Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijack? Weird one that doesnt want to be removed


  • This topic is locked This topic is locked
25 replies to this topic

#1 gobbers

gobbers

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 30 October 2013 - 04:30 PM

"Hi,

 

I have a works laptop that I has a problem with both Firefox and IE. (Not Chrome after testing)

 

The problem is that when an web address is entered incorrectly into the address bar it redirects to www.boardgames.co.uk

 

It appears that it redirects there if the address is not a fqdn

 

eg www.abc.com is okay, abc is not

 

Entering a correct URL there is no problem, even when autocomplete/search is off. 

 

I have followed many of the 'How-tos' and completed all steps from safe mode.

 

Software I have ran includes:

sfc /scannow
spybot S&D
Super Anti Spyware
Emisoft Emeergency kit
RKill
TDSSKiller
Rogue Killer
Malwarbytes
Malwarebytes Anti rootkit
Hitman Pro
adwcleaner
Junkremoval tool
Microsoft Malicious removal tool
Microsoft Security scan
CCleaner
OTL
MiniToolBox
farbar recovery scan tool

Kapersky Pure 3 anti virus

 

None of which have returned any real kind of infection nor managed to cure it.

 

The browsers are not particually running slow and this is the only problem that he stumbled upon.  It may have been here for a while.

 

However it is on my bosses laptop therefore he thinks its the end of the world. :angry:

 

I get the laptop back later, any help or pointers would be greatly appreciated."

 

My initial post from the "Have I been infected" thread -

 

Thanks Quietman7 and look forward to any help others can give. :)

 

Additional infomation.

Apart from Kaspersky all Anti Malware/Spyware software has been installed in the past day or so and can be uninstalled upon request.

