Browser Opening Multiple Windows. Unsure why. Suspect Virus of some kind


  • This topic is locked
11 replies to this topic

#1 wild.fire.darkness
  • Members
  • 19 posts

Posted 07 February 2014 - 04:49 PM

When I open Firefox, it opens my browser, plus an additional 3 Firefox windows. The other 3 are all to the same webpage, and it is a webpage I go to on occasion. When I close the windows, they open again. I have now tried this with Google Chrome, and the same thing happens, only with a different webpage that I also visit. A Spybot scan showed browsefox, and it took some work to get it removed, but I think I got it; the windows keep coming back up, though. No system settings show a request for this, and even if they did, they would not come right back up after closing them.

 

Opening the task manager and ending the process tree will help for a little bit, but then it happens again. I have also uninstalled firefox and re-installed it.

 

Here is the dds log

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16750  BrowserJavaVersion: 10.9.2
Run by Phoenix at 15:35:33 on 2014-02-07
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.1745 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=US&userid=2e3d40a1-d9f7-2da9-cf4d-dbcf2785cdc4&searchtype=hp&installDate=06/11/2013
uSearch Bar = hxxp://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=US&userid=2e3d40a1-d9f7-2da9-cf4d-dbcf2785cdc4&searchtype=ds&q={searchTerms}&installDate=06/11/2013
uSearch Page = hxxp://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=US&userid=2e3d40a1-d9f7-2da9-cf4d-dbcf2785cdc4&searchtype=ds&q={searchTerms}&installDate=06/11/2013
uDefault_Page_URL = hxxp://emachines.msn.com
uSearchAssistant = hxxp://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=US&userid=2e3d40a1-d9f7-2da9-cf4d-dbcf2785cdc4&searchtype=ds&q={searchTerms}&installDate=06/11/2013
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: LinkSwift: {323420b6-65e5-4657-8106-a27392d4d4aa} - C:\Program Files (x86)\LinkSwift\LinkSwiftbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: ArcPluginIEBHO Class: {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} - C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\ArcPluginIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Google Update] "C:\Users\Phoenix\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Overwolf] C:\Program Files (x86)\Overwolf\Overwolf.exe -silent
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Phoenix\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Windows\System32\RunDll32.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0E2DDD56-9260-416B-9C5A-EDCDBAFB73A3} : NameServer = 68.29.65.7 68.29.73.7
TCP: Interfaces\{D6990049-7FC7-4450-8F68-30193E93CAA4} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Phoenix\AppData\Roaming\Mozilla\Firefox\Profiles\vwji8hwv.default\
FF - prefs.js: browser.startup.homepage - hxxps://fetlife.com/home/v4#everything
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\npArcPluginFF.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Phoenix\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: C:\Users\Phoenix\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_43.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R2 GREGService;GREGService;C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [2011-5-29 36456]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2013-6-5 1153368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-13 291328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 ArcService;Arc Service;C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [2014-1-21 88400]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\System32\GameMon.des -service --> C:\Windows\System32\GameMon.des -service [?]
S3 OverwolfUpdaterService;Overwolf Updater Service;C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe --> C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-4 1255736]
S4 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S4 Live Updater Service;Live Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2011-7-13 244624]
S4 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
S4 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-9-26 2754984]
S4 Update LinkSwift;Update LinkSwift;C:\Program Files (x86)\LinkSwift\updateLinkSwift.exe [2013-11-2 65312]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-02-05 00:16:34 93808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2014-02-05 00:16:34 91552 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
2014-02-05 00:16:34 91552 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
2014-02-05 00:16:34 28272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2014-02-05 00:16:34 272496 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2014-02-05 00:16:34 184248 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2014-02-05 00:16:34 170960 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2014-01-31 20:51:31 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7BF601F9-196C-4314-A108-4AB77C691B0F}\mpengine.dll
2014-01-28 23:07:39 -------- d-----w- C:\Program Files (x86)\TERA
2014-01-28 23:07:38 -------- d-----w- C:\Users\Phoenix\AppData\Local\TERA
2014-01-28 06:28:34 -------- d-----w- C:\Windows\screenshots
2014-01-28 06:28:34 -------- d-----w- C:\Windows\RoleSettings
2014-01-28 06:28:34 -------- d-----w- C:\Windows\cache
2014-01-27 22:55:25 -------- d-----w- C:\Users\Phoenix\AppData\Local\{FBCC60A8-64AB-4BB9-AA9C-BE5A49F45094}
2014-01-27 09:23:18 -------- d-----w- C:\Program Files (x86)\TeamSpeak 3 Client
2014-01-09 02:22:22 -------- d-----w- C:\Users\Phoenix\AppData\Roaming\Arc
.
==================== Find3M  ====================
.
2014-01-25 23:42:54 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-25 23:42:54 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-12-23 11:50:20 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-12-18 12:13:56 270496 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-12 02:23:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-11-12 02:07:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH: 15:36:04.18 ===============
 
 
The "attach" file is attached
 
Thank you for your help. I really appreciate it.
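A read-only PowerShell audit of the settings the DDS Pseudo HJT Report above lists (the IE start/search-page values and the Browser Helper Object registrations), added here as an illustration; it is not part of the original post or of any tool used in this thread, and the marker strings snapdo.com and LinkSwift are assumptions taken from that log.

```powershell
# Added example, not from the thread or from DDS/AdwCleaner/JRT/FRST: a read-only audit of
# the IE start/search-page registry values and the Browser Helper Object (BHO) registrations
# that the DDS "Pseudo HJT Report" above shows pointing at feed.snapdo.com and LinkSwift.
# It only reads and reports; nothing is modified. Run in an elevated PowerShell session.

# Assumed markers, taken from the DDS log on this page. Adjust for your own case.
$HijackMarkers = @('snapdo.com', 'LinkSwift')

# Values a browser hijacker typically rewrites; these are the ones the JRT log in this thread
# later reports as "Successfully repaired".
$PageValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Names = @('Start Page', 'Search Bar', 'Search Page', 'Default_Page_URL') },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main';      Names = @('Start Page', 'Search Page', 'Default_Page_URL') },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Search';    Names = @('Default_Search_URL', 'SearchAssistant') },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Names = @('(default)') },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\SearchURL'; Names = @('(default)') }
)

function Test-Marker {
    # True when $Text contains any of the assumed hijacker markers (case-insensitive).
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($m in $HijackMarkers) {
        if ($Text.IndexOf($m, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-BrowserPageSettings {
    # Reports each start/search value that exists, with a Suspicious flag.
    foreach ($entry in $PageValues) {
        if (-not (Test-Path -Path $entry.Path)) { continue }
        $props = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
        foreach ($name in $entry.Names) {
            $value = $props.$name
            if ($null -eq $value) { continue }
            [pscustomobject]@{
                Location   = "$($entry.Path)\$name"
                Value      = [string]$value
                Suspicious = Test-Marker ([string]$value)
            }
        }
    }
}

function Get-BrowserHelperObjects {
    # Lists every registered BHO (64-bit and 32-bit views) and resolves its CLSID to the DLL
    # that IE loads. A BHO is flagged when its DLL matches a marker or is missing on disk,
    # which is how a registration left behind after its DLL was deleted shows up.
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -Path $view.Bho)) { continue }
        foreach ($sub in Get-ChildItem -Path $view.Bho) {
            $clsid  = $sub.PSChildName
            $server = Get-ItemProperty -Path "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = ''
            if ($server) {
                $dll = [System.Environment]::ExpandEnvironmentVariables(([string]$server.'(default)').Trim('"'))
            }
            $onDisk = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
            [pscustomobject]@{
                View       = if ($view.Clsid -like '*Wow6432Node*') { 'x86' } else { 'x64' }
                CLSID      = $clsid
                Dll        = $dll
                Suspicious = (Test-Marker $dll) -or (-not $onDisk)
            }
        }
    }
}

Get-BrowserPageSettings  | Format-Table -AutoSize -Wrap
Get-BrowserHelperObjects | Format-Table -AutoSize -Wrap
```

Rows with Suspicious set to True are the ones to compare against a tool log like the AdwCleaner and JRT output later in this thread; the script itself removes nothing.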



#2 nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 February 2014 - 11:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Download correct version for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

#3 wild.fire.darkness

  • Topic Starter

  • Members
  • 19 posts

Posted 11 February 2014 - 01:48 PM

Hello Nasdaq, I do want to take a brief moment to say that I truly and totally appreciate your help. Because I know your time is valuable I will try and stick to responding exactly as you have requested. I just don't want you to think I am ungrateful, when I really am very grateful for the help.  

 

All instructions completed. 

 

AdwCleaner Log:

 

# AdwCleaner v3.018 - Report created 11/02/2014 at 12:24:44

# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Phoenix - E-MACHINE
# Running from : C:\Users\Phoenix\Downloads\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Program Files (x86)\LinkSwift
Folder Deleted : C:\Users\Phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SnapDo_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SnapDo_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{323420B6-65E5-4657-8106-A27392D4D4AA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323420B6-65E5-4657-8106-A27392D4D4AA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{323420B6-65E5-4657-8106-A27392D4D4AA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{323420B6-65E5-4657-8106-A27392D4D4AA}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKCU\Software\LinkSwift
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKLM\Software\LinkSwift
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LinkSwift
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Mozilla Firefox v27.0 (en-US)
 
[ File : C:\Users\Phoenix\AppData\Roaming\Mozilla\Firefox\Profiles\vwji8hwv.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Phoenix\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2672 octets] - [11/02/2014 12:17:15]
AdwCleaner[R1].txt - [2732 octets] - [11/02/2014 12:22:23]
AdwCleaner[S0].txt - [2503 octets] - [11/02/2014 12:24:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2563 octets] ##########
 
 
 
 
JRT text:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Windows 7 Home Premium x64
Ran by Phoenix on Tue 02/11/2014 at 12:31:29.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
Successfully stopped: [Service] update linkswift 
Successfully deleted: [Service] update linkswift 
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-17097986-3119282332-1496160801-1000\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\Default_Search_URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\searchURL\\Default
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npmozcouponprinter.dll"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\big fish games"
Successfully deleted: [Folder] "C:\Users\Phoenix\appdata\locallow\mefeediatest"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
Successfully deleted: [Folder] "C:\Program Files (x86)\mefeediatest"
Successfully deleted: [Empty Folder] C:\Users\Phoenix\appdata\local\{35C26CEC-E5EB-4C2C-8937-49BED16D6524}
Successfully deleted: [Empty Folder] C:\Users\Phoenix\appdata\local\{54F0CAC2-1779-4086-989A-95A31C917461}
Successfully deleted: [Empty Folder] C:\Users\Phoenix\appdata\local\{BAB9CB45-85D6-48BF-B7E4-44CA1CF847C2}
Successfully deleted: [Empty Folder] C:\Users\Phoenix\appdata\local\{FBCC60A8-64AB-4BB9-AA9C-BE5A49F45094}
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Users\Phoenix\appdata\local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/11/2014 at 12:36:38.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
FRST.txt
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-02-2014 01
Ran by Phoenix (administrator) on E-MACHINE on 11-02-2014 12:39:50
Running from C:\Users\Phoenix\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler64.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) c:\program files\windows defender\MpCmdRun.exe
(Farbar) C:\Users\Phoenix\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060320 2010-02-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-06] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-06] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [Google Update] - C:\Users\Phoenix\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-23] (Google Inc.)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [20203904 2013-12-06] (Google)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [Overwolf] - C:\Program Files (x86)\Overwolf\Overwolf.exe -silent
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\MountPoints2: {aa77e903-b9e3-11e2-9058-c89cdcb0cc9a} - E:\LiteAuto.exe
Startup: C:\Users\Phoenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk -> C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://emachines.msn.com
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class - {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} - C:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\ArcPluginIE.dll (Perfect World Entertainment Inc)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0E2DDD56-9260-416B-9C5A-EDCDBAFB73A3}: [NameServer]68.29.65.7 68.29.73.7
 
FireFox:
========
FF ProfilePath: C:\Users\Phoenix\AppData\Roaming\Mozilla\Firefox\Profiles\vwji8hwv.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_43.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.9.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.9.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin - C:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @leeuu.com/npgboxruner;version= - C:\Users\Phoenix\AppData\Roaming\gbox\npgboxruner.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Phoenix\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: thehappycloud.com/HappyCloudPlugin - C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll (The Happy Cloud)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2014-02-04]
 
Chrome: 
=======
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR DefaultNewTabURL: 
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\32.0.1700.107\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\32.0.1700.107\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\32.0.1700.107\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Unity Player) - C:\Users\Phoenix\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (Google Drive) - C:\Users\Phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-06]
CHR Extension: (Google Wallet) - C:\Users\Phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-15]
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Phoenix\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-12-20]
CHR HKLM-x32\...\Chrome\Extension: [odpccdgkmiicgocepijnaeihjnjnomca] - C:\Program Files (x86)\LinkSwift\odpccdgkmiicgocepijnaeihjnjnomca.crx [2013-12-20]
CHR StartMenuInternet: Google Chrome - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
S3 ArcService; C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-01-21] (Perfect World Entertainment Inc)
R2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [36456 2011-05-29] (Acer Incorporated)
S4 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-04-22] (Acer Incorporated)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4784312 2013-04-23] (INCA Internet Co., Ltd.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S3 OverwolfUpdaterService; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-02-11 12:39 - 2014-02-11 12:40 - 00012545 _____ () C:\Users\Phoenix\Downloads\FRST.txt
2014-02-11 12:39 - 2014-02-11 12:39 - 02151424 _____ (Farbar) C:\Users\Phoenix\Downloads\FRST64.exe
2014-02-11 12:39 - 2014-02-11 12:39 - 02151424 _____ (Farbar) C:\Users\Phoenix\Downloads\FRST64 (1).exe
2014-02-11 12:39 - 2014-02-11 12:39 - 00000000 ____D () C:\FRST
2014-02-11 12:36 - 2014-02-11 12:36 - 00003242 _____ () C:\Users\Phoenix\Desktop\JRT.txt
2014-02-11 12:31 - 2014-02-11 12:31 - 00000000 ____D () C:\Windows\ERUNT
2014-02-11 12:30 - 2014-02-11 12:30 - 01037530 _____ (Thisisu) C:\Users\Phoenix\Downloads\JRT.exe
2014-02-11 12:30 - 2014-02-11 12:30 - 00002647 _____ () C:\Users\Phoenix\Desktop\AdwCleaner[S0].txt
2014-02-11 12:15 - 2014-02-11 12:24 - 00000000 ____D () C:\AdwCleaner
2014-02-11 12:14 - 2014-02-11 12:15 - 01166132 _____ () C:\Users\Phoenix\Downloads\adwcleaner.exe
2014-02-10 14:10 - 2014-02-10 14:10 - 00001792 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iTunes
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iPod
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-10 13:51 - 2014-02-10 13:51 - 00013259 _____ () C:\Users\Phoenix\Desktop\Phoenix Chores.ods
2014-02-10 13:44 - 2014-02-10 13:46 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\TS3Client
2014-02-07 21:13 - 2014-02-07 21:13 - 00003718 _____ () C:\Windows\System32\Tasks\{9351EF46-5167-4D44-B712-F581B605F0BE}
2014-02-07 21:13 - 2014-02-07 21:13 - 00000000 ____D () C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2014-02-07 15:36 - 2014-02-07 15:37 - 00013072 _____ () C:\Users\Phoenix\Desktop\dds.txt
2014-02-07 15:36 - 2014-02-07 15:37 - 00005736 _____ () C:\Users\Phoenix\Desktop\attach.txt
2014-02-07 15:34 - 2014-02-07 15:34 - 00688992 ____R (Swearware) C:\Users\Phoenix\Downloads\dds.com
2014-02-06 15:08 - 2014-02-06 15:09 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Mozilla
2014-02-06 15:08 - 2014-02-06 15:08 - 00282960 _____ (Mozilla) C:\Users\Phoenix\Downloads\Firefox Setup Stub 27.0.exe
2014-02-06 15:08 - 2014-02-06 15:08 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-04 18:16 - 2014-02-06 15:08 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-04 03:09 - 2014-02-04 03:09 - 00029960 _____ () C:\Users\Phoenix\Downloads\Unamused.jpeg
2014-01-28 17:07 - 2014-01-28 20:09 - 00000000 ____D () C:\Program Files (x86)\TERA
2014-01-28 17:07 - 2014-01-28 17:08 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\TERA
2014-01-28 17:07 - 2014-01-28 17:07 - 00001666 _____ () C:\Users\Public\Desktop\TERA-Launcher.lnk
2014-01-28 05:03 - 2014-01-28 05:03 - 29265824 _____ (En Masse Entertainment) C:\Users\Phoenix\Downloads\TERA-Setup.exe
2014-01-28 05:00 - 2014-01-28 05:00 - 10458976 _____ () C:\Users\Phoenix\Downloads\TERA-Setup-HC.exe
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\screenshots
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\RoleSettings
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\cache
2014-01-27 03:24 - 2014-01-27 03:24 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Overwolf
2014-01-27 03:23 - 2014-01-27 03:23 - 00001171 _____ () C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
2014-01-27 03:23 - 2014-01-27 03:23 - 00000000 ____D () C:\Program Files (x86)\TeamSpeak 3 Client
2014-01-27 03:18 - 2014-01-27 03:19 - 30095736 _____ (TeamSpeak Systems GmbH) C:\Users\Phoenix\Downloads\TeamSpeak3-Client-win32-3.0.13.1.exe
 
==================== One Month Modified Files and Folders =======
 
2014-02-11 12:40 - 2014-02-11 12:39 - 00012545 _____ () C:\Users\Phoenix\Downloads\FRST.txt
2014-02-11 12:39 - 2014-02-11 12:39 - 02151424 _____ (Farbar) C:\Users\Phoenix\Downloads\FRST64.exe
2014-02-11 12:39 - 2014-02-11 12:39 - 02151424 _____ (Farbar) C:\Users\Phoenix\Downloads\FRST64 (1).exe
2014-02-11 12:39 - 2014-02-11 12:39 - 00000000 ____D () C:\FRST
2014-02-11 12:37 - 2009-07-13 22:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-11 12:37 - 2009-07-13 22:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-11 12:36 - 2014-02-11 12:36 - 00003242 _____ () C:\Users\Phoenix\Desktop\JRT.txt
2014-02-11 12:31 - 2014-02-11 12:31 - 00000000 ____D () C:\Windows\ERUNT
2014-02-11 12:30 - 2014-02-11 12:30 - 01037530 _____ (Thisisu) C:\Users\Phoenix\Downloads\JRT.exe
2014-02-11 12:30 - 2014-02-11 12:30 - 00002647 _____ () C:\Users\Phoenix\Desktop\AdwCleaner[S0].txt
2014-02-11 12:30 - 2009-07-13 23:13 - 00726316 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-11 12:29 - 2011-11-17 22:08 - 02006187 _____ () C:\Windows\WindowsUpdate.log
2014-02-11 12:26 - 2013-12-20 18:58 - 00000000 ___RD () C:\Users\Phoenix\Google Drive
2014-02-11 12:26 - 2013-12-20 18:56 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-11 12:25 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-11 12:25 - 2009-07-13 22:51 - 00118989 _____ () C:\Windows\setupact.log
2014-02-11 12:24 - 2014-02-11 12:15 - 00000000 ____D () C:\AdwCleaner
2014-02-11 12:15 - 2014-02-11 12:14 - 01166132 _____ () C:\Users\Phoenix\Downloads\adwcleaner.exe
2014-02-11 12:10 - 2013-12-20 18:56 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-11 11:51 - 2012-07-23 01:03 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-17097986-3119282332-1496160801-1000UA.job
2014-02-11 11:48 - 2012-07-22 13:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-10 20:51 - 2012-07-23 01:03 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-17097986-3119282332-1496160801-1000Core.job
2014-02-10 14:10 - 2014-02-10 14:10 - 00001792 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iTunes
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iPod
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-10 14:08 - 2013-12-20 05:33 - 00000000 ____D () C:\ProgramData\Apple
2014-02-10 13:51 - 2014-02-10 13:51 - 00013259 _____ () C:\Users\Phoenix\Desktop\Phoenix Chores.ods
2014-02-10 13:46 - 2014-02-10 13:44 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\TS3Client
2014-02-08 22:52 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-08 22:45 - 2013-11-27 22:57 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\TERA-Diagnostic
2014-02-07 21:13 - 2014-02-07 21:13 - 00003718 _____ () C:\Windows\System32\Tasks\{9351EF46-5167-4D44-B712-F581B605F0BE}
2014-02-07 21:13 - 2014-02-07 21:13 - 00000000 ____D () C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2014-02-07 15:37 - 2014-02-07 15:36 - 00013072 _____ () C:\Users\Phoenix\Desktop\dds.txt
2014-02-07 15:37 - 2014-02-07 15:36 - 00005736 _____ () C:\Users\Phoenix\Desktop\attach.txt
2014-02-07 15:34 - 2014-02-07 15:34 - 00688992 ____R (Swearware) C:\Users\Phoenix\Downloads\dds.com
2014-02-07 11:58 - 2010-11-20 21:47 - 00846604 _____ () C:\Windows\PFRO.log
2014-02-06 15:09 - 2014-02-06 15:08 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Mozilla
2014-02-06 15:08 - 2014-02-06 15:08 - 00282960 _____ (Mozilla) C:\Users\Phoenix\Downloads\Firefox Setup Stub 27.0.exe
2014-02-06 15:08 - 2014-02-06 15:08 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-06 15:08 - 2014-02-04 18:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-06 15:07 - 2013-02-10 01:16 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\BitTorrent
2014-02-05 23:54 - 2013-12-27 23:09 - 00000000 ____D () C:\Program Files (x86)\Perfect World Entertainment
2014-02-05 23:18 - 2013-11-27 17:54 - 00000000 ____D () C:\ProgramData\HappyCloud
2014-02-04 03:09 - 2014-02-04 03:09 - 00029960 _____ () C:\Users\Phoenix\Downloads\Unamused.jpeg
2014-01-28 20:09 - 2014-01-28 17:07 - 00000000 ____D () C:\Program Files (x86)\TERA
2014-01-28 17:08 - 2014-01-28 17:07 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\TERA
2014-01-28 17:07 - 2014-01-28 17:07 - 00001666 _____ () C:\Users\Public\Desktop\TERA-Launcher.lnk
2014-01-28 16:42 - 2012-08-04 18:17 - 00000000 ____D () C:\Perfect World Entertainment
2014-01-28 16:39 - 2013-11-02 12:04 - 00000000 ____D () C:\Games
2014-01-28 05:03 - 2014-01-28 05:03 - 29265824 _____ (En Masse Entertainment) C:\Users\Phoenix\Downloads\TERA-Setup.exe
2014-01-28 05:00 - 2014-01-28 05:00 - 10458976 _____ () C:\Users\Phoenix\Downloads\TERA-Setup-HC.exe
2014-01-28 00:40 - 2012-07-24 21:27 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\Overwolf
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\screenshots
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\RoleSettings
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\cache
2014-01-27 03:24 - 2014-01-27 03:24 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Overwolf
2014-01-27 03:23 - 2014-01-27 03:23 - 00001171 _____ () C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
2014-01-27 03:23 - 2014-01-27 03:23 - 00000000 ____D () C:\Program Files (x86)\TeamSpeak 3 Client
2014-01-27 03:19 - 2014-01-27 03:18 - 30095736 _____ (TeamSpeak Systems GmbH) C:\Users\Phoenix\Downloads\TeamSpeak3-Client-win32-3.0.13.1.exe
2014-01-25 17:43 - 2012-08-12 23:10 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\Adobe
2014-01-25 17:42 - 2012-07-22 13:04 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-25 17:42 - 2012-07-02 23:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-25 17:42 - 2011-07-13 14:54 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-12 07:32 - 2012-07-22 14:01 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\CrashDumps
 
Some content of TEMP:
====================
C:\Users\Phoenix\AppData\Local\Temp\hcuninstaller_20140205_231827_3772.exe
C:\Users\Phoenix\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-08 23:12
 
==================== End Of Log ============================
 
 
"attach" attached. 
 
 
Thank you.
 

 




#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:54 AM

Posted 12 February 2014 - 08:20 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKLM-x32\...\Run: [] - [X]
FF Plugin HKCU: @leeuu.com/npgboxruner;version= - C:\Users\Phoenix\AppData\Roaming\gbox\npgboxruner.dll No File
CHR DefaultSearchKeyword: search.snapdo.com
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Google Update) - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR HKLM-x32\...\Chrome\Extension: [odpccdgkmiicgocepijnaeihjnjnomca] - C:\Program Files (x86)\LinkSwift\odpccdgkmiicgocepijnaeihjnjnomca.crx [2013-12-20]
C:\Program Files (x86)\LinkSwift

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once, then wait.
The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please let me know what problem persists.
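One way to draft a fixlist of the shape shown above from an FRST log, as an added example that is not part of this thread and not FRST's own code: a Python script that scans FRST-style log lines, flags the kinds of entries a helper typically removes (plugins or extensions whose file is gone, a registry Run entry with no target, a non-default Chrome search keyword, a browser extension nobody has vetted) and writes them between the start/end markers. The sample lines are copied from the log in this thread; the review rules, the list of known search keywords and the vetted extension id are assumptions made for the example. What it produces is a draft for the analyst to check, not something to run unread.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines and draft a fixlist.txt.

Added example for the thread above; not FRST's own code.  The review rules,
KNOWN_SEARCH_KEYWORDS and KNOWN_GOOD_EXTENSIONS are assumptions for the example.
"""
import re

# Constructed sample: lines in the shape of the FRST log posted in the thread.
SAMPLE_FRST = """\
HKLM-x32\\...\\Run: [] - [X]
HKLM-x32\\...\\Run: [iTunesHelper] - C:\\Program Files (x86)\\iTunes\\iTunesHelper.exe [152392 2014-02-06] (Apple Inc.)
FF Plugin HKCU: @leeuu.com/npgboxruner;version= - C:\\Users\\Phoenix\\AppData\\Roaming\\gbox\\npgboxruner.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\\Program Files (x86)\\VideoLAN\\VLC\\npvlc.dll (VideoLAN)
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR Plugin: (Google Update) - C:\\Users\\Phoenix\\AppData\\Local\\Google\\Update\\1.3.21.111\\npGoogleUpdate3.dll No File
CHR HKLM-x32\\...\\Chrome\\Extension: [odpccdgkmiicgocepijnaeihjnjnomca] - C:\\Program Files (x86)\\LinkSwift\\odpccdgkmiicgocepijnaeihjnjnomca.crx [2013-12-20]
CHR Extension: (Google Drive) - C:\\Users\\Phoenix\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf [2014-02-06]
"""

# Search keywords a stock Chrome install uses (assumption; adjust per locale).
KNOWN_SEARCH_KEYWORDS = {"google.com", "bing.com", "yahoo.com"}

# Extension ids the analyst has already vetted (assumption; Google Drive here).
KNOWN_GOOD_EXTENSIONS = {"apdfllckaahabafndbhieahigkjlhalf"}

# Registry-registered Chrome extensions: 32-character ids drawn from a-p.
EXT_RE = re.compile(r"\\Chrome\\Extension: \[([a-p]{32})\]")


def triage(log_text):
    """Scan FRST log lines; return (findings, fixlist_lines).

    findings is a list of (category, line); fixlist_lines are the lines,
    copied verbatim, that would go into the fixlist for FRST to act on.
    """
    findings = []
    fix = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" No File"):
            # Plugin/extension registration whose file no longer exists.
            findings.append(("missing-target", line))
            fix.append(line)
        elif line.endswith("[X]") and "\\Run: [" in line:
            # Autostart entry with an empty name and no resolvable target.
            findings.append(("empty-run-entry", line))
            fix.append(line)
        elif line.startswith("CHR DefaultSearchKeyword:"):
            keyword = line.split(":", 1)[1].strip()
            if keyword and not any(keyword.endswith(k) for k in KNOWN_SEARCH_KEYWORDS):
                findings.append(("search-hijack", line))
                fix.append(line)
        else:
            match = EXT_RE.search(line)
            if match and match.group(1) not in KNOWN_GOOD_EXTENSIONS:
                findings.append(("unvetted-extension", line))
                fix.append(line)
    return findings, fix


def render_fixlist(fix_lines):
    """Wrap the selected lines in the start/end markers FRST expects."""
    return "start\n" + "\n".join(fix_lines) + "\nend\n"


if __name__ == "__main__":
    found, fix_lines = triage(SAMPLE_FRST)
    for category, line in found:
        print(f"{category:18s} {line}")
    print()
    print(render_fixlist(fix_lines))
```

Lines the script does not recognise (signed vendor binaries, the Google Drive extension already on the vetted list) are left out of the draft; the analyst adds folder paths such as the LinkSwift directory by hand, as the helper did above.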

#5 wild.fire.darkness

wild.fire.darkness
  • Topic Starter

  • Members
  • 19 posts
  • Local time:01:54 AM

Posted 14 February 2014 - 02:05 PM

Sorry for the delay; we did our holiday a day early.

I don't know that the fixlist.txt worked. It had some issues.

checkup.txt contents:

 

 Results of screen317's Security Check version 0.99.79  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 Java™ 6 Update 33  
 Java 7 Update 9  
 Java version out of Date! 
  Adobe Flash Player 12.0.0.43 Flash Player out of Date!  
 Adobe Reader 10.1.4 Adobe Reader out of Date!  
 Mozilla Firefox (27.0) 
 Google Chrome 32.0.1700.102  
 Google Chrome 32.0.1700.107  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:54 AM

Posted 15 February 2014 - 09:14 AM

Save the file as fixlist.txt into the same folder as FRST.

Did you save the fixlist.txt file in the same folder as FRST?

Run FRST normally and I will check the log.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
The latest version, Java JRE 7u51, was released on Oct. 15, 2013.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 6 Update 33
Java 7 Update 9


===

Flash 11.9.900.170 was released Dec 10, 2013.

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Summary: Adobe has released security updates for Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.327 and earlier versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Flash test site:
http://www.adobe.com/software/flash/about/

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

===
Adobe is planning to release security updates on Tuesday, January 14, 2014 for Adobe Reader and Acrobat XI (11.0.05) and earlier versions for Windows and Macintosh.


Adobe Reader/Acrobat v11.0.05 was released Oct 8, 2013

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box at the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Please let me know if the problem persists.

#7 wild.fire.darkness

wild.fire.darkness
  • Topic Starter

  • Members
  • 19 posts
  • Local time:01:54 AM

Posted 15 February 2014 - 05:26 PM

Yes, I saved it to the same folder, and I checked it over and over, but every time I tried to fix it, it said the log was not there. I triple-checked the location and the Notepad name, but it was the same each time.

I also notice that although I have reset my homepage on Google Chrome, it has been reset again to snapdoo or something like that.

The new FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-02-2014 01
Ran by Phoenix (administrator) on E-MACHINE on 15-02-2014 16:15:09
Running from C:\Users\Phoenix\Desktop\Fixing computer
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060320 2010-02-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-06] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-06] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [Google Update] - C:\Users\Phoenix\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-23] (Google Inc.)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [20203904 2013-12-06] (Google)
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\Run: [Overwolf] - C:\Program Files (x86)\Overwolf\Overwolf.exe -silent
HKU\S-1-5-21-17097986-3119282332-1496160801-1000\...\MountPoints2: {aa77e903-b9e3-11e2-9058-c89cdcb0cc9a} - E:\LiteAuto.exe
Startup: C:\Users\Phoenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk -> C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://emachines.msn.com
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class - {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} - C:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\ArcPluginIE.dll (Perfect World Entertainment Inc)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0E2DDD56-9260-416B-9C5A-EDCDBAFB73A3}: [NameServer]68.29.65.7 68.29.73.7
 
FireFox:
========
FF ProfilePath: C:\Users\Phoenix\AppData\Roaming\Mozilla\Firefox\Profiles\vwji8hwv.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_43.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.9.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.9.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin - C:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Phoenix\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: thehappycloud.com/HappyCloudPlugin - C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll (The Happy Cloud)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2014-02-14]
 
Chrome: 
=======
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR DefaultNewTabURL: 
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\32.0.1700.107\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\32.0.1700.107\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\32.0.1700.107\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Unity Player) - C:\Users\Phoenix\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\Phoenix\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (Google Drive) - C:\Users\Phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-06]
CHR Extension: (Google Wallet) - C:\Users\Phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-15]
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Phoenix\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-12-20]
CHR StartMenuInternet: Google Chrome - C:\Users\Phoenix\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
S3 ArcService; C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-01-21] (Perfect World Entertainment Inc)
R2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [36456 2011-05-29] (Acer Incorporated)
S4 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-04-22] (Acer Incorporated)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4784312 2013-04-23] (INCA Internet Co., Ltd.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S3 OverwolfUpdaterService; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-02-14 20:28 - 2014-02-14 20:28 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-14 13:02 - 2014-02-14 13:02 - 00987425 _____ () C:\Users\Phoenix\Downloads\SecurityCheck.exe
2014-02-14 12:59 - 2014-02-15 16:15 - 00000000 ____D () C:\Users\Phoenix\Desktop\Fixing computer
2014-02-14 12:54 - 2014-02-14 12:57 - 00000000 ____D () C:\Users\Phoenix\Downloads\FRST-OlderVersion
2014-02-11 12:40 - 2014-02-11 12:40 - 00022287 _____ () C:\Users\Phoenix\Downloads\Addition.txt
2014-02-11 12:39 - 2014-02-15 16:15 - 00000000 ____D () C:\FRST
2014-02-11 12:31 - 2014-02-11 12:31 - 00000000 ____D () C:\Windows\ERUNT
2014-02-11 12:30 - 2014-02-11 12:30 - 01037530 _____ (Thisisu) C:\Users\Phoenix\Downloads\JRT.exe
2014-02-11 12:15 - 2014-02-11 12:24 - 00000000 ____D () C:\AdwCleaner
2014-02-11 12:14 - 2014-02-11 12:15 - 01166132 _____ () C:\Users\Phoenix\Downloads\adwcleaner.exe
2014-02-10 14:10 - 2014-02-10 14:10 - 00001792 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iTunes
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iPod
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-10 13:51 - 2014-02-13 12:23 - 00011491 _____ () C:\Users\Phoenix\Desktop\Phoenix Chores.ods
2014-02-10 13:44 - 2014-02-10 13:46 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\TS3Client
2014-02-07 21:13 - 2014-02-07 21:13 - 00003718 _____ () C:\Windows\System32\Tasks\{9351EF46-5167-4D44-B712-F581B605F0BE}
2014-02-07 21:13 - 2014-02-07 21:13 - 00000000 ____D () C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2014-02-07 15:34 - 2014-02-07 15:34 - 00688992 ____R (Swearware) C:\Users\Phoenix\Downloads\dds.com
2014-02-06 15:08 - 2014-02-15 13:17 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-06 15:08 - 2014-02-06 15:09 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Mozilla
2014-02-06 15:08 - 2014-02-06 15:08 - 00282960 _____ (Mozilla) C:\Users\Phoenix\Downloads\Firefox Setup Stub 27.0.exe
2014-02-04 03:09 - 2014-02-04 03:09 - 00029960 _____ () C:\Users\Phoenix\Downloads\Unamused.jpeg
2014-01-28 17:07 - 2014-01-28 20:09 - 00000000 ____D () C:\Program Files (x86)\TERA
2014-01-28 17:07 - 2014-01-28 17:08 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\TERA
2014-01-28 17:07 - 2014-01-28 17:07 - 00001666 _____ () C:\Users\Public\Desktop\TERA-Launcher.lnk
2014-01-28 05:03 - 2014-01-28 05:03 - 29265824 _____ (En Masse Entertainment) C:\Users\Phoenix\Downloads\TERA-Setup.exe
2014-01-28 05:00 - 2014-01-28 05:00 - 10458976 _____ () C:\Users\Phoenix\Downloads\TERA-Setup-HC.exe
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\screenshots
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\RoleSettings
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\cache
2014-01-27 03:24 - 2014-01-27 03:24 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Overwolf
2014-01-27 03:23 - 2014-01-27 03:23 - 00001171 _____ () C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
2014-01-27 03:23 - 2014-01-27 03:23 - 00000000 ____D () C:\Program Files (x86)\TeamSpeak 3 Client
2014-01-27 03:18 - 2014-01-27 03:19 - 30095736 _____ (TeamSpeak Systems GmbH) C:\Users\Phoenix\Downloads\TeamSpeak3-Client-win32-3.0.13.1.exe
 
==================== One Month Modified Files and Folders =======
 
2014-02-15 16:15 - 2014-02-14 12:59 - 00000000 ____D () C:\Users\Phoenix\Desktop\Fixing computer
2014-02-15 16:15 - 2014-02-11 12:39 - 00000000 ____D () C:\FRST
2014-02-15 15:57 - 2012-07-23 01:03 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-17097986-3119282332-1496160801-1000UA.job
2014-02-15 15:57 - 2012-07-23 01:03 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-17097986-3119282332-1496160801-1000Core.job
2014-02-15 15:48 - 2012-07-22 13:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-15 15:17 - 2013-12-20 18:56 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-15 13:41 - 2011-11-17 22:08 - 01056590 _____ () C:\Windows\WindowsUpdate.log
2014-02-15 13:17 - 2014-02-06 15:08 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-15 13:16 - 2009-07-13 22:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-15 13:16 - 2009-07-13 22:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-15 13:13 - 2009-07-13 23:13 - 00726316 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-15 13:09 - 2013-12-20 18:58 - 00000000 ___RD () C:\Users\Phoenix\Google Drive
2014-02-15 13:09 - 2013-12-20 18:56 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-15 13:09 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-15 13:09 - 2009-07-13 22:51 - 00119381 _____ () C:\Windows\setupact.log
2014-02-14 20:28 - 2014-02-14 20:28 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-14 13:02 - 2014-02-14 13:02 - 00987425 _____ () C:\Users\Phoenix\Downloads\SecurityCheck.exe
2014-02-14 12:57 - 2014-02-14 12:54 - 00000000 ____D () C:\Users\Phoenix\Downloads\FRST-OlderVersion
2014-02-13 20:12 - 2013-12-20 18:56 - 00003896 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-13 20:12 - 2013-12-20 18:56 - 00003644 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-02-13 12:23 - 2014-02-10 13:51 - 00011491 _____ () C:\Users\Phoenix\Desktop\Phoenix Chores.ods
2014-02-12 19:51 - 2011-07-13 14:45 - 00045037 _____ () C:\Windows\DirectX.log
2014-02-12 09:51 - 2009-07-13 23:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-02-11 15:52 - 2012-07-23 01:03 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-17097986-3119282332-1496160801-1000UA
2014-02-11 15:52 - 2012-07-23 01:03 - 00003494 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-17097986-3119282332-1496160801-1000Core
2014-02-11 12:40 - 2014-02-11 12:40 - 00022287 _____ () C:\Users\Phoenix\Downloads\Addition.txt
2014-02-11 12:31 - 2014-02-11 12:31 - 00000000 ____D () C:\Windows\ERUNT
2014-02-11 12:30 - 2014-02-11 12:30 - 01037530 _____ (Thisisu) C:\Users\Phoenix\Downloads\JRT.exe
2014-02-11 12:24 - 2014-02-11 12:15 - 00000000 ____D () C:\AdwCleaner
2014-02-11 12:15 - 2014-02-11 12:14 - 01166132 _____ () C:\Users\Phoenix\Downloads\adwcleaner.exe
2014-02-10 14:10 - 2014-02-10 14:10 - 00001792 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iTunes
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files\iPod
2014-02-10 14:10 - 2014-02-10 14:10 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-10 14:08 - 2013-12-20 05:33 - 00000000 ____D () C:\ProgramData\Apple
2014-02-10 13:46 - 2014-02-10 13:44 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\TS3Client
2014-02-08 22:52 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-08 22:45 - 2013-11-27 22:57 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\TERA-Diagnostic
2014-02-07 21:13 - 2014-02-07 21:13 - 00003718 _____ () C:\Windows\System32\Tasks\{9351EF46-5167-4D44-B712-F581B605F0BE}
2014-02-07 21:13 - 2014-02-07 21:13 - 00000000 ____D () C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2014-02-07 15:34 - 2014-02-07 15:34 - 00688992 ____R (Swearware) C:\Users\Phoenix\Downloads\dds.com
2014-02-07 11:58 - 2010-11-20 21:47 - 00846604 _____ () C:\Windows\PFRO.log
2014-02-06 15:09 - 2014-02-06 15:08 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Mozilla
2014-02-06 15:08 - 2014-02-06 15:08 - 00282960 _____ (Mozilla) C:\Users\Phoenix\Downloads\Firefox Setup Stub 27.0.exe
2014-02-06 15:07 - 2013-02-10 01:16 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\BitTorrent
2014-02-05 23:54 - 2013-12-27 23:09 - 00000000 ____D () C:\Program Files (x86)\Perfect World Entertainment
2014-02-05 23:18 - 2013-11-27 17:54 - 00000000 ____D () C:\ProgramData\HappyCloud
2014-02-04 03:09 - 2014-02-04 03:09 - 00029960 _____ () C:\Users\Phoenix\Downloads\Unamused.jpeg
2014-01-28 20:09 - 2014-01-28 17:07 - 00000000 ____D () C:\Program Files (x86)\TERA
2014-01-28 17:08 - 2014-01-28 17:07 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\TERA
2014-01-28 17:07 - 2014-01-28 17:07 - 00001666 _____ () C:\Users\Public\Desktop\TERA-Launcher.lnk
2014-01-28 16:42 - 2012-08-04 18:17 - 00000000 ____D () C:\Perfect World Entertainment
2014-01-28 16:39 - 2013-11-02 12:04 - 00000000 ____D () C:\Games
2014-01-28 05:03 - 2014-01-28 05:03 - 29265824 _____ (En Masse Entertainment) C:\Users\Phoenix\Downloads\TERA-Setup.exe
2014-01-28 05:00 - 2014-01-28 05:00 - 10458976 _____ () C:\Users\Phoenix\Downloads\TERA-Setup-HC.exe
2014-01-28 00:40 - 2012-07-24 21:27 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\Overwolf
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\screenshots
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\RoleSettings
2014-01-28 00:28 - 2014-01-28 00:28 - 00000000 ____D () C:\Windows\cache
2014-01-27 03:24 - 2014-01-27 03:24 - 00000000 ____D () C:\Users\Phoenix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Overwolf
2014-01-27 03:23 - 2014-01-27 03:23 - 00001171 _____ () C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
2014-01-27 03:23 - 2014-01-27 03:23 - 00000000 ____D () C:\Program Files (x86)\TeamSpeak 3 Client
2014-01-27 03:19 - 2014-01-27 03:18 - 30095736 _____ (TeamSpeak Systems GmbH) C:\Users\Phoenix\Downloads\TeamSpeak3-Client-win32-3.0.13.1.exe
2014-01-25 17:43 - 2012-08-12 23:10 - 00000000 ____D () C:\Users\Phoenix\AppData\Local\Adobe
2014-01-25 17:42 - 2012-07-22 13:04 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-25 17:42 - 2012-07-02 23:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-25 17:42 - 2011-07-13 14:54 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
 
Some content of TEMP:
====================
C:\Users\Phoenix\AppData\Local\Temp\hcuninstaller_20140205_231827_3772.exe
C:\Users\Phoenix\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-08 23:12
 
==================== End Of Log ============================
 
 
 
Java 6 and 7 removed
 
New Java installed
 
Both Adobe programs installed 
 
Old Adobe Flash uninstalled


#8 nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 February 2014 - 09:28 AM

Open your Chrome Settings
Under On Startup > set page
Remove the Snapdo link if listed.
Close Chrome and restart it.

Then run this fix.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchURL: http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=US&userid=2e3d40a1-d9f7-2da9-cf4d-dbcf2785cdc4&searchtype=ds&q={searchTerms}&installDate=06/11/2013

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt); please post it in your reply.

=================

Keep me posted.

#9 wild.fire.darkness

  • Topic Starter
  • Members
  • 19 posts

Posted 16 February 2014 - 10:50 PM

Worked that time

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-02-2014
Ran by Phoenix at 2014-02-16 21:49:05 Run:3
Running from C:\Users\Phoenix\Desktop\Fixing computer
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CHR DefaultSearchKeyword: search.snapdo.com
 
end
*****************
 
CHR DefaultSearchKeyword: search.snapdo.com ==> The Chrome "Settings" can be used to fix the entry.
CHR DefaultSearchURL: http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=US&userid=2e3d40a1-d9f7-2da9-cf4d-dbcf2785cdc4&searchtype=ds&q={searchTerms}&installDate=06/11/2013 ==> The Chrome "Settings" can be used to fix the entry.
 
==== End of Fixlog ====
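The Fixlog above shows that FRST refuses to touch the Chrome search entries and points back to the Chrome Settings page. As an added example (not FRST's code and not from this thread), the following Python script reads a Chrome profile's Preferences file directly and reports a default search provider or forced startup page that is outside an allowlist, which is the check a helper would want before and after the manual fix. It assumes the preference keys default_search_provider_data.template_url_data, session.restore_on_startup and session.startup_urls, the Preferences path under User Data\Default, and the allowlists and sample profile are constructed.

```python
"""Audit a Chrome 'Preferences' file for a hijacked default search provider
and for forced startup pages (what FRST lists as CHR DefaultSearchKeyword,
CHR DefaultSearchURL and what Chrome shows under Settings > On startup).

Assumed preference keys (an assumption of this example, not from the thread):
  default_search_provider_data.template_url_data.{keyword,url}
  session.restore_on_startup (4 = open a specific set of pages)
  session.startup_urls
"""
import json
import os
from urllib.parse import urlsplit

# Constructed allowlists: the search engines and startup pages the user
# actually chose. Anything else is reported for review.
TRUSTED_SEARCH_KEYWORDS = {"google.com", "bing.com", "duckduckgo.com"}
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com",
                 "www.bleepingcomputer.com"}

# Assumed default location of the profile's Preferences file on Windows.
DEFAULT_PREFS_PATH = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google",
                                  "Chrome", "User Data", "Default", "Preferences")


def host_of(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def audit_chrome_prefs(prefs):
    """Return (setting, value, reason) tuples for settings that point outside
    the allowlists; an empty list means nothing suspicious was found."""
    findings = []
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    keyword = tud.get("keyword", "")
    if keyword and keyword.lower() not in TRUSTED_SEARCH_KEYWORDS:
        findings.append(("CHR DefaultSearchKeyword", keyword, "keyword not in allowlist"))
    url = tud.get("url", "")
    if url and host_of(url) not in TRUSTED_HOSTS:
        findings.append(("CHR DefaultSearchURL", url, "search host not in allowlist"))
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == 4:  # "Open a specific page or set of pages"
        for page in session.get("startup_urls", []):
            if host_of(page) not in TRUSTED_HOSTS:
                findings.append(("CHR StartupUrl", page, "startup page not in allowlist"))
    return findings


def audit_chrome_prefs_file(path=DEFAULT_PREFS_PATH):
    """Load a real Preferences file (plain JSON) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_prefs(json.load(fh))


# Constructed sample modelled on the hijack in this thread; the publisher and
# tracking parameters are placeholders, not values from the log.
SAMPLE_PREFS = json.loads("""{
  "default_search_provider_data": {"template_url_data": {
      "keyword": "search.snapdo.com",
      "url": "http://feed.snapdo.com/?publisher=PLACEHOLDER&q={searchTerms}"}},
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://www.bleepingcomputer.com/",
                               "http://feed.snapdo.com/?publisher=PLACEHOLDER"]}
}""")

# Constructed clean profile: Google as search provider, no forced startup pages.
CLEAN_PREFS = {"default_search_provider_data": {"template_url_data": {
                   "keyword": "google.com",
                   "url": "https://www.google.com/search?q={searchTerms}"}},
               "session": {"restore_on_startup": 5}}

if __name__ == "__main__":
    for setting, value, reason in audit_chrome_prefs(SAMPLE_PREFS):
        print(f"{setting}: {value}  <- {reason}")
```

Run it against a real profile with Chrome closed via audit_chrome_prefs_file(); the three findings on the sample correspond to the two CHR lines in the fixlist plus the startup page that kept re-opening.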


#10 nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 February 2014 - 10:46 AM



If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
Ignore if ComboFix was not used.
===


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • A script blocker can help block many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon;
  • ScriptNo is a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#11 wild.fire.darkness

  • Topic Starter
  • Members
  • 19 posts

Posted 17 February 2014 - 04:55 PM

It seems to be fixed. Thank you very much for all your help. 



#12 nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 February 2014 - 08:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
