} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138

Chrome:
=======
CHR HomePage: hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.57\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.57\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.57\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Extension: (Google Docs) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Wolfram|Alpha (Official)) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\icncamkooinmbehmkeilcccmoljfkdhp\1.2.2_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR Extension: (Better Pop Up Blocker) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpeeekfhbmikbdhlpjbfmnpgcbeggic\2.1.6_0
CHR Extension: (Gmail) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [okkbcpjgdooahcefofhjdpacngfecaaa] - C:\Program Files (x86)\Lyrics_Fan\128.crx

==================== Services (Whitelisted) =================

R2 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-09] ()
R2 hasplms; C:\windows\system32\hasplms.exe [3750400 2009-12-16] (SafeNet Inc.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2013-07-18] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-07-18] (Microsoft Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2782552 2010-05-03] (Symantec Corporation)
R2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [132056 2013-01-31] (Symantec Corporation)
R2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.77\ccSvcHst.exe [126392 2011-09-13] (Symantec Corporation)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [183896 2013-07-08] (Sandboxie Holdings, LLC)
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [x]

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
R3 RtkBtFilter; C:\Windows\System32\DRIVERS\RtkBtfilter.sys [21096 2012-01-05] (Realtek Microelectronics)
R3 RTL8192Ce; C:\Windows\System32\DRIVERS\rtwlane.sys [1082472 2012-01-16] (Realtek Semiconductor Corporation                           )
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [199384 2013-07-08] (Sandboxie Holdings, LLC)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [x]
S3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-02 16:51 - 2013-09-02 16:52 - 00000000 ____D C:\Users\Jeremy\Desktop\Diablo 2 full game with expansion
2013-08-31 16:17 - 2013-08-31 16:17 - 00000000 ____D C:\Users\Jeremy\Desktop\Week4
2013-08-31 16:16 - 2013-08-31 16:16 - 00002408 _____ C:\Users\Jeremy\Desktop\Week4.zip
2013-08-31 13:24 - 2013-08-31 13:24 - 00000000 ____D C:\FRST
2013-08-28 12:56 - 2013-08-28 12:56 - 00019750 _____ C:\ComboFix.txt
2013-08-28 12:30 - 2013-08-28 12:30 - 00602112 _____ (OldTimer Tools) C:\Users\Jeremy\Desktop\OTL.scr
2013-08-28 12:20 - 2011-06-25 23:45 - 00256000 _____ C:\windows\PEV.exe
2013-08-28 12:20 - 2010-11-07 10:20 - 00208896 _____ C:\windows\MBR.exe
2013-08-28 12:20 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\windows\NIRCMD.exe
2013-08-28 12:20 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\windows\SWREG.exe
2013-08-28 12:20 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\windows\SWSC.exe
2013-08-28 12:20 - 2000-08-30 17:00 - 00098816 _____ C:\windows\sed.exe
2013-08-28 12:20 - 2000-08-30 17:00 - 00080412 _____ C:\windows\grep.exe
2013-08-28 12:20 - 2000-08-30 17:00 - 00068096 _____ C:\windows\zip.exe
2013-08-28 12:19 - 2013-08-28 12:56 - 00000000 ____D C:\Qoobox
2013-08-28 12:17 - 2013-08-28 12:17 - 00000474 _____ C:\Users\Jeremy\Desktop\defogger_disable.log
2013-08-28 12:17 - 2013-08-28 12:17 - 00000000 _____ C:\Users\Jeremy\defogger_reenable
2013-08-28 12:16 - 2013-08-28 12:16 - 00000000 ____D C:\_OTL
2013-08-24 17:33 - 2013-08-24 17:33 - 00000000 ____D C:\windows\ERUNT
2013-08-23 21:18 - 2013-08-23 21:18 - 00000000 ____D C:\ProgramData\Symantec
2013-08-21 18:18 - 2013-08-21 18:18 - 01588856 _____ C:\windows\Minidump\082113-53508-01.dmp
2013-08-20 23:44 - 2013-08-20 23:44 - 00002854 _____ C:\Users\Jeremy\Downloads\CSC.zip
2013-08-20 23:44 - 2013-08-20 23:44 - 00000000 ____D C:\Users\Jeremy\Downloads\CSC
2013-08-19 17:30 - 2013-09-02 08:29 - 01685132 _____ C:\Users\Jeremy\Documents\WordRqmErrors.log
2013-08-19 17:21 - 2013-08-19 18:08 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-19 17:18 - 2013-08-19 17:18 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\Malwarebytes
2013-08-19 17:18 - 2013-08-19 17:18 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-19 03:00 - 2013-08-19 03:05 - 00000642 _____ C:\Users\Jeremy\Documents\Workspace.sws
2013-08-19 02:59 - 2013-08-19 03:05 - 00057488 _____ C:\Users\Jeremy\Desktop\ObjectOrientedModel_2.oom
2013-08-19 02:55 - 2013-08-19 03:05 - 00001273 _____ C:\Users\Jeremy\Documents\Full Object Report.html
2013-08-19 02:55 - 2013-08-19 02:55 - 00000000 ____D C:\Users\Jeremy\Documents\Full Object Report_files
2013-08-19 00:34 - 2013-08-19 00:34 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\PowerDesigner
2013-08-19 00:31 - 2011-12-12 04:24 - 00260096 ____N (Microsoft Corporation) C:\windows\SysWOW64\RICHTX32.OCX
2013-08-19 00:31 - 2011-12-12 04:24 - 00140488 ____N (Microsoft Corporation) C:\windows\SysWOW64\COMDLG32.OCX
2013-08-19 00:28 - 2013-08-19 00:56 - 00000000 ____D C:\ProgramData\PowerDesigner 16
2013-08-19 00:28 - 2013-08-19 00:28 - 00000000 ____D C:\Program Files (x86)\Sybase
2013-08-18 23:38 - 2013-08-18 23:38 - 353134605 _____ (Acresso Software Inc.                                        ) C:\Users\Jeremy\Downloads\PowerDesigner161_Evaluation.exe
2013-08-18 22:29 - 2013-08-18 22:29 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\eIntaller
2013-08-18 21:26 - 2013-08-18 21:26 - 00000589 _____ C:\Users\Jeremy\Desktop\eclipse - Shortcut.lnk
2013-08-18 02:18 - 2013-07-25 22:13 - 02241024 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-08-18 02:18 - 2013-07-25 22:13 - 01365504 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-08-18 02:18 - 2013-07-25 22:13 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2013-08-18 02:18 - 2013-07-25 22:12 - 19239424 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 15405056 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 03958784 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 02647040 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00053760 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-08-18 02:18 - 2013-07-25 22:12 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2013-08-18 02:18 - 2013-07-25 20:35 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-08-18 02:18 - 2013-07-25 20:13 - 01767936 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2013-08-18 02:18 - 2013-07-25 20:13 - 01141248 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 14329344 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 02877440 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 02048512 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 00391168 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2013-08-18 02:18 - 2013-07-25 20:12 - 00039936 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2013-08-18 02:18 - 2013-07-25 20:11 - 13761024 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2013-08-18 02:18 - 2013-07-25 20:11 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2013-08-18 02:18 - 2013-07-25 19:49 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2013-08-18 02:18 - 2013-07-25 19:39 - 00089600 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2013-08-18 02:18 - 2013-07-25 18:59 - 00071680 _____ (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-16 00:30 - 2013-08-16 00:30 - 00000000 ____D C:\windows\system32\appmgmt
2013-08-14 18:18 - 2013-07-18 18:58 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2013-08-14 18:18 - 2013-07-18 18:41 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2013-08-14 18:18 - 2013-07-08 22:52 - 00224256 _____ (Microsoft Corporation) C:\windows\system32\wintrust.dll
2013-08-14 18:18 - 2013-07-08 22:46 - 01472512 _____ (Microsoft Corporation) C:\windows\system32\crypt32.dll
2013-08-14 18:18 - 2013-07-08 22:46 - 00184320 _____ (Microsoft Corporation) C:\windows\system32\cryptsvc.dll
2013-08-14 18:18 - 2013-07-08 22:46 - 00139776 _____ (Microsoft Corporation) C:\windows\system32\cryptnet.dll
2013-08-14 18:18 - 2013-07-08 21:52 - 00175104 _____ (Microsoft Corporation) C:\windows\SysWOW64\wintrust.dll
2013-08-14 18:18 - 2013-07-08 21:46 - 01166848 _____ (Microsoft Corporation) C:\windows\SysWOW64\crypt32.dll
2013-08-14 18:18 - 2013-07-08 21:46 - 00140288 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptsvc.dll
2013-08-14 18:18 - 2013-07-08 21:46 - 00103936 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptnet.dll
2013-08-14 18:17 - 2013-07-25 02:25 - 01888768 _____ (Microsoft Corporation) C:\windows\system32\WMVDECOD.DLL
2013-08-14 18:17 - 2013-07-25 01:57 - 01620992 _____ (Microsoft Corporation) C:\windows\SysWOW64\WMVDECOD.DLL
2013-08-14 18:17 - 2013-07-08 23:03 - 05550528 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2013-08-14 18:17 - 2013-07-08 22:54 - 01732032 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2013-08-14 18:17 - 2013-07-08 22:53 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2013-08-14 18:17 - 2013-07-08 22:51 - 01217024 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2013-08-14 18:17 - 2013-07-08 22:03 - 03968960 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2013-08-14 18:17 - 2013-07-08 22:03 - 03913664 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2013-08-14 18:17 - 2013-07-08 21:53 - 01292192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2013-08-14 18:17 - 2013-07-08 21:52 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2013-08-14 18:17 - 2013-07-08 21:52 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2013-08-14 18:17 - 2013-07-08 19:49 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2013-08-14 18:17 - 2013-07-08 19:49 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2013-08-14 18:17 - 2013-07-08 19:49 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2013-08-14 18:17 - 2013-07-08 19:49 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2013-08-14 18:17 - 2013-07-05 23:03 - 01910208 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2013-08-14 18:17 - 2013-06-14 21:32 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tssecsrv.sys
2013-08-10 23:29 - 2013-08-10 23:29 - 00000000 ____D C:\Users\Jeremy\Desktop\week2
2013-08-10 22:44 - 2013-08-31 16:18 - 00000000 ____D C:\Users\Jeremy\workspace
2013-08-10 22:41 - 2013-08-10 22:41 - 01093032 _____ (Oracle Corporation) C:\windows\system32\npDeployJava1.dll
2013-08-10 22:41 - 2013-08-10 22:41 - 00972712 _____ (Oracle Corporation) C:\windows\system32\deployJava1.dll
2013-08-10 22:41 - 2013-08-10 22:41 - 00312232 _____ (Oracle Corporation) C:\windows\system32\javaws.exe
2013-08-10 22:41 - 2013-08-10 22:41 - 00189352 _____ (Oracle Corporation) C:\windows\system32\javaw.exe
2013-08-10 22:41 - 2013-08-10 22:41 - 00188840 _____ (Oracle Corporation) C:\windows\system32\java.exe
2013-08-10 22:41 - 2013-08-10 22:41 - 00108968 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge-64.dll
2013-08-10 22:39 - 2013-08-10 22:40 - 00000000 ____D C:\Program Files\Java
2013-08-10 22:18 - 2013-08-31 16:16 - 00000000 ____D C:\Users\Jeremy\Desktop\eclipse
2013-08-10 22:18 - 2013-08-10 22:18 - 00000000 ____D C:\Users\Jeremy\Downloads\eclipse-standard-kepler-R-win32-x86_64
2013-08-08 09:39 - 2013-08-08 09:39 - 00000000 ____D C:\47d7cb9f68a4c6c2d1beaf0e7d90cee3
2013-08-03 15:50 - 2013-08-28 12:48 - 00000000 ____D C:\AMD

==================== One Month Modified Files and Folders =======

2013-09-02 17:31 - 2013-05-02 12:38 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-02 17:31 - 2013-02-21 18:06 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\uTorrent
2013-09-02 17:30 - 2013-09-02 17:27 - 01951950 _____ (Farbar) C:\Users\Jeremy\Desktop\FRST64.exe
2013-09-02 17:30 - 2013-05-02 12:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-09-02 17:11 - 2012-11-10 08:17 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-02 17:02 - 2013-02-26 17:51 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\Skype
2013-09-02 16:52 - 2013-09-02 16:51 - 00000000 ____D C:\Users\Jeremy\Desktop\Diablo 2 full game with expansion
2013-09-02 16:45 - 2012-11-10 08:17 - 00000908 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-02 16:44 - 2012-11-10 07:40 - 01195640 _____ C:\windows\WindowsUpdate.log
2013-09-02 16:31 - 2012-11-10 07:42 - 00000830 _____ C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2013-09-02 08:29 - 2013-08-19 17:30 - 01685132 _____ C:\Users\Jeremy\Documents\WordRqmErrors.log
2013-09-02 01:15 - 2009-07-13 21:51 - 00068182 _____ C:\windows\setupact.log
2013-09-01 19:38 - 2013-05-01 17:46 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-09-01 19:38 - 2012-11-10 08:32 - 00000000 ____D C:\ProgramData\Skype
2013-09-01 13:49 - 2012-11-10 08:34 - 00000000 ____D C:\ProgramData\Norton
2013-08-31 16:18 - 2013-08-10 22:44 - 00000000 ____D C:\Users\Jeremy\workspace
2013-08-31 16:17 - 2013-08-31 16:17 - 00000000 ____D C:\Users\Jeremy\Desktop\Week4
2013-08-31 16:16 - 2013-08-31 16:16 - 00002408 _____ C:\Users\Jeremy\Desktop\Week4.zip
2013-08-31 16:16 - 2013-08-10 22:18 - 00000000 ____D C:\Users\Jeremy\Desktop\eclipse
2013-08-31 13:24 - 2013-08-31 13:24 - 00000000 ____D C:\FRST
2013-08-29 16:32 - 2009-07-13 21:45 - 00028080 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-29 16:32 - 2009-07-13 21:45 - 00028080 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-29 16:31 - 2009-07-13 22:13 - 00726316 _____ C:\windows\system32\PerfStringBackup.INI
2013-08-29 16:26 - 2013-07-17 17:26 - 00002490 _____ C:\windows\Sandboxie.ini
2013-08-29 16:26 - 2013-04-27 22:11 - 00000000 ____D C:\Users\Jeremy\Documents\Bluetooth
2013-08-29 16:26 - 2013-03-05 15:45 - 00000000 ____D C:\Users\Jeremy\AppData\Local\CrashDumps
2013-08-29 16:25 - 2012-11-10 07:42 - 00000828 _____ C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2013-08-29 16:25 - 2009-07-13 22:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-08-28 12:56 - 2013-08-28 12:56 - 00019750 _____ C:\ComboFix.txt
2013-08-28 12:56 - 2013-08-28 12:19 - 00000000 ____D C:\Qoobox
2013-08-28 12:56 - 2009-07-13 20:20 - 00000000 __RHD C:\Users\Default
2013-08-28 12:55 - 2013-02-21 17:34 - 00000000 ___RD C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-28 12:54 - 2013-06-13 22:50 - 00000000 ____D C:\windows\erdnt
2013-08-28 12:51 - 2009-07-13 19:34 - 00000215 _____ C:\windows\system.ini
2013-08-28 12:50 - 2010-11-20 20:47 - 00127738 _____ C:\windows\PFRO.log
2013-08-28 12:48 - 2013-08-03 15:50 - 00000000 ____D C:\AMD
2013-08-28 12:48 - 2013-02-21 17:30 - 00000000 ____D C:\Users\Jeremy
2013-08-28 12:30 - 2013-08-28 12:30 - 00602112 _____ (OldTimer Tools) C:\Users\Jeremy\Desktop\OTL.scr
2013-08-28 12:17 - 2013-08-28 12:17 - 00000474 _____ C:\Users\Jeremy\Desktop\defogger_disable.log
2013-08-28 12:17 - 2013-08-28 12:17 - 00000000 _____ C:\Users\Jeremy\defogger_reenable
2013-08-28 12:16 - 2013-08-28 12:16 - 00000000 ____D C:\_OTL
2013-08-24 17:44 - 2013-05-12 21:18 - 00002309 _____ C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
2013-08-24 17:44 - 2013-02-21 17:34 - 00001428 _____ C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-08-24 17:33 - 2013-08-24 17:33 - 00000000 ____D C:\windows\ERUNT
2013-08-23 21:18 - 2013-08-23 21:18 - 00000000 ____D C:\ProgramData\Symantec
2013-08-23 21:13 - 2012-11-10 08:34 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-08-21 18:18 - 2013-08-21 18:18 - 01588856 _____ C:\windows\Minidump\082113-53508-01.dmp
2013-08-21 18:18 - 2013-03-12 13:21 - 00000000 ____D C:\windows\Minidump
2013-08-21 18:17 - 2013-03-12 13:21 - 756084345 _____ C:\windows\MEMORY.DMP
2013-08-20 23:44 - 2013-08-20 23:44 - 00002854 _____ C:\Users\Jeremy\Downloads\CSC.zip
2013-08-20 23:44 - 2013-08-20 23:44 - 00000000 ____D C:\Users\Jeremy\Downloads\CSC
2013-08-19 21:37 - 2010-11-20 20:24 - 00000000 __SHD C:\Users\Jeremy\AppData\Roaming\diuggivu
2013-08-19 18:08 - 2013-08-19 17:21 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-19 17:18 - 2013-08-19 17:18 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\Malwarebytes
2013-08-19 17:18 - 2013-08-19 17:18 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-19 03:05 - 2013-08-19 03:00 - 00000642 _____ C:\Users\Jeremy\Documents\Workspace.sws
2013-08-19 03:05 - 2013-08-19 02:59 - 00057488 _____ C:\Users\Jeremy\Desktop\ObjectOrientedModel_2.oom
2013-08-19 03:05 - 2013-08-19 02:55 - 00001273 _____ C:\Users\Jeremy\Documents\Full Object Report.html
2013-08-19 02:55 - 2013-08-19 02:55 - 00000000 ____D C:\Users\Jeremy\Documents\Full Object Report_files
2013-08-19 00:56 - 2013-08-19 00:28 - 00000000 ____D C:\ProgramData\PowerDesigner 16
2013-08-19 00:34 - 2013-08-19 00:34 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\PowerDesigner
2013-08-19 00:29 - 2012-04-09 22:08 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-08-19 00:28 - 2013-08-19 00:28 - 00000000 ____D C:\Program Files (x86)\Sybase
2013-08-18 23:38 - 2013-08-18 23:38 - 353134605 _____ (Acresso Software Inc.                                        ) C:\Users\Jeremy\Downloads\PowerDesigner161_Evaluation.exe
2013-08-18 22:29 - 2013-08-18 22:29 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\eIntaller
2013-08-18 21:26 - 2013-08-18 21:26 - 00000589 _____ C:\Users\Jeremy\Desktop\eclipse - Shortcut.lnk
2013-08-18 12:19 - 2009-07-13 21:45 - 00416688 _____ C:\windows\system32\FNTCACHE.DAT
2013-08-18 12:17 - 2010-11-21 00:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-08-18 12:17 - 2009-07-13 22:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-08-18 12:17 - 2009-07-13 22:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-08-18 02:01 - 2013-03-15 01:53 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-08-18 02:01 - 2013-03-15 01:53 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-08-16 00:44 - 2013-07-14 22:39 - 00000000 ____D C:\Program Files (x86)\MagicISO
2013-08-16 00:30 - 2013-08-16 00:30 - 00000000 ____D C:\windows\system32\appmgmt
2013-08-10 23:29 - 2013-08-10 23:29 - 00000000 ____D C:\Users\Jeremy\Desktop\week2
2013-08-10 22:41 - 2013-08-10 22:41 - 01093032 _____ (Oracle Corporation) C:\windows\system32\npDeployJava1.dll
2013-08-10 22:41 - 2013-08-10 22:41 - 00972712 _____ (Oracle Corporation) C:\windows\system32\deployJava1.dll
2013-08-10 22:41 - 2013-08-10 22:41 - 00312232 _____ (Oracle Corporation) C:\windows\system32\javaws.exe
2013-08-10 22:41 - 2013-08-10 22:41 - 00189352 _____ (Oracle Corporation) C:\windows\system32\javaw.exe
2013-08-10 22:41 - 2013-08-10 22:41 - 00188840 _____ (Oracle Corporation) C:\windows\system32\java.exe
2013-08-10 22:41 - 2013-08-10 22:41 - 00108968 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge-64.dll
2013-08-10 22:40 - 2013-08-10 22:39 - 00000000 ____D C:\Program Files\Java
2013-08-10 22:18 - 2013-08-10 22:18 - 00000000 ____D C:\Users\Jeremy\Downloads\eclipse-standard-kepler-R-win32-x86_64
2013-08-10 18:30 - 2009-07-13 20:20 - 00000000 ____D C:\windows\rescache
2013-08-10 15:25 - 2009-07-13 20:20 - 00000000 ____D C:\windows\system32\NDF
2013-08-10 00:24 - 2013-02-24 00:22 - 00000000 ____D C:\Users\Jeremy\AppData\Roaming\vlc
2013-08-08 09:39 - 2013-08-08 09:39 - 00000000 ____D C:\47d7cb9f68a4c6c2d1beaf0e7d90cee3
2013-08-05 16:13 - 2013-05-16 21:51 - 00007602 _____ C:\Users\Jeremy\AppData\Local\Resmon.ResmonCfg
2013-08-04 10:52 - 2013-05-16 21:03 - 00000000 ____D C:\Users\Jeremy\AppData\Local\VirtualStore

Files to move or delete:
====================
C:\ProgramData\2Pi1V0s.dat
C:\Users\Jeremy\AppData\Local\Temp\SkypeSetup.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-08-31 15:37

==================== End Of Log ============================



#18 Starbuck
Malware Response Team

Posted 02 September 2013 - 11:22 AM

Hi ninjapanda

ok I downloaded to desktop

Many thanks for that, we can run the fix now.

There wasn't an addition.txt this time though.

Nothing to worry about.
FRST only produces the addition.txt on a first run... and we had it already.

I reinstalled MSSE.

Cheers.
The reason I needed to know was because the malware had changed a part of MSSE.
Removing and reinstalling it saved us a job in correcting it.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Re-run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.

Thanks.


#19 ninjapanda (Topic Starter)

Posted 06 September 2013 - 08:56 AM

I think the problem has been fixed. There are no more ads or redirects anymore. Thanks for everything!



#20 ninjapanda (Topic Starter)

Posted 06 September 2013 - 08:59 AM

Here's the log anyway.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-09-2013 04
Ran by Jeremy at 2013-09-07 00:00:14 Run:1
Running from C:\Users\Jeremy\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
HKLM\...\Policies\Explorer: [NoDrives] 0
HKCU\...\Policies\Explorer: [NoDrives] 0
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
CHR HomePage: hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396
CHR HKLM-x32\...\Chrome\Extension: [okkbcpjgdooahcefofhjdpacngfecaaa] - C:\Program Files (x86)\Lyrics_Fan\128.crx
C:\ProgramData\2Pi1V0s.dat
C:\Users\Jeremy\AppData\Local\Temp\SkypeSetup.exe
C:\Program Files (x86)\Lyrics_Fan

*****************

HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => Key deleted successfully.
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => Key deleted successfully.
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDrives => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDrives => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => Key not found.
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\livecall => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => Key deleted successfully.
HKCR\Wow6432Node\PROTOCOLS\Handler\msnim => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
CHR HomePage: hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=TOSHIBAXMK6475GSX_82IAFZWJSXX82IAFZWJS&ts=1376890396 ==> The Chrome "Settings" can be used to fix the entry.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\okkbcpjgdooahcefofhjdpacngfecaaa => Key deleted successfully.
"C:\Program Files (x86)\Lyrics_Fan\128.crx" => File/Directory not found.
C:\ProgramData\2Pi1V0s.dat => Moved successfully.
C:\Users\Jeremy\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
"C:\Program Files (x86)\Lyrics_Fan" => File/Directory not found.

==== End of Fixlog ====
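The fix log above names the registry locations the hijacker had touched: the IE Start Page, the IE SearchScopes providers, the Explorer NoDrives policy, the Winsock namespace provider entry (restored to NLAapi.dll), and a Chrome extension registered through the registry. The following PowerShell script is an added example, not part of the thread and not part of FRST, that re-reads those same locations on the current machine and reports anything that still looks hijacked. It assumes Windows PowerShell 3.0 or later, an elevated prompt, and a search-host allowlist that you should extend to whatever providers you actually use (the three hosts listed are an assumption).

```powershell
# Added example (not from the thread, not part of FRST): re-read the registry
# locations named in the fixlist above and report anything that still looks
# hijacked. Run from an elevated Windows PowerShell (3.0+) prompt.
# The search-host allowlist is an assumption; extend it to the providers you use.

$AllowedSearchHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')

function Get-UrlHost([string]$Url) {
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

function New-Finding($Check, $Location, $Value) {
    [pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value }
}

# IE home page under both hives (the fixlist deleted a qvo6.com Start Page).
function Test-IEStartPage {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        $sp  = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
        if ($sp -and ($AllowedSearchHosts -notcontains (Get-UrlHost $sp))) {
            New-Finding 'IE Start Page' $key $sp
        }
    }
}

# IE search providers: every SearchScopes subkey carries a URL value.
function Test-IESearchScopes {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
             'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($scope in Get-ChildItem -Path $root) {
            $url = (Get-ItemProperty -Path $scope.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
            if ($url -and ($AllowedSearchHosts -notcontains (Get-UrlHost $url))) {
                New-Finding 'IE SearchScope' $scope.PSPath $url
            }
        }
    }
}

# Winsock namespace providers (Catalog5). The fixlog restored entry 000000000001
# to %SystemRoot%\system32\NLAapi.dll; flag that entry if it points elsewhere,
# and flag any provider DLL that does not live in the system directory.
function Test-WinsockNamespaceProviders {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
    $sysdir = [Environment]::GetFolderPath('System')
    foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
        $path = Join-Path $base $sub
        if (-not (Test-Path $path)) { continue }
        foreach ($entry in Get-ChildItem -Path $path) {
            $lib = (Get-ItemProperty -Path $entry.PSPath -Name 'LibraryPath' -ErrorAction SilentlyContinue).LibraryPath
            if (-not $lib) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($lib)
            $wrongDir = -not $expanded.StartsWith($sysdir, [StringComparison]::OrdinalIgnoreCase)
            $wrongNla = ($entry.PSChildName -eq '000000000001') -and ($expanded -notlike '*\NLAapi.dll')
            if ($wrongDir -or $wrongNla) { New-Finding "Winsock $sub" $entry.PSChildName $lib }
        }
    }
}

# Explorer NoDrives policy hides drives in Explorer; it is normally absent on a home PC.
function Test-NoDrivesPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name 'NoDrives' -ErrorAction SilentlyContinue).NoDrives
        if ($null -ne $v) { New-Finding 'Explorer NoDrives policy' $key $v }
    }
}

# Chrome extensions registered through the registry: each subkey is an extension
# id with a "path" value naming a .crx. The fixlist removed one; list them all.
function Test-ChromeRegistryExtensions {
    $roots = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
             'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
             'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($ext in Get-ChildItem -Path $root) {
            $crx = (Get-ItemProperty -Path $ext.PSPath -ErrorAction SilentlyContinue).path
            New-Finding 'Chrome extension (registry)' $ext.PSChildName $crx
        }
    }
}

$findings = @(Test-IEStartPage; Test-IESearchScopes; Test-WinsockNamespaceProviders;
              Test-NoDrivesPolicy; Test-ChromeRegistryExtensions)
if ($findings.Count -eq 0) { 'No leftover hijack artifacts in the checked locations.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The script only reads the registry; it changes nothing. A search scope whose URL host is not on the allowlist, a Winsock entry 000000000001 that is not NLAapi.dll, or any NoDrives value is worth a second look, while the Chrome section lists every registry-registered extension so the reader can decide which ones are expected.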



#21 Starbuck
Malware Response Team

Posted 06 September 2013 - 10:23 AM

Hi ninjapanda

the problem has been fixed. there are no more ads anymore and redirects.

That's good to hear.

Thanks for everything

You're very welcome.

Just a few small things to finish off the cleaning.

Step 1
Please uninstall Java 6 Update 30.
This is an older version and should have been removed when Java was updated.
Reboot the system once it's removed.
Do Not remove Java 7 Update 25... this is the latest version.

Step 2
Please uninstall ComboFix by
Clicking on Start... then Run... and type in combofix /uninstall (don't forget there is a gap between x and /). Then press OK.

This action will uninstall Combofix and also perform a few cleanup measures

By default, Windows 7 does not have the "Run" command on the start menu. It's easy to get this back.

1. Open the start menu.
2. Right click on a non-icon area and select "Properties".
3. Press the "Customize" button.
4. Scroll down and find the "Run command" checkbox.
5. Check it and press OK.
6. Press OK.

You now have your run command on the start menu.


Step 3
  • Please double-click OTL.exe to run it.
  • You should see a CleanUp! button, press that button.
  • This will clean up an assortment of tools used during malware removal, plus itself
Note:
MBAM will not be removed if it's installed.


Step 4
Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools may not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

Click Start >> Right click Computer >> Properties.
Click System protection (left pane)
Select the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

To delete all but the last restore point:

Open Disk Cleanup by clicking the Start button.
In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
If prompted, select the drive that you want to clean up, and then click OK.
In the Disk Cleanup for (drive letter) dialog box, click Clean up system files.
If prompted, select the drive that you want to clean up, and then click OK.
Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
In the Disk Cleanup dialog box, click Delete.
Click Delete Files, and then click OK.

To find out how you may have been infected....read this topic:
How did I get infected?

Glad I was able to help.

Safe surfing.

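Step 4 above is done through the System Protection and Disk Cleanup dialogs. As an added example (not from the thread), the same two actions scripted in PowerShell: create a fresh restore point, confirm it exists, and only then delete every older shadow copy on the system drive so the clean point is the only one that survives. It assumes an elevated Windows PowerShell prompt and that the system drive is C: (both assumptions are marked in the code).

```powershell
# Added example (not from the thread): a scripted version of Step 4 above.
# Creates a fresh restore point, checks that it exists, and then deletes every
# older shadow copy on the system drive so the clean point is the only one left.
# Run from an elevated Windows PowerShell prompt on the cleaned machine.

$DriveLetter = 'C:'                                   # assumption: system drive
$Description = 'Post-malware-cleanup baseline'        # any text you will recognise later

# 1. Make sure System Restore is enabled for the drive, then create the new point.
Enable-ComputerRestore -Drive "$DriveLetter\"
Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

# 2. Verify the point was actually created before touching anything else.
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $latest -or $latest.Description -ne $Description) {
    throw 'Restore point was not created; leaving the old shadow copies in place.'
}
"Created restore point #$($latest.SequenceNumber): $($latest.Description)"

# 3. Delete all shadow copies on the drive except the newest one, which holds the
#    point just created. This is what Disk Cleanup's "More Options > Clean up" does.
$volumeId = (Get-WmiObject Win32_Volume -Filter "DriveLetter = '$DriveLetter'").DeviceID
$shadows  = @(Get-WmiObject Win32_ShadowCopy |
              Where-Object { $_.VolumeName -eq $volumeId } |
              Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) })

$toDelete = @($shadows | Select-Object -First ([Math]::Max(0, $shadows.Count - 1)))
foreach ($s in $toDelete) {
    "Deleting shadow copy $($s.ID) created $($s.InstallDate)"
    $null = $s.Delete()      # ManagementObject.Delete() removes the shadow copy
}
"Shadow copies remaining on $DriveLetter $($shadows.Count - $toDelete.Count)"
```

Deleting the older shadow copies also discards the "Previous Versions" file history they hold, exactly as the Disk Cleanup route does. On Windows 8 and later, Checkpoint-Computer silently skips creation if another restore point was made within the previous 24 hours; the verification step in the script is there so the old copies are never removed unless the new point really exists.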


#22 Starbuck
Malware Response Team

Posted 07 September 2013 - 04:06 PM

As this topic has been resolved this thread will now be closed.

If you need this topic reopened, please contact one of the moderating team by PM and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.

Everyone else please begin a New Topic.