IE has been reset to default settings having no effect on the problem.  All add ons etc have been disabled on both FF and IE to no effect.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.45.2
Run by Dad at 21:00:09 on 2013-10-30
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.8095.3559 [GMT 0:00]
.
AV: Kaspersky PURE 3.0 *Enabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
SP: Kaspersky PURE 3.0 *Enabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: Kaspersky PURE 3.0 *Enabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe
C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsComProviderSvr.exe
C:\Windows\System32\ThpSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Aurora\firefox.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\Kaspersky Password Manager\spIEBho.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {876d9f09-c6d6-4324-a2cc-04dd9a4de12f} - C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\OnlineBanking\online_banking_bho.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - c:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll
TB: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\Kaspersky Password Manager\spIEBho.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
EB: Web Test Recorder 10.0: {3142c289-f319-47f5-a594-a827028714c9} -
EB: Web Test Recorder 10.0: {5802D092-1784-4908-8CDB-99B6842D353D} -
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ie_banner_deny.htm
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://localhost:1174/Reserved.ReportViewerWebControl.axd?ReportSession=ixsziryxdes4om55pjyakbmk&Culture=2057&CultureOverrides=True&UICulture=1033&UICultureOverrides=True&ReportStack=1&ControlID=cc341fe14be44ff08558f3470216e7c0&OpType=PrintCab&Arch=X86
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{C791A500-376A-489A-B9E2-57CF447EC278} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{E8029911-C0AE-46BA-999E-3E587CF41BE1} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{E8029911-C0AE-46BA-999E-3E587CF41BE1}\A4C4A434 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{E8029911-C0AE-46BA-999E-3E587CF41BE1}\E416E61674 : DHCPNameServer = 194.168.4.100 194.168.8.100
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\OnlineBanking\online_banking_bho.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Run: [ThpSrv] C:\Windows\System32\thpsrv /logon
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\xsady6k7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\System32\drivers\CSCrySec.sys [2013-5-24 84536]
R0 SMR410;Symantec SMR Utility Service 4.1.0;C:\Windows\System32\drivers\SMR410.SYS [2013-10-30 96856]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\Windows\System32\drivers\thpdrv.sys [2009-6-29 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\Windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2009-6-24 482384]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\EEK\Run\a2ddax64.sys [2013-10-29 26176]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\System32\drivers\CSVirtualDiskDrv.sys [2013-5-24 66616]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2012-8-2 28504]
R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2012-10-18 54368]
R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2012-8-13 178448]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-12-12 661504]
R2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [2012-12-20 356128]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-1-13 135952]
R2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2012-12-21 819040]
R2 MsDepSvc;Web Deployment Agent Service;C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-4-1 67400]
R2 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2011-6-1 73216]
R2 risdxc;risdxc;C:\Windows\System32\drivers\risdxc64.sys [2011-9-27 101376]
R2 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2011-9-27 53760]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-29 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-10-29 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-10-29 171416]
R2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.sys [2009-9-17 11576]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-10-24 5087584]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-9-27 2656280]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-12-12 195072]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-10-15 317440]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\Windows\System32\drivers\klkbdflt.sys [2012-9-3 29280]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2012-9-3 29280]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-2-10 82432]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-2-10 181760]
R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2011-9-27 35008]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
R3 wdkmd;Intel WiDi KMD;C:\Windows\System32\drivers\WDKMD.sys [2010-12-25 42392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-12-12 195072]
S3 cleanhlp;cleanhlp;C:\EEK\Run\cleanhlp64.sys [2013-10-29 57024]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-7-24 103448]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2012-1-4 340240]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2011-11-5 24176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-27 19456]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-7-24 203672]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 Te.Service;Te.Service;C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [2012-7-25 126976]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-2-10 112080]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-27 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-10-27 30208]
S3 usbrndis6;USB RNDIS6 Adapter;C:\Windows\System32\drivers\usb80236.sys [2013-3-14 19968]
S3 vpcuxd;USB Virtualization Stub Service;C:\Windows\System32\drivers\vpcuxd.sys [2011-9-28 16384]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-9-27 1255736]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\System32\drivers\RsFx0103.sys [2009-3-30 311656]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2013-10-30 11:02:11    --------    d-----w-    C:\FRST
2013-10-30 10:22:31    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-30 10:13:11    96856    ----a-w-    C:\Windows\System32\drivers\SMR410.SYS
2013-10-30 09:59:25    --------    d-----w-    C:\Users\Dad\AppData\Local\NPE
2013-10-30 09:59:25    --------    d-----w-    C:\ProgramData\Norton
2013-10-29 22:09:31    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-10-29 21:44:22    116440    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2013-10-29 20:46:33    --------    d-----w-    C:\Program Files (x86)\Tweaking.com
2013-10-29 18:15:42    21040    ----a-w-    C:\Windows\System32\sdnclean64.exe
2013-10-29 18:15:41    --------    d-----w-    C:\ProgramData\Spybot - Search & Destroy
2013-10-29 18:15:37    --------    d-----w-    C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-10-29 17:15:37    --------    d-----w-    C:\EEK
2013-10-29 16:51:38    --------    d-----w-    C:\Program Files\CCleaner
2013-10-29 12:49:28    --------    d-----w-    C:\Program Files (x86)\ESET
2013-10-29 12:37:31    --------    d-----w-    C:\Windows\ERUNT
2013-10-29 12:29:10    --------    d-----w-    C:\AdwCleaner
2013-10-29 11:41:13    --------    d-----w-    C:\ProgramData\HitmanPro
2013-10-29 10:43:43    --------    d-----w-    C:\Users\Dad\AppData\Roaming\SUPERAntiSpyware.com
2013-10-29 10:43:39    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2013-10-29 10:43:39    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2013-10-29 08:59:49    --------    d-----w-    C:\Program Files (x86)\Aurora
2013-10-29 08:54:40    10280728    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{848FB4A5-555B-4B59-B1DF-3FFA19F63B56}\mpengine.dll
2013-10-28 12:51:48    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-10-28 12:51:12    91352    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2013-10-24 14:46:12    --------    d-----w-    C:\Program Files (x86)\TeamViewer
2013-10-11 07:51:09    99840    ----a-w-    C:\Windows\System32\drivers\usbccgp.sys
2013-10-11 07:51:09    7808    ----a-w-    C:\Windows\System32\drivers\usbd.sys
2013-10-11 07:51:09    52736    ----a-w-    C:\Windows\System32\drivers\usbehci.sys
2013-10-11 07:51:09    343040    ----a-w-    C:\Windows\System32\drivers\usbhub.sys
2013-10-11 07:51:09    325120    ----a-w-    C:\Windows\System32\drivers\usbport.sys
2013-10-11 07:51:09    30720    ----a-w-    C:\Windows\System32\drivers\usbuhci.sys
2013-10-11 07:51:09    25600    ----a-w-    C:\Windows\System32\drivers\usbohci.sys
.
==================== Find3M  ====================
.
2013-10-30 10:09:42    151552    ----a-w-    C:\Windows\KMSEmulator.exe
2013-10-25 09:37:18    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-25 09:37:17    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-16 12:11:01    29280    ----a-w-    C:\Windows\System32\drivers\klmouflt.sys
2013-10-16 12:11:01    29280    ----a-w-    C:\Windows\System32\drivers\klkbdflt.sys
2013-10-16 12:11:00    90208    ----a-w-    C:\Windows\System32\drivers\klflt.sys
2013-10-16 12:10:57    7717984    ----a-w-    C:\Windows\System32\drivers\kl1.sys
2013-09-22 23:28:06    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49    2876928    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-09-22 22:54:51    3959296    ----a-w-    C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19    497152    ----a-w-    C:\Windows\System32\drivers\afd.sys
2013-09-08 02:30:37    1903552    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14    327168    ----a-w-    C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58    231424    ----a-w-    C:\Windows\SysWow64\mswsock.dll
2013-09-03 13:35:10    278800    ------w-    C:\Windows\System32\MpSigStub.exe
2013-08-29 02:17:48    5549504    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35    1732032    ----a-w-    C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28    243712    ----a-w-    C:\Windows\System32\wow64.dll
2013-08-29 02:16:14    859648    ----a-w-    C:\Windows\System32\tdh.dll
2013-08-29 02:13:28    878080    ----a-w-    C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45    3969472    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30    1292192    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16    619520    ----a-w-    C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17    640512    ----a-w-    C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06    3155968    ----a-w-    C:\Windows\System32\win32k.sys
2013-08-28 01:12:33    461312    ----a-w-    C:\Windows\System32\scavengeui.dll
2013-08-05 02:25:45    155584    ----a-w-    C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:14:57    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-08-02 02:13:34    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-08-02 01:50:42    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17    338432    ----a-w-    C:\Windows\System32\conhost.exe
2013-08-02 00:59:09    112640    ----a-w-    C:\Windows\System32\smss.exe
2013-08-02 00:43:05    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 21:00:46.80 ===============
 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 02 November 2013 - 08:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#3 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 02 November 2013 - 05:26 PM

