Qone8 infection


  • This topic is locked
55 replies to this topic

#1 goofyrp

goofyrp

  • Members
  • 89 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 15 November 2013 - 10:27 AM

My son's computer has become infected with Qone8. I have done a Microsoft Security Essentials scan as well as a safe-mode Rkill and Malwarebytes scan, but the infection continues.

What should we do next?

Here are the logs from RKill and Malwarebytes:

----------------------------

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/15/2013 07:03:59 AM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Possibly Patched Files.

 * C:\Windows\Explorer.EXE

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * C:\Windows\System32\UxTheme.dll : 332,288 : 10/19/2013 09:32 PM : 8bf20c54ffb37cfb960f708ffa813fa7 [NoSig]
 +-> C:\Windows\SysWOW64\uxtheme.dll : 245,760 : 07/13/2009 05:11 PM : 43964fa89ccf97ba6be34d69455ac65f [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_01d98c7b2040a1b9\uxtheme.dll : 332,288 : 07/13/2009 05:41 PM : d29e998e8277666982b4f0303bf4e7af [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_0c2e36cd54a163b4\uxtheme.dll : 245,760 : 07/13/2009 05:11 PM : 43964fa89ccf97ba6be34d69455ac65f [Pos Repl]

 * C:\Windows\explorer.exe : 2,388,992 : 02/24/2011 10:19 PM : 94a63cb472c37d70b7577afffab8c2ad [NoSig]
 +-> C:\Windows\SysWOW64\explorer.exe : 2,616,320 : 02/24/2011 09:30 PM : 8b88ebbb05a0e56b7dcc708498c02b3e [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe : 2,868,224 : 07/13/2009 05:39 PM : c235a51cb740e45ffa0ebfb9bafcda64 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe : 2,868,224 : 08/02/2009 10:17 PM : f170b4a061c9e026437b193b4d571799 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe : 2,870,272 : 10/30/2009 10:34 PM : 9aaaec8dac27aa17b053e6352ad233ae [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe : 2,870,272 : 02/25/2011 10:23 PM : 0862495e0c825893db75ef44faea8e93 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe : 2,868,224 : 08/02/2009 10:19 PM : 700073016dac1c3d2e7e2ce4223334b6 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe : 2,870,272 : 10/30/2009 10:38 PM : b8ec4bd49ce8f6fc457721bfc210b67f [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe : 2,870,784 : 02/25/2011 10:26 PM : e38899074d4951d31b4040e994dd7c8d [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe : 2,872,320 : 11/20/2010 05:24 AM : ac4c51eb24aa95b77f705ab159189e24 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe : 2,871,808 : 02/24/2011 10:19 PM : 332feab1435662fc6c672e25beb37be3 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe : 2,871,808 : 02/25/2011 10:14 PM : 3b69712041f3d63605529bd66dc00c48 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe : 2,613,248 : 07/13/2009 05:14 PM : 15bc38a7492befe831966adb477cf76f [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe : 2,613,248 : 08/02/2009 09:35 PM : b95eeb0f4e5efbf1038a35b3351cf047 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe : 2,614,272 : 10/30/2009 09:45 PM : 2626fc9755be22f805d3cfa0ce3ee727 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_b816eb59c7bb4020\explorer.exe : 2,614,784 : 02/25/2011 09:33 PM : 2af58d15edc06ec6fdacce1f19482bbf [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe : 2,613,248 : 08/02/2009 09:49 PM : 9ff6c4c91a3711c0a3b18f87b08b518d [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe : 2,614,272 : 10/30/2009 10:00 PM : c76153c7eca00fa852bb0c193378f917 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_b8ce9756e0b786a4\explorer.exe : 2,614,784 : 02/25/2011 09:51 PM : 255cf508d7cfb10e0794d6ac93280bd8 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe : 2,616,320 : 11/20/2010 04:17 AM : 40d777b7a95e00593eb1568c68514493 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe : 2,616,320 : 02/24/2011 09:30 PM : 8b88ebbb05a0e56b7dcc708498c02b3e [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe : 2,616,320 : 02/25/2011 09:19 PM : 0fb9c74046656d1579a64660ad67b746 [Pos Repl]

Checking HOSTS File:

 * No issues found.

Program finished at: 11/15/2013 07:09:01 AM
Execution time: 0 hours(s), 5 minute(s), and 2 seconds(s)

-----------------------------

Malwarebytes

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.15.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16736
Nathan :: NATHAN-PC [administrator]

11/15/2013 6:49:24 AM
mbam-log-2013-11-15 (06-49-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 267290
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\SProtector (PUP.Optional.SProtector.A) -> Quarantined and deleted successfully.
HKCU\Software\Conduit\FF (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\BabylonToolbar (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\qone8Software (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} (PUP.Optional.Qone8) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: zr2X2X1G1S1F2V1S2Q0V -> Quarantined and deleted successfully.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (PUP.Optional.Snapdo) -> Bad: (http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=f7dd1450-9194-4f9b-b84f-5f2eb296c8aa&searchtype=ds&q={searchTerms}) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|SearchAssistant (PUP.Optional.Snapdo) -> Bad: (http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=f7dd1450-9194-4f9b-b84f-5f2eb296c8aa&searchtype=ds&q={searchTerms}) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (PUP.Optional.Qone8) -> Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX) Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (Hijack.StartPage) -> Bad: (http://start.qone8.com/?type=hp&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|DefaultScope (PUP.Optional.Qone8) -> Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86}) Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}) -> Quarantined and repaired successfully.

Folders Detected: 9
C:\Users\Nathan\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\OpenCandy\4CA113584DC847B28A27EF8E47913C31 (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\OpenCandy\A14FF8E9712D42C68343449F0DA93D3D (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\DefaultTab\DefaultTab (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\xpi\defaults (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\xpi\defaults\preferences (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 67
C:\ProgramData\VisualBee\VisualBeeSoftware.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3032422492-1220116893-1521701072-1001\$R09Z4CT.exe (PUP.Optional.InstallMonetizer) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\awh4511.tmp (PUP.Optional.InstallMonetizer.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\bitool.dll (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ElectroLyrics_1060-4030_v122.exe (PUP.Optional.AdLyrics) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\FastFreeConverter_Somoto2.exe (PUP.Optional.FastFreeConverter.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\IminentSetup.exe (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsb1A8.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsbB609.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsdBBF9.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsdEAF3.tmp (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsg3816.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsg959D.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsj67DF.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsjB90C.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsl1A56.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsl596B.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nslABF.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsq4F91.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsq5719.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsq9D7C.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsqA95F.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nst1022.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nswADC4.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsy1300.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\Optimizer_Pro.exe (PUP.Optional.PCOptimizerPro) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\setup.exe (PUP.Optional.InstallMonetizer) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\sp-downloader.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\SPStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ToolbarHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\UpdateCheckerSetup.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\wajam_download.exe (PUP.Optional.Wajam) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\00294823\LQnb6SFi3fC.exe (PUP.Optional.MultiPlug.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\00294823\tyF_SaTxd_.dll (PUP.Optional.MultiPlug.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\Conduit\checktbexist.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\Conduit\mism.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\chLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\ctbe.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\ffLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\ieLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\spch.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\spff.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\statisticsStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\stub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\is-O1LD1.tmp\setup__1206.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\is-O1LD1.tmp\setup__1328.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\is-O1LD1.tmp\setup__1381.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\is1615585457\167062329_stp.EXE (PUP.Optional.OptimizerPro.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\is1615585457\167062259_stp\BuzzSearchSetup.exe (PUP.Optional.BuzzSearch.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nso7716.tmp-2\APN_ATU3_.exe (PUP.Optional.Spigot.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\nsx2A9D.tmp-2\APN_ATU3_.exe (PUP.Optional.Spigot.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\qone8.xml (PUP.Optional.Qone8.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\OpenCandy\4CA113584DC847B28A27EF8E47913C31\TrustWorthy_p1v2.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Roaming\OpenCandy\A14FF8E9712D42C68343449F0DA93D3D\TuneUpUtilities2013-2200318_en-US.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\conduit.xml (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\CT2998365.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\CT2998365.xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\initData.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\manifest.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\version.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\xpi\install.rdf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Nathan\AppData\Local\Temp\ct2998365\xpi\defaults\preferences\defaults.js (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:58 AM

Posted 15 November 2013 - 10:34 PM



Hello goofyrp

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 goofyrp

goofyrp
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 16 November 2013 - 07:03 PM

DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16736
Run by Nathan at 15:56:33 on 2013-11-16
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8103.6496 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\ehome\mcupdate.EXE
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = Preserve
uSearch Page = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
mStart Page = hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40
mSearch Page = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
mDefault_Page_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
uSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [LiveSupport] "C:\Program Files (x86)\LiveSupport\LiveSupport.exe" /noshow /log
uRun: [Google Update] "C:\Users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [D3DOverrider] "C:\Users\Nathan\Desktop\D3DOverrider\D3DOverrider\D3DOverriderWrapper.exe" /s
mRun: [ITSecMng] C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
StartupFolder: C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001040-0002-0040-ABCDEFFEDCBC} - <orphaned>
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
TCP: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{32FD004A-2FB4-4959-BC4B-42AA97275649} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{3E1FC29A-6BFA-40CC-B560-2FA559DD28E2} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{5A986ACE-93BF-4A41-BD71-E342CA9F1F51} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{63D9E44D-D1EC-4CCA-9F58-ED3C75F26C15} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{63D9E44D-D1EC-4CCA-9F58-ED3C75F26C15} : DHCPNameServer = 10.211.55.1
TCP: Interfaces\{6E8A8662-4D08-48C4-8018-E73C11A3C377} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{88F02973-95C5-4166-B70E-13AF4C90D2C4} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{D437C980-F188-4A3F-9C1B-7479C13DCDAE} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{D437C980-F188-4A3F-9C1B-7479C13DCDAE}\255637964656E63656F594E6E6F5D4F6277616E6F58496C6C6 : DHCPNameServer = 8.8.8.8 4.2.2.1
TCP: Interfaces\{D437C980-F188-4A3F-9C1B-7479C13DCDAE}\8686F6E6F62737 : DHCPNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://start.qone8.com/?type=hp&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX
x64-mSearch Page = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
x64-mDefault_Search_URL = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\Bootcamp.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40&l=1&q=
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Vizzed\Vizzed Retro Game Room\NpVizzedRgr.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Nathan\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Users\Nathan\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Nathan\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Nathan\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: extensions.enabledAddons - sp2@sp.com:1.0
FF - user.js: extensions.shownSelectionUI - true
FF - user.js: extensions.enabledScopes - 15
user_pref(extensions.newAddons,false);
.
.
.
.
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\System32\drivers\AppleHFS.sys [2013-1-16 73016]
R0 AppleMNT;AppleMNT;C:\Windows\System32\drivers\AppleMNT.sys [2013-1-16 16696]
R0 BtHidBus;Bluetooth HID Bus Service;C:\Windows\System32\drivers\BtHidBus.sys [2011-12-21 25056]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\System32\AppleOSSMgr.exe [2013-1-16 226144]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\System32\AppleTimeSrv.exe [2013-1-16 94560]
R2 KeyAgent;KeyAgent;C:\Windows\System32\drivers\KeyAgent.sys [2013-1-16 18232]
R2 MacHALDriver;Mac HAL;C:\Windows\System32\drivers\MacHALDriver.sys [2013-1-16 23352]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 139616]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-22 363800]
R3 bScsiSDa;bScsiSDa;C:\Windows\System32\drivers\bScsiSDa.sys [2013-10-18 70744]
R3 CirrusFilter;CS420xLowerFilter;C:\Windows\System32\drivers\CS420x64.sys [2011-12-22 18432]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2013-10-18 169752]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-12-10 342528]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\System32\drivers\IRFilter.sys [2011-12-22 18432]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-8-12 366600]
R3 vjoy;vJoy Device;C:\Windows\System32\drivers\vjoy.sys [2013-11-10 36824]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\System32\drivers\AppleBtBc.sys [2012-12-10 20480]
S3 AppleDisplayFlt;Apple Display Driver;C:\Windows\System32\drivers\aaplmonf.sys [2011-12-22 10752]
S3 AppleODD;Apple ODD;C:\Windows\System32\drivers\AppleODD.sys [2011-12-22 8704]
S3 IvtAudioBusSrv;IvtAudioBusSrv;C:\Windows\System32\drivers\IvtBtBus.sys [2012-12-24 27256]
S3 IvtPanBusSrv;IvtPanBusSrv;C:\Windows\System32\drivers\btnetBus.sys [2012-12-24 31480]
S3 KeyMagic;USB Keyboard HID Filter;C:\Windows\System32\drivers\KeyMagic.sys [2011-12-22 32256]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-10-26 115272]
S3 prl_dd;Parallels Display Adapter (WDDM);C:\Windows\System32\drivers\prl_kmdd.sys [2013-7-17 157952]
S3 pspdisp;pspdisp;C:\Windows\System32\drivers\pspdisp_x64.sys [2010-9-16 4608]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-12-29 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2013-4-12 117520]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-28 1255736]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2052-06-12 08:29:24 4263 --sh--w- C:\Windows\windllreg1c.sys
2013-11-15 05:26:15 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63E6C831-36A2-40A6-B25D-F80D2B3BAAC3}\mpengine.dll
2013-11-14 12:06:30 -------- d-----w- C:\Windows\rescache
2013-11-14 03:13:04 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-11-14 03:13:03 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-11-14 00:31:39 -------- d-----w- C:\Program Files (x86)\Paint XP
2013-11-13 22:06:59 10280728 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-12 20:19:44 40960 ----a-r- C:\Users\Nathan\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2013-11-12 20:19:44 40960 ----a-r- C:\Users\Nathan\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2013-11-12 20:19:42 -------- d-----w- C:\Program Files (x86)\Project64 1.6
2013-11-12 20:18:49 -------- d-----w- C:\Users\Nathan\AppData\Roaming\0S1F1O2Z0S2Y1H1T
2013-11-11 00:31:25 -------- d-----w- C:\Program Files\Adobe Flash Professional CS6
2013-11-10 21:54:49 36824 ----a-w- C:\Windows\System32\drivers\vjoy.sys
2013-11-10 21:54:48 11968 ----a-w- C:\Windows\System32\drivers\hidkmdf.sys
2013-11-10 21:54:48 -------- d-----w- C:\Program Files\vJoy
2013-11-10 21:48:02 -------- d-----w- C:\Users\Nathan\AppData\Local\Toshiba
2013-11-09 04:05:18 40832 ----a-w- C:\Windows\System32\drivers\TosBtCi.dll
2013-11-09 04:04:53 -------- d-----w- C:\Program Files (x86)\Toshiba
2013-11-08 05:33:15 -------- d-----w- C:\Users\Nathan\AppData\Roaming\.technic
2013-11-07 02:03:20 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EEAD1376-FAE5-488F-A6F7-E78326344CB4}\gapaengine.dll
2013-11-06 05:48:08 736952 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2013-11-05 22:38:47 -------- d-----w- C:\ProgramData\easetech
2013-11-05 22:38:45 -------- d-----w- C:\Program Files (x86)\EaseAudioConverter
2013-11-05 14:59:41 839680 ----a-w- C:\Windows\SysWow64\lameACM.acm
2013-11-05 14:56:03 -------- d-----w- C:\ProgramData\WinterSoft
2013-11-05 14:55:41 -------- d-----w- C:\Program Files (x86)\WebSearch
2013-11-05 14:55:34 -------- d-----w- C:\Program Files (x86)\ss helper
2013-11-05 14:55:22 -------- d-----w- C:\Users\Nathan\AppData\Local\Packages
2013-11-05 14:55:22 -------- d-----w- C:\ProgramData\Downaload keeper
2013-11-05 14:55:22 -------- d-----w- C:\ProgramData\63e6cd2baa65d3ff
2013-11-05 04:28:07 -------- d-----w- C:\Program Files (x86)\Pegasys Inc
2013-11-04 02:05:11 -------- d-----w- C:\ProgramData\Pivot Animator
2013-11-04 02:04:12 -------- d-----w- C:\Program Files (x86)\Pivot Animator
2013-10-30 22:44:13 -------- d-----w- C:\Program Files (x86)\sp
2013-10-28 23:49:15 -------- d-----w- C:\Program Files\Common Files\VST2
2013-10-28 03:37:33 255552 ----a-w- C:\Windows\System32\drivers\mcdbus.sys
2013-10-27 23:58:40 73728 ----a-w- C:\Windows\system\vdremote.dll
2013-10-27 23:58:34 65536 ----a-w- C:\Windows\system\vdsvrlnk.dll
2013-10-27 23:10:19 -------- d-----w- C:\Users\Nathan\AppData\Roaming\PSPdisp
2013-10-27 22:21:45 -------- d-----w- C:\Users\Nathan\New folder
2013-10-27 04:34:40 -------- d-----w- C:\Users\Nathan\AppData\Roaming\GameMaker-Studio
2013-10-27 04:34:11 -------- d-----w- C:\Program Files\GameMaker-Studio 1.2
2013-10-27 04:23:09 -------- d-----w- C:\Users\Nathan\GameMaker-Studio 1.1
2013-10-27 04:03:41 -------- d-----w- C:\Users\Nathan\AppData\Local\Studio
2013-10-27 03:08:29 -------- d-----w- C:\Users\Nathan\Desltop
2013-10-27 02:46:15 115272 ----a-w- C:\Windows\System32\drivers\MijXfilt.sys
2013-10-26 22:24:10 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-10-26 22:24:10 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-10-26 22:24:10 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-10-26 22:24:10 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-10-26 22:24:10 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-10-26 22:24:10 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-10-26 22:24:10 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-10-26 01:51:45 -------- d-----w- C:\Program Files (x86)\ReadPlease 2003
2013-10-25 02:43:08 251664 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2013-10-25 02:42:45 126736 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2013-10-25 02:42:37 -------- d-----w- C:\Program Files\Oracle
2013-10-24 22:29:00 -------- d-----w- C:\Users\Nathan\AppData\Local\Bundled software uninstaller
2013-10-20 04:21:30 -------- d-----w- C:\Program Files (x86)\Vizzed
2013-10-19 04:41:46 -------- d-----w- C:\Program Files\Boot Camp
2013-10-19 04:41:18 20992 ----a-w- C:\Windows\System32\OpenCL.dll
2013-10-19 04:41:18 144896 ----a-w- C:\Windows\System32\IntelOpenCL64.dll
2013-10-19 04:41:16 17920 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2013-10-19 04:41:16 104448 ----a-w- C:\Windows\SysWow64\IntelOpenCL32.dll
2013-10-19 04:37:40 60184 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-10-19 04:35:38 75152 ----a-w- C:\Windows\System32\CirrusAPO_x64.dll
2013-10-19 04:34:27 70744 ----a-w- C:\Windows\System32\drivers\bScsiSDa.sys
2013-10-19 04:34:03 433976 ----a-w- C:\Windows\System32\drivers\b57nd60a.sys
2013-10-19 04:33:28 95584 ----a-w- C:\Windows\System32\bcmwlcoi.dll
2013-10-19 04:33:28 4884072 ----a-w- C:\Windows\System32\drivers\BCMWL664.SYS
2013-10-19 04:33:28 3906448 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
2013-10-19 04:33:28 3572112 ----a-w- C:\Windows\System32\bcmihvui64.dll
2013-10-19 02:47:45 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2013-10-19 02:47:45 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2013-10-19 02:47:45 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2013-10-19 02:47:45 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2013-10-19 02:47:45 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2013-10-18 02:29:14 -------- d--h--w- C:\.Trashes
2013-10-18 01:22:30 -------- d-----w- C:\Windows\System32\cfg
.
==================== Find3M  ====================
.
2013-10-20 05:38:45 44544 ----a-w- C:\Windows\System32\themeservice.dll
2013-10-20 05:32:03 332288 ----a-w- C:\Windows\System32\uxtheme.dll
2013-10-20 05:32:01 2851840 ----a-w- C:\Windows\System32\themeui.dll
2013-10-15 19:38:24 154896 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2013-10-15 19:38:24 140560 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2013-10-15 19:35:12 204048 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
2013-10-12 08:45:20 2241536 ----a-w- C:\Windows\System32\wininet.dll
2013-10-12 08:43:37 3959808 ----a-w- C:\Windows\System32\jscript9.dll
2013-10-12 08:43:32 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-10-12 08:43:32 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-10-12 07:03:50 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-12 07:02:33 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-10-12 07:02:29 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-10-12 07:02:29 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-10-12 06:35:26 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-10-12 06:08:58 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-10-12 05:44:38 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-10-12 05:15:39 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-09 12:14:21 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 12:14:21 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-10-04 01:58:50 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-09-28 01:09:10 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll
2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll
2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2013-09-25 01:58:17 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe
2013-09-24 03:22:26 925184 ----a-w- C:\Windows\expstart.exe
2013-09-13 01:36:38 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-09-13 01:36:35 973736 ----a-w- C:\Windows\System32\deployJava1.dll
2013-09-13 01:36:35 1095080 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-09-11 03:22:51 868264 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-09-11 03:22:51 790440 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-09-11 02:56:16 0 ----a-w- C:\Windows\SysWow64\RENCFF5.tmp
2013-09-11 02:56:16 0 ----a-w- C:\Windows\SysWow64\RENCFE4.tmp
2013-09-11 02:56:16 0 ----a-w- C:\Windows\SysWow64\RENCFE3.tmp
2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll
2013-08-29 02:17:48 5549504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-29 02:16:14 859648 ----a-w- C:\Windows\System32\tdh.dll
2013-08-29 02:13:28 878080 ----a-w- C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45 3969472 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16 619520 ----a-w- C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17 640512 ----a-w- C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-08-28 01:12:33 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2013-08-22 17:09:56 217176 ----a-w- C:\Windows\SysWow64\unrar.dll
2013-05-15 03:27:23 134470 ----a-w- C:\Program Files (x86)\Uninstal.exe
2008-06-23 19:41:03 17574665 ----a-w- C:\Program Files (x86)\powerpuffz.exe
2008-02-13 22:32:42 1060864 ----a-w- C:\Program Files (x86)\MFC71.dll
2008-12-21 21:46:54 351744 --sha-w- C:\Windows\SysWOW64\avisynth.dll
2005-07-14 19:31:20 32256 --sh--w- C:\Windows\SysWOW64\AVSredirect.dll
2004-01-25 07:00:00 70656 --sh--w- C:\Windows\SysWOW64\i420vfw.dll
.
============= FINISH: 15:59:56.06 ===============
attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume4
Install Date: 12/22/2011 1:30:50 PM
System Uptime: 11/16/2013 3:49:51 PM (0 hours ago)
.
Motherboard: Apple Inc. |  | Mac-8ED6AF5B48C039E1
Processor: Intel® Core™ i5-2415M CPU @ 2.30GHz | U2E1 | 782/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 141 GiB total, 1.306 GiB free.
D: is FIXED (HFS) - 324 GiB total, 25.704 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {7240100f-6512-4548-8418-9ebb5c6a1a94}
Description: Bluetooth RFCOMM
Device ID: ROOT\BLUETOOTH\0001
Manufacturer: TOSHIBA
Name: Bluetooth RFCOMM
PNP Device ID: ROOT\BLUETOOTH\0001
Service: tosrfcom
.
==== System Restore Points ===================
.
RP527: 11/14/2013 10:03:54 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.20
7-Zip 9.20 (x64 edition)
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.6
Any Video Converter 5.0.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AviSynth 2.5
Bandicam
Bandisoft MPEG-1 Decoder
Bluetooth Stack for Windows by Toshiba
Bonjour
Boot Camp Services
D3DX10
Epson Event Manager
EPSON NX510 Series Printer Uninstall
EPSON Scan
EpsonNet Print
EpsonNet Setup
FL Studio 11
GameMaker-Studio 1.2
Google Chrome
Google Talk Plugin
Google Update Helper
iCloud
IL Download Manager
IL DrumSynth Live
IL Shared Libraries
ImgBurn
Intel® Management Engine Components
Intel® Processor Graphics
Intel® SDK for OpenCL - CPU Only Runtime Package
iTunes
Java 7 Update 40 (64-bit)
K-Lite Codec Pack 4.6.2 (Full)
Malwarebytes Anti-Malware version 1.75.0.1300
MediaHuman YouTube to MP3 Converter version 3.1.7
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 4.0
Movie Maker
Mozilla Firefox 25.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT Redists
MSVCRT110
MSVCRT110_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenAL
Oracle VM VirtualBox 4.3.0
Paint XP version 1.2
Photo Common
Photo Gallery
Pivot Animator version 4.1.10
Project64 1.6
Project64 Packages
QuickTime
ReadPlease 2003/ReadPlease PLUS 2003
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Skype™ 6.10
SlimDX Runtime .NET 2.0 (January 2012)
Steam
Strongvault Online Backup
swMSM
Trainz Simulator 12
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2836939v3)
Vegas Pro 12.0 (64-bit)
Vizzed Retro Game Room
vJoy Device Driver version 2.0.2
Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net  (02/01/2008 3.10.3.10)
Windows Driver Package - Apple Inc. Apple Bluetooth (03/01/2010 3.0.0.5)
Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1)
Windows Driver Package - Apple Inc. Apple Broadcom Bluetooth (04/27/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Broadcom Bluetooth (10/29/2012 5.0.1.0)
Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0)
Windows Driver Package - Apple Inc. Apple Display (01/23/2009 3.0.0.0)
Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0)
Windows Driver Package - Apple Inc. Apple Keyboard (05/05/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Keyboard (10/29/2012 5.0.3.0)
Windows Driver Package - Apple Inc. Apple Multitouch (05/05/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Multitouch (09/11/2012 4.0.3.0)
Windows Driver Package - Apple Inc. Apple Multitouch Mouse (05/05/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Multitouch Mouse (09/11/2012 4.0.3.0)
Windows Driver Package - Apple Inc. Apple ODD (05/17/2010 3.1.0.0)
Windows Driver Package - Apple Inc. Apple System Device (04/05/2011 3.2.0.8)
Windows Driver Package - Apple Inc. Apple System Device (08/28/2012 5.0.0.0)
Windows Driver Package - Apple Inc. Apple Trackpad (07/13/2009 3.0.0.1)
Windows Driver Package - Apple Inc. Apple Trackpad Enabler (07/13/2009 3.0.0.1)
Windows Driver Package - Apple Inc. Apple Wireless Mouse (06/01/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Wireless Trackpad (01/17/2011 3.2.0.0)
Windows Driver Package - Apple Inc. Apple Wireless Trackpad (10/29/2011 5.0.0.0)
Windows Driver Package - Atheros Communications Inc. (athr) Net  (11/13/2010 9.2.0.113)
Windows Driver Package - Broadcom (b57nd60a) Net  (09/04/2012 15.4.0.17)
Windows Driver Package - Broadcom (b57nd60a) Net  (12/02/2010 14.4.2.2)
Windows Driver Package - Broadcom (B57ports) Net  (06/16/2009 1.0.0.1)
Windows Driver Package - Broadcom (BCM43XX) Net  (06/16/2011 5.100.98.78)
Windows Driver Package - Broadcom (BCM43XX) Net  (11/13/2012 5.106.199.1)
Windows Driver Package - Broadcom Corporation (bScsiSDa) SDHost  (01/18/2011 1.0.0.220)
Windows Driver Package - Broadcom Corporation (bScsiSDa) SDHost  (08/14/2012 1.0.0.243)
Windows Driver Package - Cirrus Logic, Inc. (CirrusFilter) MEDIA  (04/14/2011 6.6001.1.32)
Windows Driver Package - Cirrus Logic, Inc. (CirrusFilter) MEDIA  (11/09/2012 6.6001.1.38)
Windows Driver Package - Intel (e1express) Net  (03/26/2010 9.13.41.0)
Windows Driver Package - Intel (e1kexpress) Net  (04/12/2010 11.6.92.0)
Windows Driver Package - Intel (e1qexpress) Net  (12/04/2009 11.4.7.0)
Windows Driver Package - Intel (e1rexpress) Net  (01/07/2010 11.4.16.0)
Windows Driver Package - Intel (e1yexpress) Net  (04/07/2010 10.1.9.0)
Windows Driver Package - Intel System  (07/20/2007 1.2.76.0)
Windows Driver Package - Marvell (yukonx64) Net  (12/06/2007 10.51.1.3)
Windows Driver Package - NVIDIA Corporation (NVHDA) MEDIA  (07/03/2012 1.3.18.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
.
==== Event Viewer Messages From Past Week ========
.
11/16/2013 3:52:00 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
11/15/2013 8:25:33 AM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 7:24:24 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/15/2013 7:04:12 AM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 7:03:07 AM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 7:02:53 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/15/2013 7:02:53 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11/15/2013 7:02:48 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/15/2013 7:02:40 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/15/2013 7:02:28 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21
11/15/2013 7:02:12 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cdrom discache MpFilter spldr Tosrfcom VBoxDrv VBoxUSBMon Wanarpv6
11/15/2013 7:02:08 AM, Error: Service Control Manager [7001]  - The Microsoft Network Inspection System service depends on the Microsoft Malware Protection Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/15/2013 6:37:43 AM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 6:34:25 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
11/15/2013 6:34:25 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
11/15/2013 6:33:22 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Tosrfcom VBoxDrv VBoxUSBMon vwififlt Wanarpv6 WfpLwf
11/15/2013 6:33:22 AM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 6:33:22 AM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
11/15/2013 6:33:22 AM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 6:33:22 AM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 6:33:22 AM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 6:33:22 AM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/15/2013 6:33:18 AM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
11/15/2013 6:33:18 AM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
11/15/2013 6:33:18 AM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/15/2013 6:33:18 AM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
11/14/2013 4:11:06 AM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
11/12/2013 12:20:33 PM, Error: Service Control Manager [7031]  - The Update BuzzSearch service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/10/2013 1:29:30 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================
 



#4 gringo_pr

  • Malware Response Team

Posted 18 November 2013 - 12:36 PM



Hello goofyrp

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete, let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



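The AdwCleaner scan requested above reports three kinds of hijacker residue that also show up in the log posted later in this thread: browser shortcuts whose arguments carry a start.qone8.com URL, Internet Explorer Start Page / Search Page registry values, and Firefox prefs.js user_pref lines that point search at an unfamiliar host. As an added example, not part of the thread and not AdwCleaner's or JRT's own code, this Python script applies those same three checks offline to constructed samples modelled on that log; the KNOWN_SEARCH_HOSTS allow-list is an assumption, not a vendor default.

```python
"""Added example (not from the thread or from AdwCleaner): flag the three kinds of
browser-hijacker residue the AdwCleaner log reports. All inputs below are constructed
samples modelled on that log; URLs stay defanged as hxxp:// and nothing touches a live
system. KNOWN_SEARCH_HOSTS is an assumed allow-list, not a vendor default."""
import re
from urllib.parse import urlparse

# Hosts a clean browser would plausibly point its home/search settings at (assumption).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com",
                      "go.microsoft.com", "www.mozilla.org"}
# Firefox preference names that control search and the home page (seen in the log).
WATCHED_PREF_PREFIXES = ("browser.search.", "browser.startup.homepage", "keyword.URL")
# IE registry values under ...\Internet Explorer\Main and \SearchUrl that set the same.
IE_WATCHED_VALUES = {"Start Page", "Search Page", "Default_Search_URL", "Default"}
BROWSER_EXES = ("firefox.exe", "chrome.exe", "iexplore.exe")

_PREF_RE = re.compile(r'user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')
# Matches live (http/https) and defanged (hxxp/hxxps) URLs.
_URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s"\')]+', re.IGNORECASE)


def parse_user_prefs(text):
    """Return {name: raw value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def host_of(url):
    """Lower-cased host of a live or defanged URL ('' if there is none)."""
    return urlparse(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)).hostname or ""


def suspicious_prefs(prefs):
    """Search/home prefs pointing at unknown hosts, plus prefs that store script."""
    findings = []
    for name, value in prefs.items():
        if name.endswith(".scode"):          # the log's extensions.*.scode entries
            findings.append((name, "inline script stored in a preference"))
            continue
        if not name.startswith(WATCHED_PREF_PREFIXES):
            continue
        for url in _URL_RE.findall(value):
            host = host_of(url)
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append((name, host))
    return findings


def suspicious_ie_settings(settings):
    """settings: {(registry key, value name): data}. Flags unknown search/home hosts."""
    findings = []
    for (key, value_name), data in settings.items():
        if value_name in IE_WATCHED_VALUES:
            host = host_of(data)
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append((f"{key} [{value_name}]", host))
    return findings


def shortcut_hijacked(target, arguments):
    """A browser .lnk should carry no URL argument; every shortcut in the log did."""
    return target.lower().endswith(BROWSER_EXES) and bool(_URL_RE.search(arguments))


# ---- constructed samples (shapes copied from the log, values trimmed) ----
SAMPLE_PREFS_JS = r'''
user_pref("browser.search.defaultenginename,S", "WebSearch");
user_pref("browser.search.defaulturl", "hxxp://websearch.search-guide.info/?pid=34&l=1&q=");
user_pref("browser.startup.homepage", "https://www.mozilla.org/firefox/");
user_pref("extensions.CEp_HpzIIDU.scode", "(function(){if(window.self==window.top){}})()");
user_pref("extensions.BabylonToolbar.prtkDS", 0);
'''
SAMPLE_IE_SETTINGS = {
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page"): "https://www.bing.com/",
    (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main", "Search Page"):
        "hxxp://start.qone8.com/web/?type=ds&q={searchTerms}",
    (r"HKCU\Software\Microsoft\Internet Explorer\SearchUrl", "Default"):
        "hxxp://feed.snap.do/?searchtype=ds&q={searchTerms}",
}
SAMPLE_SHORTCUTS = [  # (shortcut target, shortcut arguments)
    (r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe", "hxxp://start.qone8.com/?type=sc&from=amt"),
    (r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", ""),
    (r"C:\Windows\notepad.exe", "readme.txt"),
]


def scan_samples():
    """Run all three checks over the samples and return one report line per finding."""
    report = [f"prefs.js: {n} -> {why}" for n, why in suspicious_prefs(parse_user_prefs(SAMPLE_PREFS_JS))]
    report += [f"IE: {where} -> {host}" for where, host in suspicious_ie_settings(SAMPLE_IE_SETTINGS)]
    for target, args in SAMPLE_SHORTCUTS:
        if shortcut_hijacked(target, args):
            report.append(f"shortcut: {target} -> {host_of(_URL_RE.search(args).group(0))}")
    return report


if __name__ == "__main__":
    for line in scan_samples():
        print(line)
```

On a real machine the same functions would be fed the contents of the profile's prefs.js, the exported Internet Explorer Main/SearchUrl values, and the target/arguments of each browser .lnk, which is exactly the data the AdwCleaner report lists.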

#5 goofyrp

  • Topic Starter


Posted 18 November 2013 - 09:58 PM

AdwCleaner ran but would not clean anything. It created a log, but when you clicked Clean it just closed out. I ran it 4 times trying to get it to work.

 

# AdwCleaner v3.012 - Report created 18/11/2013 at 18:36:38
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Nathan - NATHAN-PC
# Running from : D:\Users\nathanparrish\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Program Files (x86)\Mozilla Firefox\nsprotector.js
File Found : C:\Users\Nathan\AppData\Local\Temp\Uninstall.exe
File Found : C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\searchplugins\bingp.xml
File Found : C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\searchplugins\Conduit.xml
File Found : C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\searchplugins\WebSearch.xml
File Found : C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\user.js
Folder Found : C:\Users\Nathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo
Folder Found : C:\Users\Nathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kheelobnibmchifldedamogdmhemfjio
Folder Found : C:\Users\Nathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kheelobnibmchifldedamogdmhemfjio
Folder Found C:\Program Files (x86)\MyPC Backup
Folder Found C:\Program Files (x86)\Nation Toolbar
Folder Found C:\Program Files (x86)\NCH Software
Folder Found C:\Program Files (x86)\WebSearch
Folder Found C:\ProgramData\Ask
Folder Found C:\ProgramData\Babylon
Folder Found C:\ProgramData\Downaload keeper
Folder Found C:\ProgramData\NCH Software
Folder Found C:\ProgramData\siaavensshhare
Folder Found C:\ProgramData\Tarma Installer
Folder Found C:\ProgramData\VisualBee
Folder Found C:\Users\Nathan\AppData\Local\Bundled software uninstaller
Folder Found C:\Users\Nathan\AppData\Local\Conduit
Folder Found C:\Users\Nathan\AppData\Local\Temp\AirInstaller
Folder Found C:\Users\Nathan\AppData\Local\Temp\Conduit
Folder Found C:\Users\Nathan\AppData\Local\TempDir
Folder Found C:\Users\Nathan\AppData\Local\visualbeeexe
Folder Found C:\Users\Nathan\AppData\LocalLow\Conduit
Folder Found C:\Users\Nathan\AppData\LocalLow\PriceGong
Folder Found C:\Users\Nathan\AppData\Roaming\DefaultTab
Folder Found C:\Users\Nathan\AppData\Roaming\SendSpace
Folder Found C:\Users\Nathan\AppData\Roaming\strongvault

***** [ Shortcuts ] *****

Shortcut Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )
Shortcut Found : C:\Users\Nathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk ( hxxp://start.qone8.com/?type=sc&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX )

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\smartbar
Key Found : HKCU\Software\BI
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\Google\Chrome\Extensions\kheelobnibmchifldedamogdmhemfjio
Key Found : HKCU\Software\Google\Chrome\Extensions\kheelobnibmchifldedamogdmhemfjio
Key Found : HKCU\Software\InstalledThirdPartyPrograms
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FC36B0BD-27F0-4CDD-8AB1-50651EFC3EFD}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC36B0BD-27F0-4CDD-8AB1-50651EFC3EFD}
Key Found : HKCU\Software\Nation Toolbar
Key Found : HKCU\Software\NCH Software
Key Found : HKCU\Software\smartbar
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\visualbee
Key Found : HKCU\Software\WEDLMNGR
Key Found : [x64] HKCU\Software\BI
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Cr_Installer
Key Found : [x64] HKCU\Software\InstalledThirdPartyPrograms
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : [x64] HKCU\Software\Nation Toolbar
Key Found : [x64] HKCU\Software\NCH Software
Key Found : [x64] HKCU\Software\smartbar
Key Found : [x64] HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\visualbee
Key Found : [x64] HKCU\Software\WEDLMNGR
Key Found : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Found : HKLM\SOFTWARE\Classes\AppID\{3A188115-B81B-48F2-A958-F974C8F3F309}
Key Found : HKLM\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}
Key Found : HKLM\SOFTWARE\Classes\AppID\SMBarBroker.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FC36B0BD-27F0-4CDD-8AB1-50651EFC3EFD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{78CE34FD-F6D4-4866-B79C-A37268D06A04}
Key Found : HKLM\SOFTWARE\Classes\Interface\{80904944-C726-4C7D-A452-3FFF2A882095}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2998365
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\kheelobnibmchifldedamogdmhemfjio
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\kheelobnibmchifldedamogdmhemfjio
Key Found : HKLM\Software\InfoAtoms
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SnapDo_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SnapDo_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_mario-paint-composer_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_mario-paint-composer_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasmancs
Key Found : HKLM\Software\Nation Toolbar
Key Found : HKLM\Software\NCH Software
Key Found : HKLM\Software\SP Global
Key Found : HKLM\Software\SProtector
Key Found : HKLM\Software\visualbee
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{78CE34FD-F6D4-4866-B79C-A37268D06A04}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{80904944-C726-4C7D-A452-3FFF2A882095}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Found : [x64] HKLM\SOFTWARE\InstalledThirdPartyPrograms
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Key Found : [x64] HKLM\SOFTWARE\Tarma Installer
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Search Page] - hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
Setting Found : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default] - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=f7dd1450-9194-4f9b-b84f-5f2eb296c8aa&searchtype=ds&q={searchTerms}
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default] - hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=f7dd1450-9194-4f9b-b84f-5f2eb296c8aa&searchtype=ds&q={searchTerms}
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://start.qone8.com/?type=hp&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}

-\\ Mozilla Firefox v25.0 (en-US)

[ File : C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\prefs.js ]

Line Found : user_pref("aol_toolbar.default.homepage.check", false);
Line Found : user_pref("aol_toolbar.default.search.check", false);
Line Found : user_pref("browser.search.defaultenginename,S", "WebSearch");
Line Found : user_pref("browser.search.defaulturl", "hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40&l=1&q=");
Line Found : user_pref("browser.search.order.1", "WebSearch");
Line Found : user_pref("browser.search.order.1,S", "WebSearch");
Line Found : user_pref("browser.search.selectedEngine,S", "WebSearch");
Line Found : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Found : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Found : user_pref("extensions.CEp_HpzIIDU.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if (window.self.location.protocol.indexOf('hxxp') > -1 && window.self == win[...]
Line Found : user_pref("extensions.TjQI5f_SwZBo.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self==window.top){var script=document.createElement(\"script\");s[...]
Line Found : user_pref("extensions.crossrider.bic", "142265bc58f4eb3f89feefa9295c0a9d");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "WebSearch");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "WebSearch");
Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40");
Line Found : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40&l=1&q=");
Line Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Found : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v31.0.1650.57

[ File : C:\Users\Nathan\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [17711 octets] - [19/11/2013 02:21:09]
AdwCleaner[R1].txt - [17772 octets] - [19/11/2013 02:26:22]
AdwCleaner[R2].txt - [17833 octets] - [18/11/2013 18:31:08]
AdwCleaner[R3].txt - [17894 octets] - [18/11/2013 18:33:53]
AdwCleaner[R4].txt - [17629 octets] - [18/11/2013 18:36:38]

########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [17690 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by Nathan on Mon 11/18/2013 at 18:38:42.30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\livesupport
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113}
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\searchURL\\Default

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\smbarbroker.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\bi
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\cr_installer
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\livesupport
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\visualbee
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\crossrider
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\babylon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\visualbee
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mybabylontb_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mybabylontb_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\snapdo_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\snapdo_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\wajam_install_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\wajam_install_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\wajamupdater_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\wajamupdater_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\sp global
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\sprotector
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2998365
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111251155}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\SoftonicDownloader_for_mario-paint-composer_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\SoftonicDownloader_for_mario-paint-composer_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\VisualBeeClientSilent-softonic_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\VisualBeeClientSilent-softonic_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110111251155}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\SoftonicDownloader_for_mario-paint-composer_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\SoftonicDownloader_for_mario-paint-composer_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\VisualBeeClientSilent-softonic_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\VisualBeeClientSilent-softonic_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

 

~~~ Files

Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\nsprotector.js"
Successfully deleted: [File] "C:\end"

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\ProgramData\strongvault online backup"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\ProgramData\visualbee"
Successfully deleted: [Folder] "C:\Users\Nathan\AppData\Roaming\defaulttab"
Successfully deleted: [Folder] "C:\Users\Nathan\AppData\Roaming\strongvault"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\local\cre"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\local\stronghold_llc"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\local\strongvault online backup"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\local\tempdir"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\local\visualbeeexe"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\Nathan\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"
Successfully deleted: [Folder] "C:\Program Files (x86)\websearch"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Successfully deleted: [Folder] "C:\ProgramData\ask"

 

~~~ FireFox

Successfully deleted: [File] C:\user.js
Successfully deleted: [File] C:\Users\Nathan\AppData\Roaming\mozilla\firefox\profiles\hgux3hc8.default\user.js
Successfully deleted: [File] C:\Users\Nathan\AppData\Roaming\mozilla\firefox\profiles\hgux3hc8.default\searchplugins\conduit.xml
Successfully deleted: [File] C:\Users\Nathan\AppData\Roaming\mozilla\firefox\profiles\hgux3hc8.default\searchplugins\websearch.xml
Successfully deleted the following from C:\Users\Nathan\AppData\Roaming\mozilla\firefox\profiles\hgux3hc8.default\prefs.js

user_pref("browser.search.defaultenginename,S", "WebSearch");
user_pref("browser.search.defaulturl", "hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40&l=1&q=");
user_pref("browser.search.order.1", "WebSearch");
user_pref("browser.search.order.1,S", "WebSearch");
user_pref("browser.search.selectedEngine,S", "WebSearch");
user_pref("extensions.BabylonToolbar.prtkDS", 0);
user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
user_pref("extensions.CEp_HpzIIDU.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if (window.self.location.protocol.indexOf('hxxp') >
user_pref("extensions.TjQI5f_SwZBo.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self==window.top){var script=document.cr
user_pref("extensions.crossrider.bic", "142265bc58f4eb3f89feefa9295c0a9d");
user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "WebSearch");
user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "WebSearch");
user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40");
user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://websearch.search-guide.info/?pid=34&r=2013/11/05&hid=7164085650025430402&lg=EN&cc=US&unqvl=40&l=1&q=");
user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
user_pref("sweetim.toolbar.searchguard.enable", "");
Emptied folder: C:\Users\Nathan\AppData\Roaming\mozilla\firefox\profiles\hgux3hc8.default\minidumps [62 files]

 

~~~ Chrome

Successfully deleted: [Folder] C:\Users\Nathan\appdata\local\Google\Chrome\User Data\Default\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/18/2013 at 18:47:01.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 18 November 2013 - 10:15 PM


Hello goofyrp

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I close my topics if you have not replied in 5 days; if you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate of Malware Removal University
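Editor's added example (not part of the thread, and not JRT, ComboFix or BleepingComputer code). The JRT log above shows Firefox search prefs that had been pointed at websearch.search-guide.info, while the ComboFix log that follows still lists machine-wide IE values (mDefault_Search_URL, mSearch Page) pointing at start.qone8.com, which is consistent with the poster still seeing the hijack in IE after the cleanup. The same ComboFix log also reports "EnableLUA"= 0 (UAC switched off) and "LoadAppInit_DLLs"=1 (AppInit DLL loading enabled). The script below is a small triage helper that scans lines in those two formats and flags exactly these three things: a search/start-page URL whose host is not on an allowlist, a Firefox search-engine name that is not a known engine, and a weakened registry setting. The allowlists TRUSTED_HOSTS, TRUSTED_ENGINES and WEAK_REG_VALUES are assumptions for the example, and SAMPLE_LINES is constructed (shortened copies of lines from the thread's logs).

```python
"""Triage helper: flag browser search/start-page hijacks and weakened security
settings in Firefox prefs.js lines (as JRT prints them) and ComboFix
'Reg Loading Points' / 'Supplementary Scan' lines.
Added example for this page; it is not JRT, ComboFix or BleepingComputer code."""
import re
from urllib.parse import urlparse

# Assumption: hosts a home page or search engine may legitimately point at.
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}
# Assumption: search engine names that are acceptable in Firefox prefs.
TRUSTED_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo", ""}
# Firefox prefs that decide where searches and the start page go.
SEARCH_PREF_PREFIXES = ("browser.search.", "keyword.URL", "browser.startup.homepage")
# ComboFix keys whose value is a URL (prefix 'u' = per-user, 'm' = machine-wide).
COMBOFIX_URL_KEYS = {"Start Page", "Default_Search_URL", "Default_Page_URL",
                     "Search Page", "SearchAssistant"}
# Assumption: registry values under 'Reg Loading Points' that weaken the box
# when they carry these settings (UAC off, silent admin elevation, AppInit DLLs on).
WEAK_REG_VALUES = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
                   "LoadAppInit_DLLs": "1"}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)\);\s*$')
COMBOFIX_RE = re.compile(r'^([um])([A-Za-z_ ]+?)\s*=\s*(\S.*)$')
REG_RE = re.compile(r'^"([A-Za-z_]+)"\s*=\s*(\d+)')


def host_of(value):
    """Hostname of a URL string; tolerates the 'hxxp' defanging used in logs."""
    v = value.strip().strip('"')
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    if not v.startswith("http"):
        return None          # local file paths, engine names, numbers
    return urlparse(v).hostname


def scan_prefs_line(line):
    """(source, pref, suspect) for a hijacked Firefox search/home pref, else None."""
    m = PREF_RE.match(line.strip())
    if not m or not m.group(1).startswith(SEARCH_PREF_PREFIXES):
        return None
    name, raw = m.group(1), m.group(2).strip().strip('"')
    host = host_of(raw)
    if host is not None:
        suspect = None if host in TRUSTED_HOSTS else host
    else:
        suspect = None if raw in TRUSTED_ENGINES else raw   # engine name
    return None if suspect is None else ("firefox", name, suspect)


def scan_combofix_line(line):
    """(source, key, value) for a hijacked IE URL value or a weakened registry
    setting in ComboFix output, else None."""
    text = line.strip()
    m = COMBOFIX_RE.match(text)
    if m and m.group(2).strip() in COMBOFIX_URL_KEYS:
        host = host_of(m.group(3))
        if host is not None and host not in TRUSTED_HOSTS:
            scope = "ie-user" if m.group(1) == "u" else "ie-machine"
            return (scope, m.group(2).strip(), host)
    m = REG_RE.match(text)
    if m and WEAK_REG_VALUES.get(m.group(1)) == m.group(2):
        return ("registry", m.group(1), m.group(2))
    return None


def scan(lines):
    """Run both scanners over log lines; returns a list of findings."""
    findings = []
    for line in lines:
        found = scan_prefs_line(line) or scan_combofix_line(line)
        if found:
            findings.append(found)
    return findings


# Constructed sample: shortened copies of lines from the JRT and ComboFix logs
# in this thread (tracking parameters trimmed).
SAMPLE_LINES = [
    'user_pref("browser.search.defaulturl", "hxxp://websearch.search-guide.info/?pid=34&l=1&q=");',
    'user_pref("browser.search.selectedEngine,S", "WebSearch");',
    'user_pref("extensions.BabylonToolbar.prtkDS", 0);',
    "uStart Page = https://www.google.com/",
    "mDefault_Search_URL = hxxp://start.qone8.com/web/?type=ds&from=amt&q={searchTerms}",
    "mSearch Page = hxxp://start.qone8.com/web/?type=ds&from=amt&q={searchTerms}",
    "uLocal Page = c:\\windows\\system32\\blank.htm",
    '"EnableLUA"= 0 (0x0)',
    '"LoadAppInit_DLLs"=1 (0x1)',
    '"ConsentPromptBehaviorUser"= 0 (0x0)',
]

if __name__ == "__main__":
    for source, key, value in scan(SAMPLE_LINES):
        print(f"{source:12} {key:32} {value}")
```

Run against the sample it reports the two Firefox prefs, the two machine-wide IE values pointing at start.qone8.com, and the two weakened registry settings; the per-user Google start page, the local blank.htm page and the unrelated Babylon pref are ignored. The machine-wide ("m") IE values are the ones a per-user cleanup tool is most likely to leave behind, so on a box like this one they are the first thing to check after the tools have run.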

#7 goofyrp (Topic Starter)

Posted 19 November 2013 - 02:26 AM

Ran Combofix as asked. I am still seeing the browser hijack in IE and other browsers even after running Combofix.

ComboFix 13-11-18.01 - Nathan 11/18/2013  22:29:52.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8103.7096 [GMT -8:00]
Running from: c:\users\Nathan\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Nathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpB769.tmp
c:\users\Nathan\AppData\Local\Temp\3BE5.tmp
c:\users\Nathan\AppData\Roaming\result.db
c:\windows\SysWow64\FlashPlayerApp.exe
c:\windows\SysWow64\frapsvid.dll
c:\windows\SysWow64\server.log
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-19 to 2013-11-19  )))))))))))))))))))))))))))))))
.
.
2052-06-12 08:29 . 2052-06-12 08:29 4263 --sh--w- c:\windows\windllreg1c.sys
2013-11-19 10:21 . 2013-11-19 02:36 -------- d-----w- C:\AdwCleaner
2013-11-19 06:46 . 2013-11-19 06:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-19 06:45 . 2013-11-19 06:45 -------- d-----w- c:\users\Rick\AppData\Local\temp
2013-11-19 02:38 . 2013-11-19 02:38 -------- d-----w- c:\windows\ERUNT
2013-11-15 05:26 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63E6C831-36A2-40A6-B25D-F80D2B3BAAC3}\mpengine.dll
2013-11-14 12:06 . 2013-11-14 12:07 -------- d-----w- c:\windows\rescache
2013-11-14 11:07 . 2013-10-12 08:43 2648576 ----a-w- c:\windows\system32\iertutil.dll
2013-11-14 03:13 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll
2013-11-14 03:13 . 2013-10-05 19:57 1168384 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-11-14 00:31 . 2013-11-14 00:31 -------- d-----w- c:\program files (x86)\Paint XP
2013-11-13 22:06 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-13 00:30 . 2013-11-13 00:30 -------- d-----w- c:\program files (x86)\7-Zip
2013-11-12 20:19 . 2013-11-12 20:19 40960 ----a-r- c:\users\Nathan\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2013-11-12 20:19 . 2013-11-12 20:19 40960 ----a-r- c:\users\Nathan\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2013-11-12 20:19 . 2013-11-12 20:26 -------- d-----w- c:\program files (x86)\Project64 1.6
2013-11-12 20:18 . 2013-11-12 20:18 -------- d-----w- c:\users\Nathan\AppData\Roaming\0S1F1O2Z0S2Y1H1T
2013-11-11 00:31 . 2013-11-11 00:31 -------- d-----w- c:\program files\Adobe Flash Professional CS6
2013-11-10 21:54 . 2012-10-31 19:54 36824 ----a-w- c:\windows\system32\drivers\vjoy.sys
2013-11-10 21:54 . 2013-11-10 22:00 -------- d-----w- c:\program files\vJoy
2013-11-10 21:54 . 2012-03-20 17:52 11968 ----a-w- c:\windows\system32\drivers\hidkmdf.sys
2013-11-10 21:48 . 2013-11-10 21:48 -------- d-----w- c:\users\Nathan\AppData\Local\Toshiba
2013-11-10 21:48 . 2013-11-10 21:48 -------- d-----w- c:\programdata\TOSHIBA
2013-11-09 04:05 . 2009-06-19 05:42 40832 ----a-w- c:\windows\system32\drivers\TosBtCi.dll
2013-11-09 04:04 . 2013-11-09 04:04 -------- d-----w- c:\program files (x86)\Toshiba
2013-11-08 05:33 . 2013-11-08 05:35 -------- d-----w- c:\users\Nathan\AppData\Roaming\.technic
2013-11-07 02:03 . 2013-10-19 03:11 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EEAD1376-FAE5-488F-A6F7-E78326344CB4}\gapaengine.dll
2013-11-06 05:48 . 2013-11-06 05:48 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2013-11-05 22:38 . 2013-11-05 22:38 -------- d-----w- c:\programdata\easetech
2013-11-05 22:38 . 2013-11-12 23:21 -------- d-----w- c:\program files (x86)\EaseAudioConverter
2013-11-05 14:59 . 2008-09-24 18:41 839680 ----a-w- c:\windows\SysWow64\lameACM.acm
2013-11-05 14:56 . 2013-11-05 14:56 -------- d-----w- c:\programdata\WinterSoft
2013-11-05 14:55 . 2013-11-14 11:28 -------- d-----w- c:\program files (x86)\ss helper
2013-11-05 14:55 . 2013-11-14 11:28 -------- d-----w- c:\programdata\Downaload keeper
2013-11-05 14:55 . 2013-11-12 20:21 -------- d-----w- c:\programdata\63e6cd2baa65d3ff
2013-11-05 14:55 . 2013-11-05 14:55 -------- d-----w- c:\users\Nathan\AppData\Local\Packages
2013-11-05 04:28 . 2013-11-05 04:28 -------- d-----w- c:\program files (x86)\Pegasys Inc
2013-11-04 02:05 . 2013-11-04 02:05 -------- d-----w- c:\programdata\Pivot Animator
2013-11-04 02:04 . 2013-11-04 02:04 -------- d-----w- c:\program files (x86)\Pivot Animator
2013-10-30 22:44 . 2013-10-30 22:44 -------- d-----w- c:\program files (x86)\sp
2013-10-28 23:49 . 2013-10-28 23:49 -------- d-----w- c:\program files\Common Files\VST2
2013-10-28 03:37 . 2009-02-25 01:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2013-10-27 23:58 . 2013-10-27 23:58 73728 ----a-w- c:\windows\system\vdremote.dll
2013-10-27 23:58 . 2013-10-27 23:58 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2013-10-27 23:10 . 2013-11-07 00:46 -------- d-----w- c:\users\Nathan\AppData\Roaming\PSPdisp
2013-10-27 22:21 . 2013-10-27 22:21 -------- d-----w- c:\users\Nathan\New folder
2013-10-27 04:34 . 2013-10-27 04:58 -------- d-----w- c:\users\Nathan\AppData\Roaming\GameMaker-Studio
2013-10-27 04:34 . 2013-10-27 04:34 -------- d-----w- c:\program files\GameMaker-Studio 1.2
2013-10-27 04:23 . 2013-10-27 04:23 -------- d-----w- c:\users\Nathan\GameMaker-Studio 1.1
2013-10-27 04:03 . 2013-10-27 04:03 -------- d-----w- c:\users\Nathan\AppData\Local\Studio
2013-10-27 03:08 . 2013-10-27 03:08 -------- d-----w- c:\users\Nathan\Desltop
2013-10-27 02:46 . 2012-03-25 17:26 115272 ----a-w- c:\windows\system32\drivers\MijXfilt.sys
2013-10-26 22:24 . 2013-09-04 12:12 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-10-26 22:24 . 2013-09-04 12:11 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-10-26 22:24 . 2013-09-04 12:11 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-10-26 22:24 . 2013-09-04 12:11 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-10-26 22:24 . 2013-09-04 12:11 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-10-26 22:24 . 2013-09-04 12:11 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-10-26 22:24 . 2013-09-04 12:11 7808 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-10-26 01:51 . 2013-10-26 01:52 -------- d-----w- c:\program files (x86)\ReadPlease 2003
2013-10-25 02:43 . 2013-10-15 19:41 251664 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2013-10-25 02:42 . 2013-10-15 19:38 126736 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2013-10-25 02:42 . 2013-10-25 02:42 -------- d-----w- c:\program files\Oracle
2013-10-24 22:29 . 2013-11-14 11:28 -------- d-----w- c:\users\Nathan\AppData\Local\Bundled software uninstaller
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-14 11:02 . 2011-12-29 04:55 82896128 ----a-w- c:\windows\system32\MRT.exe
2013-11-10 22:16 . 2012-01-21 21:41 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2013-11-10 22:16 . 2012-01-21 21:41 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2013-11-10 22:16 . 2012-01-21 21:41 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2013-10-20 05:38 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2013-10-20 05:32 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2013-10-20 05:32 . 2011-12-30 02:59 2851840 ----a-w- c:\windows\system32\themeui.dll
2013-10-19 03:11 . 2012-02-11 01:39 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-10-15 19:38 . 2013-10-15 19:38 154896 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2013-10-15 19:38 . 2013-10-15 19:38 140560 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2013-10-15 19:35 . 2013-10-15 19:35 204048 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2013-10-09 12:14 . 2011-12-29 17:49 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-24 03:22 . 2013-09-24 03:22 925184 ----a-w- c:\windows\expstart.exe
2013-09-13 01:36 . 2013-09-13 01:37 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-09-13 01:36 . 2013-09-13 01:37 312744 ----a-w- c:\windows\system32\javaws.exe
2013-09-13 01:36 . 2013-09-13 01:37 189352 ----a-w- c:\windows\system32\javaw.exe
2013-09-13 01:36 . 2013-09-13 01:37 189352 ----a-w- c:\windows\system32\java.exe
2013-09-13 01:36 . 2013-01-28 04:37 1095080 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-09-13 01:36 . 2012-01-02 00:10 973736 ----a-w- c:\windows\system32\deployJava1.dll
2013-09-11 03:22 . 2012-10-02 00:31 868264 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-09-11 03:22 . 2011-12-29 18:35 790440 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-09-11 02:56 . 2013-09-11 02:56 0 ----a-w- c:\windows\SysWow64\RENCFF5.tmp
2013-09-11 02:56 . 2013-09-11 02:56 0 ----a-w- c:\windows\SysWow64\RENCFE4.tmp
2013-09-11 02:56 . 2013-09-11 02:56 0 ----a-w- c:\windows\SysWow64\RENCFE3.tmp
2013-09-08 02:30 . 2013-10-11 22:58 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:27 . 2013-10-11 22:58 327168 ----a-w- c:\windows\system32\mswsock.dll
2013-09-08 02:03 . 2013-10-11 22:58 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2013-09-02 19:36 . 2013-09-02 19:36 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2013-09-02 19:35 . 2013-09-02 19:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2013-08-29 02:17 . 2013-10-11 22:57 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-29 02:16 . 2013-10-11 22:57 1732032 ----a-w- c:\windows\system32\ntdll.dll
2013-08-29 02:16 . 2013-10-11 22:57 243712 ----a-w- c:\windows\system32\wow64.dll
2013-08-29 02:16 . 2013-10-11 22:57 859648 ----a-w- c:\windows\system32\tdh.dll
2013-08-29 02:13 . 2013-10-11 22:57 878080 ----a-w- c:\windows\system32\advapi32.dll
2013-08-29 01:51 . 2013-10-11 22:57 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-11 22:57 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-11 22:57 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-08-29 01:50 . 2013-10-11 22:57 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll
2013-08-29 01:50 . 2013-10-11 22:57 619520 ----a-w- c:\windows\SysWow64\tdh.dll
2013-08-29 01:48 . 2013-10-11 22:57 640512 ----a-w- c:\windows\SysWow64\advapi32.dll
2013-08-29 01:48 . 2013-10-11 22:57 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-08-29 00:49 . 2013-10-11 22:57 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-08-29 00:49 . 2013-10-11 22:57 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-08-29 00:49 . 2013-10-11 22:57 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-08-29 00:49 . 2013-10-11 22:57 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-08-28 01:21 . 2013-10-11 22:57 3155968 ----a-w- c:\windows\system32\win32k.sys
2013-08-28 01:12 . 2013-10-11 22:57 461312 ----a-w- c:\windows\system32\scavengeui.dll
2013-08-22 17:09 . 2013-09-14 01:58 217176 ----a-w- c:\windows\SysWow64\unrar.dll
2013-05-15 03:27 . 2013-05-15 03:26 134470 ----a-w- c:\program files (x86)\Uninstal.exe
2008-06-23 19:41 . 2008-04-29 20:12 17574665 ----a-w- c:\program files (x86)\powerpuffz.exe
2008-02-13 22:32 . 2008-04-29 20:12 1060864 ----a-w- c:\program files (x86)\MFC71.dll
2008-12-21 21:46 351744 --sha-w- c:\windows\SysWOW64\avisynth.dll
2005-07-14 19:31 32256 --sh--w- c:\windows\SysWOW64\AVSredirect.dll
2004-01-25 07:00 70656 --sh--w- c:\windows\SysWOW64\i420vfw.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-02-26 . E38899074D4951D31B4040E994DD7C8D . 2870784 . . [6.1.7600.20910] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe
[7] 2011-02-26 . 0862495E0C825893DB75EF44FAEA8E93 . 2870272 . . [6.1.7600.16768] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe
[7] 2011-02-26 . 3B69712041F3D63605529BD66DC00C48 . 2871808 . . [6.1.7601.21669] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[-] 2011-02-25 . 94A63CB472C37D70B7577AFFFAB8C2AD . 2388992 . . [6.1.7600.16385] .. c:\windows\explorer.exe
[7] 2011-02-25 . 332FEAB1435662FC6C672E25BEB37BE3 . 2871808 . . [6.1.7601.17567] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[7] 2010-11-20 . AC4C51EB24AA95B77F705AB159189E24 . 2872320 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[7] 2009-10-31 . B8EC4BD49CE8F6FC457721BFC210B67F . 2870272 . . [6.1.7600.20563] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[7] 2009-10-31 . 9AAAEC8DAC27AA17B053E6352AD233AE . 2870272 . . [6.1.7600.16450] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[7] 2009-08-03 . 700073016DAC1C3D2E7E2CE4223334B6 . 2868224 . . [6.1.7600.20500] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[7] 2009-08-03 . F170B4A061C9E026437B193B4D571799 . 2868224 . . [6.1.7600.16404] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[7] 2009-07-14 . C235A51CB740E45FFA0EBFB9BAFCDA64 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-10-21 20549280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-09-18 152392]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2011-04-02 80840]
.
c:\users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2013-8-4 0]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2011-5-9 2750376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe;c:\windows\SYSNATIVE\AppleOSSMgr.exe [x]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe;c:\windows\SYSNATIVE\AppleTimeSrv.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys;c:\windows\SYSNATIVE\drivers\KeyAgent.sys [x]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys;c:\windows\SYSNATIVE\drivers\MacHALDriver.sys [x]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys;c:\windows\SYSNATIVE\DRIVERS\AppleBtBc.sys [x]
R3 AppleDisplayFlt;Apple Display Driver;c:\windows\system32\DRIVERS\aaplmonf.sys;c:\windows\SYSNATIVE\DRIVERS\aaplmonf.sys [x]
R3 AppleODD;Apple ODD;c:\windows\system32\DRIVERS\AppleODD.sys;c:\windows\SYSNATIVE\DRIVERS\AppleODD.sys [x]
R3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x]
R3 BTCOM;Bluetooth Serial port driver;c:\windows\system32\DRIVERS\btcomport.sys;c:\windows\SYSNATIVE\DRIVERS\btcomport.sys [x]
R3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys;c:\windows\SYSNATIVE\DRIVERS\CS420x64.sys [x]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 IvtAudioBusSrv;IvtAudioBusSrv;c:\windows\system32\Drivers\IvtBtBus.sys;c:\windows\SYSNATIVE\Drivers\IvtBtBus.sys [x]
R3 IvtComBusSrv;IvtComBusSrv;c:\windows\system32\Drivers\btcombus.sys;c:\windows\SYSNATIVE\Drivers\btcombus.sys [x]
R3 IvtPanBusSrv;IvtPanBusSrv;c:\windows\system32\Drivers\btnetBus.sys;c:\windows\SYSNATIVE\Drivers\btnetBus.sys [x]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys;c:\windows\SYSNATIVE\DRIVERS\KeyMagic.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 prl_dd;Parallels Display Adapter (WDDM);c:\windows\system32\DRIVERS\prl_kmdd.sys;c:\windows\SYSNATIVE\DRIVERS\prl_kmdd.sys [x]
R3 pspdisp;pspdisp;c:\windows\system32\DRIVERS\pspdisp_x64.sys;c:\windows\SYSNATIVE\DRIVERS\pspdisp_x64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys;c:\windows\SYSNATIVE\drivers\WSDScan.sys [x]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys;c:\windows\SYSNATIVE\Drivers\BtHidBus.sys [x]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys;c:\windows\SYSNATIVE\DRIVERS\IRFilter.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
S3 vjoy;vJoy Device;c:\windows\system32\DRIVERS\vjoy.sys;c:\windows\SYSNATIVE\DRIVERS\vjoy.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-14 20:59 1210320 ----a-w- c:\program files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 12:14]
.
2013-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-10-30 22:12]
.
2013-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-10-30 22:12]
.
2013-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3032422492-1220116893-1521701072-1001Core.job
- c:\users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe [2013-10-17 22:12]
.
2013-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3032422492-1220116893-1521701072-1001UA.job
- c:\users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe [2013-10-17 22:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 1356240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-11 171064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-11 399416]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-11 441912]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2013-01-17 743776]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mDefault_Search_URL = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://start.qone8.com/web/?type=ds&ts=1383622684&from=amt&uid=HitachiXHTS547550A9E384_J2250050HPAU3DHPAU3DX&q={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
Trusted Zone: vizzed.com\www
TCP: Interfaces\{32FD004A-2FB4-4959-BC4B-42AA97275649}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{3E1FC29A-6BFA-40CC-B560-2FA559DD28E2}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{5A986ACE-93BF-4A41-BD71-E342CA9F1F51}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{63D9E44D-D1EC-4CCA-9F58-ED3C75F26C15}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{6E8A8662-4D08-48C4-8018-E73C11A3C377}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{88F02973-95C5-4166-B70E-13AF4C90D2C4}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{D437C980-F188-4A3F-9C1B-7479C13DCDAE}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\hgux3hc8.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-ROC_roc_ssl_v12 - c:\program files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe
Wow6432Node-HKLM-Run-D3DOverrider - c:\users\Nathan\Desktop\D3DOverrider\D3DOverrider\D3DOverriderWrapper.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ w"*]
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ð;*]
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-11-18  22:50:06
ComboFix-quarantined-files.txt  2013-11-19 06:50
.
Pre-Run: 4,254,687,232 bytes free
Post-Run: 32,636,620,800 bytes free
.
- - End Of File - - F4FCFD442CF15351562F9EC5F578115D
A36C5E4F47E84449FF07ED3517B43A31
 



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 November 2013 - 02:54 AM

Hello

Please download this and let me know if it worked - http://www.bleepingcomputer.com/download/shortcut-cleaner/


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 goofyrp

goofyrp
  • Topic Starter

  • Members
  • 89 posts

Posted 19 November 2013 - 10:42 AM

No shortcuts found.  Default webpage still Qone8 in IE, Firefox and Chrome.

 

Shortcut Cleaner 1.2.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows 7 Home Premium Service Pack 1
Program started at: 11/19/2013 03:39:59 PM.

Scanning for registry hijacks:

 * No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\Nathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

Searching C:\Users\Public\Desktop\

Searching C:\Users\Nathan\Desktop

0 bad shortcuts found.

Program finished at: 11/19/2013 03:40:13 PM
Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 November 2013 - 08:17 PM

Hello

I want you to right click on one of the shortcuts for one of the browsers, then click on Properties and look at the Target and see if Qone8 is part of it. If it is, then remove it and close the menu.

Gringo
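The shortcut check gringo asks for can be done for every browser shortcut at once. The script below is an added example, not part of this thread and not Shortcut Cleaner's own code; it assumes the same folders Shortcut Cleaner walked in the log above, that the browsers are iexplore.exe, firefox.exe and chrome.exe, and that a clean browser shortcut carries no URL in its arguments.

```powershell
# Added example: report browser .lnk files whose arguments carry a URL,
# which is how a hijacker like Qone8 overrides the browser's home page
# even after the home page setting itself has been reset to Google.
$shell = New-Object -ComObject WScript.Shell

# Folders Shortcut Cleaner searched in the log above (assumed set).
$folders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('Desktop')
)

# Browser executables mentioned in the thread (assumed list).
$browsers = 'iexplore.exe', 'firefox.exe', 'chrome.exe'

Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if ($browsers -notcontains $exe) { return }   # not a browser shortcut

        # A normal browser shortcut has empty Arguments. Anything that looks
        # like a URL (or names qone8) is the tampered Target to look for.
        if ($lnk.Arguments -match 'https?://|qone8') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Run it in a normal PowerShell window as the affected user; "remove it" in gringo's instructions amounts to clearing the Arguments field of each shortcut it lists (in script form, `$lnk.Arguments = ''` followed by `$lnk.Save()`).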

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 November 2013 - 01:09 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#12 goofyrp

goofyrp
  • Topic Starter

  • Members
  • 89 posts

Posted 22 November 2013 - 12:36 PM

My apologies.  Work's been a little crazy as of late.  I will do this tonight.



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 November 2013 - 02:45 PM

I will be looking for you

gringo

#14 goofyrp

goofyrp
  • Topic Starter

  • Members
  • 89 posts

Posted 23 November 2013 - 05:39 PM

The browsers are still linking to the qone8.com website as the default page even though the default web page is google.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 November 2013 - 08:31 PM

Did you check the properties of the shortcuts?


gringo



