Excessive internet popups and multiple virus detected


  • This topic is locked
10 replies to this topic

#1 namod65

namod65

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 28 April 2014 - 08:36 PM

Hello, I've been getting a ton of pop-up ads while browsing and my AVG software keeps detecting various Trojans/viruses, etc... Here is my log, thanks,

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041
Run by Nathaniel at 21:14:45 on 2014-04-28
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4095.2489 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
c:\PROGRA~2\AVG\AVG2014\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\PasswordBox\pbbtnService.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe
C:\Program Files (x86)\Yontoo\Y2Desktop.Updater.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\loggingserver.exe
C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_0214b.exe
C:\Windows\Explorer.EXE
C:\Users\Nathaniel\AppData\Roaming\Yontoo\YontooDesktop.exe
C:\Users\Nathaniel\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Users\Nathaniel\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: PasswordBox Helper: {5DB69B97-934B-451D-94DB-32EF802A01CD} - C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll
BHO: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.0.443\AVG SafeGuard toolbar_toolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: SearchNewTab: {DD7AC7DC-6100-1999-D082-42A4D0309046} - C:\ProgramData\SearchNewTab\520991cdd7f77.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.0.443\AVG SafeGuard toolbar_toolbar.dll
uRun: [Yontoo Desktop] "C:\Users\Nathaniel\AppData\Roaming\Yontoo\YontooDesktop.exe"
uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount
uRun: [Akamai NetSession Interface] "C:\Users\Nathaniel\AppData\Local\Akamai\netsession_win.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NCDOWN~1.LNK - C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{65496E0F-3933-4D3B-A818-13CAE76BF25E} : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{A8037C49-4F61-493F-B959-2B3B14535194} : DHCPNameServer = 192.168.254.254
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.0\ViProtocol.dll
AppInit_DLLs=   c:\progra~2\browse~1\sprote~1.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com?cid={C4EF2D30-69E1-4D1E-9C37-9B41EC5C05A0}&mid=d70fb4e050c347d0a08fd16b53d25aed-7d5c14fbf47395b050a0bed849e1effe8c90eb73&lang=en&ds=co011&coid=avgtbdisco&cmpid=&pr=sa&d=2013-08-26 21:33:23&v=18.0.5.292&pid=safeguard&sg=0&sap=hp
FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - fa1674f7-2742-4de1-a1e5-0afe92856399
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,buzzdock,YontooNewOffers
.
FF - user.js: extensions.autoDisableScopes - 14
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2014-3-27 192792]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2014-3-27 324376]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2014-3-31 130840]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2014-3-27 32536]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2014-3-27 153368]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2014-4-18 237336]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2014-3-27 236824]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2014-3-31 274200]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2013-3-9 50464]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2014-4-18 3645456]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2014-3-27 291912]
R2 PasswordBox;PasswordBox;C:\Program Files (x86)\PasswordBox\pbbtnService.exe [2013-11-1 67584]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 vToolbarUpdater18.1.0;vToolbarUpdater18.1.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [2014-4-27 1801240]
R2 Yontoo Desktop Updater;Yontoo Desktop Updater;C:\Program Files (x86)\Yontoo\Y2Desktop.Updater.exe [2013-3-9 23552]
R3 ATSwpWDF;AuthenTec TruePrint WBF Driver;C:\Windows\System32\drivers\ATSwpWDF.sys [2012-8-30 1109296]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-1-5 75624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-2-28 99384]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-22 111616]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2012-10-1 178824]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-2-28 203320]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-16 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-15 1255736]
.
=============== Created Last 30 ================
.
2014-04-28 22:55:38 -------- d-sh--w- C:\Users\Nathaniel\AppData\Local\EmieUserList
2014-04-28 22:55:38 -------- d-sh--w- C:\Users\Nathaniel\AppData\Local\EmieSiteList
2014-04-27 22:50:24 -------- d-----w- C:\ProgramData\AVG Secure Search
2014-04-18 19:01:56 237336 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2014-04-09 22:34:41 27584 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2014-04-09 22:34:41 274880 ----a-w- C:\Windows\System32\drivers\msiscsi.sys
2014-04-09 22:34:41 2048 ----a-w- C:\Windows\SysWow64\iologmsg.dll
2014-04-09 22:34:41 2048 ----a-w- C:\Windows\System32\iologmsg.dll
2014-04-09 22:34:41 190912 ----a-w- C:\Windows\System32\drivers\storport.sys
2014-04-09 22:33:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-04-09 22:33:44 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-04-09 22:33:44 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-04-09 22:33:44 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-04-09 22:33:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2014-04-09 22:33:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-04-09 22:33:43 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-04-09 22:33:43 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-04-09 22:33:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2014-04-09 22:33:42 1684928 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2014-03-31 20:20:54 274200 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2014-03-31 20:06:26 130840 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
.
==================== Find3M  ====================
.
2014-04-29 00:04:56 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-29 00:04:55 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-27 22:50:09 50464 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2014-03-28 02:14:26 192792 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2014-03-28 02:14:24 153368 ----a-w- C:\Windows\System32\drivers\avgdiska.sys
2014-03-28 02:07:10 236824 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2014-03-28 02:05:02 324376 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2014-03-28 02:03:16 32536 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2014-03-06 09:32:16 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:32:07 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-03-04 09:17:05 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:22 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:22 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
.
============= FINISH: 21:15:33.41 ===============
 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:55 AM