Thanks for the help.

 

I'll run them tomorrow morning.



#4 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 06 November 2013 - 08:40 AM

Hi,

 

Sorry for the delay I just managed to get hold of the laptop.

 

Reports are as follows.

 

# AdwCleaner v3.010 - Report created 05/11/2013 at 12:20:55
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Dad - HOME-DC2
# Running from : C:\Users\Dad\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720


-\\ Mozilla Firefox v

[ File : C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\xsady6k7.default\prefs.js ]


[ File : C:\Users\dean\AppData\Roaming\Mozilla\Firefox\Profiles\glzyqtjq.default\prefs.js ]


-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\Dad\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\dean\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1361 octets] - [29/10/2013 12:29:16]
AdwCleaner[R1].txt - [1184 octets] - [29/10/2013 21:11:24]
AdwCleaner[R2].txt - [1305 octets] - [29/10/2013 21:36:51]
AdwCleaner[R3].txt - [1103 octets] - [05/11/2013 12:20:55]
AdwCleaner[S0].txt - [1434 octets] - [29/10/2013 12:30:51]
AdwCleaner[S1].txt - [1246 octets] - [29/10/2013 21:12:31]
AdwCleaner[S2].txt - [1366 octets] - [29/10/2013 21:37:43]

########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [1343 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Windows 7 Professional x64
Ran by Dad on 05/11/2013 at 12:55:53.29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Dad\appdata\local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/11/2013 at 13:02:29.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

ComboFix 13-11-03.02 - Dad 05/11/2013  13:18:19.5.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.8095.6062 [GMT 0:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
AV: Kaspersky PURE 3.0 *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
FW: Kaspersky PURE 3.0 *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky PURE 3.0 *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-05 to 2013-11-05  )))))))))))))))))))))))))))))))
.
.
2013-11-05 13:28 . 2013-11-05 13:28    --------    d-----w-    c:\users\Public\AppData\Local\temp
2013-11-05 13:28 . 2013-11-05 13:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-11-05 13:28 . 2013-11-05 13:28    --------    d-----w-    c:\users\dean\AppData\Local\temp
2013-11-04 18:37 . 2013-11-04 18:37    --------    d-----w-    c:\program files (x86)\Aurora
2013-11-04 18:30 . 2013-10-14 07:12    10280728    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{588B3722-8287-44DD-8F39-6C1BF48BCC26}\mpengine.dll
2013-10-30 11:02 . 2013-10-30 11:02    --------    d-----w-    C:\FRST
2013-10-30 10:22 . 2013-10-30 10:22    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-10-30 10:22 . 2013-10-30 10:22    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-30 10:22 . 2013-10-30 10:22    --------    d-----w-    c:\program files (x86)\Java
2013-10-30 10:21 . 2013-10-30 10:21    --------    d-----w-    c:\programdata\McAfee
2013-10-30 09:59 . 2013-10-30 10:29    --------    d-----w-    c:\users\Dad\AppData\Local\NPE
2013-10-30 09:59 . 2013-10-30 09:59    --------    d-----w-    c:\programdata\Norton
2013-10-29 21:44 . 2013-10-29 21:44    116440    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-10-29 20:46 . 2013-10-29 20:46    --------    d-----w-    c:\program files (x86)\Tweaking.com
2013-10-29 18:15 . 2013-09-20 10:49    21040    ----a-w-    c:\windows\system32\sdnclean64.exe
2013-10-29 18:15 . 2013-11-05 13:16    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2013-10-29 18:15 . 2013-10-29 22:17    --------    d-----w-    c:\program files (x86)\Spybot - Search & Destroy 2
2013-10-29 17:15 . 2013-10-29 17:15    --------    d-----w-    C:\EEK
2013-10-29 16:51 . 2013-10-29 16:51    --------    d-----w-    c:\program files\CCleaner
2013-10-29 12:49 . 2013-10-29 12:49    --------    d-----w-    c:\program files (x86)\ESET
2013-10-29 12:37 . 2013-10-29 12:37    --------    d-----w-    c:\windows\ERUNT
2013-10-29 12:29 . 2013-11-05 12:21    --------    d-----w-    C:\AdwCleaner
2013-10-29 11:41 . 2013-10-29 11:48    --------    d-----w-    c:\programdata\HitmanPro
2013-10-29 10:43 . 2013-10-29 10:43    --------    d-----w-    c:\users\Dad\AppData\Roaming\SUPERAntiSpyware.com
2013-10-29 10:43 . 2013-10-29 10:43    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-10-29 10:43 . 2013-10-29 10:43    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-10-28 12:51 . 2013-10-29 21:56    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-10-28 12:51 . 2013-10-29 21:43    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-10-24 14:46 . 2013-10-24 14:46    --------    d-----w-    c:\program files (x86)\TeamViewer
2013-10-11 07:51 . 2013-09-04 12:12    343040    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-10-11 07:51 . 2013-09-04 12:11    325120    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-10-11 07:51 . 2013-09-04 12:11    99840    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-10-11 07:51 . 2013-09-04 12:11    52736    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-10-11 07:51 . 2013-09-04 12:11    30720    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-10-11 07:51 . 2013-09-04 12:11    25600    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-10-11 07:51 . 2013-09-04 12:11    7808    ----a-w-    c:\windows\system32\drivers\usbd.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-05 11:46 . 2011-09-28 09:46    151552    ----a-w-    c:\windows\KMSEmulator.exe
2013-11-04 18:26 . 2012-04-12 06:25    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-11-04 18:26 . 2011-09-27 20:45    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-16 12:11 . 2012-09-03 17:23    29280    ----a-w-    c:\windows\system32\drivers\klmouflt.sys
2013-10-16 12:11 . 2012-09-03 16:57    29280    ----a-w-    c:\windows\system32\drivers\klkbdflt.sys
2013-10-16 12:11 . 2013-05-24 11:50    90208    ----a-w-    c:\windows\system32\drivers\klflt.sys
2013-10-16 12:11 . 2013-05-24 11:50    626272    ----a-w-    c:\windows\system32\drivers\klif.sys
2013-10-16 12:10 . 2012-06-19 16:28    7717984    ----a-w-    c:\windows\system32\drivers\kl1.sys
2013-10-10 08:16 . 2011-09-27 17:48    80541720    ----a-w-    c:\windows\system32\MRT.exe
2013-09-03 13:35 . 2010-11-21 03:27    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-29 01:48 . 2013-10-10 08:14    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2012-12-20 17:20    459784    ----a-w-    c:\program files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\shellex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe" [2013-10-16 356128]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys;c:\windows\SYSNATIVE\DRIVERS\amppal.sys [x]
R3 cleanhlp;cleanhlp;c:\eek\Run\cleanhlp64.sys;c:\eek\Run\cleanhlp64.sys [x]
R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x64.sys;c:\windows\TEMP\cpuz135\cpuz135_x64.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys;c:\program files\PeerBlock\pbfilter.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 Te.Service;Te.Service;c:\program files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe;c:\program files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [x]
R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe;c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\DRIVERS\usb80236.sys;c:\windows\SYSNATIVE\DRIVERS\usb80236.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\DRIVERS\CSCrySec.sys;c:\windows\SYSNATIVE\DRIVERS\CSCrySec.sys [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\eek\RUN\a2ddax64.sys;c:\eek\RUN\a2ddax64.sys [x]
S1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\DRIVERS\CSVirtualDiskDrv.sys;c:\windows\SYSNATIVE\DRIVERS\CSVirtualDiskDrv.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]
S2 CSObjectsSrv;CryptoStorage control service;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [x]
S2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys;c:\windows\SYSNATIVE\DRIVERS\rimspe64.sys [x]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys;c:\windows\SYSNATIVE\DRIVERS\rixdpe64.sys [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys;c:\windows\SYSNATIVE\DRIVERS\AMPPAL.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys;c:\windows\SYSNATIVE\DRIVERS\WDKMD.sys [x]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-17 07:47    1185744    ----a-w-    c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-05 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-28 09:46]
.
2013-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-26 22:50]
.
2013-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-26 22:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2012-12-20 17:22    492040    ----a-w-    c:\program files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\shellex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayAdd]
@="{D4DD7FC6-066F-442a-A200-DD21649CF378}"
[HKEY_CLASSES_ROOT\CLSID\{D4DD7FC6-066F-442a-A200-DD21649CF378}]
2011-08-18 01:45    292144    ----a-w-    c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayControlled]
@="{EFF5DF4C-7662-4ed7-B533-837D3319D311}"
[HKEY_CLASSES_ROOT\CLSID\{EFF5DF4C-7662-4ed7-B533-837D3319D311}]
2011-08-18 01:45    292144    ----a-w-    c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayEdit]
@="{FF529703-3398-4c98-B88D-13F784CB10A2}"
[HKEY_CLASSES_ROOT\CLSID\{FF529703-3398-4c98-B88D-13F784CB10A2}]
2011-08-18 01:45    292144    ----a-w-    c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayLock]
@="{EAB6FC01-3462-4dc9-8C94-75582E3DC3CA}"
[HKEY_CLASSES_ROOT\CLSID\{EAB6FC01-3462-4dc9-8C94-75582E3DC3CA}]
2011-08-18 01:45    292144    ----a-w-    c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayRename]
@="{F15E94B9-9522-42bd-8A73-569BCBE5A5EA}"
[HKEY_CLASSES_ROOT\CLSID\{F15E94B9-9522-42bd-8A73-569BCBE5A5EA}]
2011-08-18 01:45    292144    ----a-w-    c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-12-08 710040]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2011-01-21 328048]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2012-01-04 1935120]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ie_banner_deny.htm
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://localhost:1174/Reserved.ReportViewerWebControl.axd?ReportSession=ixsziryxdes4om55pjyakbmk&Culture=2057&CultureOverrides=True&UICulture=1033&UICultureOverrides=True&ReportStack=1&ControlID=cc341fe14be44ff08558f3470216e7c0&OpType=PrintCab&Arch=X86
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\xsady6k7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
"Key"="ActionsPane3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0\Solutions\http://schemas.microsoft.com/office/smartdocuments/2003\0]
"Key"="http://schemas.microsoft.com/office/smartdocuments/2003"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0\Solutions\http://schemas.microsoft.com/office/smartdocuments/2003\0\{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}\Alias]
"0"="Microsoft Actions Pane 3"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-11-05  13:41:03
ComboFix-quarantined-files.txt  2013-11-05 13:40
ComboFix2.txt  2013-10-29 22:09
ComboFix3.txt  2013-10-29 10:24
ComboFix4.txt  2013-06-06 08:00
.
Pre-Run: 118,070,849,536 bytes free
Post-Run: 117,750,796,288 bytes free
.
- - End Of File - - AD05E79A64EC632183596CD5E40033C6
 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 06 November 2013 - 10:49 AM

Has the problem been solved?

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#6 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 06 November 2013 - 07:57 PM

The problem still remains.

 

Any non fqdn in the address bar still reverts to www.boardgames.co.uk.

 

Thanks for your help and here's the report.

 

I turned off anti virus before the scan btw

 

 Results of screen317's Security Check version 0.99.76  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Kaspersky PURE 3.0   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 JavaScript Tooling    
 Visual Studio Extensions for Windows Library for JavaScript
 Adobe Flash Player 11.9.900.117  
 Adobe Reader 10.1.1 Adobe Reader out of Date!  
 Google Chrome 30.0.1599.101  
 Google Chrome 30.0.1599.69  
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled!
 Kaspersky Lab Kaspersky PURE 3.0 avp.exe  
 Kaspersky Lab Kaspersky PURE 3.0 x64 wmi64.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 07 November 2013 - 09:15 AM

Kaspersky PURE 3.0
Antivirus out of date!

You should take immediate care of this.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Click the StartBtn.gif button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

Let me know if the problem persists.
<<<>>>

#8 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 07 November 2013 - 07:08 PM

Still the same unfortunately.

 

Thanks for the help by the way.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 08 November 2013 - 07:46 AM

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
 

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
=================

If that fails to fix the problem lets look at your registry settings in the URL/prefixes hive.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe
  • to run it.
  • Copy and paste the content
  • of the following bold text into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.[/*
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


#10 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 08 November 2013 - 07:26 PM

Sadly the fixreg didnt work....

 

SystemLook 30.07.11 by jpshortstuff
Log created at 00:29 on 09/11/2013 by Dad
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"


-= EOF =-



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 09 November 2013 - 08:33 AM

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
===

Launch Notepad, and copy and paste the Bolded text below into a new text file.
Save it as file name: fixme.reg. Save as file type: All files (*.*) and save it on your Desktop.
Just save the file do not run it yet. I will tell you when later.


REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000


Close all Browsers and Windows.
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

How is it now?

#12 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 10 November 2013 - 08:16 PM

Thanks for your help its appreciated.

 

I ran the script normally and in safe mode and got the following error.

 

"Cannot import c:\*** etc. Not all data was successful"ly written to the registry. Some keys are open by the system or other processes"

 

Tricky little bugger this one :~



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 11 November 2013 - 09:22 AM



I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with changes we are trying to make.

TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system. To refresh TeaTimer's snapshot files:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

When all is well restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.
===

Now run the Fixme.reg file.

If that fails to run execute thi.

Run the System tools one more time and paste this in the main text field.

:reg
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults


Post the log for my review.

#14 gobbers

gobbers
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 11 November 2013 - 11:51 AM

Hi.

 

I disabled both the anti virus and S&D but I was still getting the "Cannot import" error.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 16:49 on 11/11/2013 by Dad
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
(No values found)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"file"= 0x0000000003 (3)
"ftp"= 0x0000000003 (3)
"http"= 0x0000000003 (3)
"https"= 0x0000000003 (3)
"@ivt"= 0x0000000001 (1)
"shell"= 0x0000000000 (0)
"ldap"= 0x0000000004 (4)
"news"= 0x0000000004 (4)
"snews"= 0x0000000004 (4)
"nntp"= 0x0000000004 (4)
"oecmd"= 0x0000000004 (4)
"knownfolder"= 0x0000000000 (0)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"= 0x0000000003 (3)
"https"= 0x0000000003 (3)
"ftp"= 0x0000000003 (3)
"file"= 0x0000000003 (3)
"@ivt"= 0x0000000001 (1)
"shell"= 0x0000000000 (0)


-= EOF =-



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 11 November 2013 - 01:15 PM

Make sure you close all browsers and windows before running this .reg file.

Launch Notepad, and copy and paste the Bolded text below into a new text file.
Save it as file name: fixme.reg. Save as file type: All files (*.*) and save it on your Desktop.
 
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"file"= 0x0000000003 (3)
"ftp"= 0x0000000003 (3)
"http"= 0x0000000003 (3)
"https"= 0x0000000003 (3)
"@ivt"= 0x0000000001 (1)
"shell"= 0x0000000000 (0)
"ldap"= 0x0000000004 (4)
"news"= 0x0000000004 (4)
"snews"= 0x0000000004 (4)
"nntp"= 0x0000000004 (4)
"oecmd"= 0x0000000004 (4)
"knownfolder"= 0x0000000000 (0)
Close all Browsers and Windows.
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users