Posted 03 May 2014 - 09:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#3 namod65

namod65
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 04 May 2014 - 05:51 PM

Ok, so I ran all the scans. The pop-ups and other annoying ads that really slowed down my web browsing seem to be gone now. But my AVG is still detecting a threat labeled "HackTool.AHDG" every time I start up. Here are my logs:

 

Malwarebytes:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/4/2014
Scan Time: 5:45:46 PM
Logfile: mbamlog.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.04.09
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nathaniel

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 269564
Time Elapsed: 18 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 2
PUP.Optional.MultiPlug.A, C:\ProgramData\SearchNewTab\520991cdd7f77.dll, Delete-on-Reboot, [ee12fe02c23e2fd1758925de38c955ab],
PUP.Optional.MultiPlug.A, C:\ProgramData\SearchNewTab\520991cdd7f77.dll, Delete-on-Reboot, [ee12fe02c23e2fd1758925de38c955ab],

Registry Keys: 15
PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{DD7AC7DC-6100-1999-D082-42A4D0309046}, Quarantined, [ee12fe02c23e2fd1758925de38c955ab],
PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DD7AC7DC-6100-1999-D082-42A4D0309046}, Quarantined, [ee12fe02c23e2fd1758925de38c955ab],
PUP.Optional.MultiPlug.A, HKU\S-1-5-21-2955413446-3879675591-2903648236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DD7AC7DC-6100-1999-D082-42A4D0309046}, Quarantined, [ee12fe02c23e2fd1758925de38c955ab],
PUP.Optional.MultiPlug.A, HKU\S-1-5-21-2955413446-3879675591-2903648236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DD7AC7DC-6100-1999-D082-42A4D0309046}, Quarantined, [ee12fe02c23e2fd1758925de38c955ab],
PUP.Optional.SilentInstall.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{C3F3165C-74D3-6FDB-3274-14FDA8698CFA}, Quarantined, [ab554eb2a65aa95751d3907604fd639d],
PUP.Optional.SilentInstall.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}, Quarantined, [778980804ab6c43c64c0a4625ba607f9],
PUP.Optional.SProtector.A, HKU\S-1-5-21-2955413446-3879675591-2903648236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SProtector, Quarantined, [9b65728e3dc38977e2f8a9fc5ca7df21],
PUP.Optional.InstallCore.A, HKU\S-1-5-21-2955413446-3879675591-2903648236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [31cfe71925db2bd5a589286508fad729],
PUP.Optional.InstallCore.A, HKU\S-1-5-21-2955413446-3879675591-2903648236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, Quarantined, [758ba858d8287987054f0d96cd36b050],
PUP.Optional.SearchNewTab, HKLM\SOFTWARE\CLASSES\TYPELIB\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.SearchNewTab, HKLM\SOFTWARE\CLASSES\INTERFACE\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.SearchNewTab, HKLM\SOFTWARE\CLASSES\INTERFACE\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.SearchNewTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.SearchNewTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.SearchNewTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],

Registry Values: 1
PUP.Optional.InstallCore.A, HKU\S-1-5-21-2955413446-3879675591-2903648236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0G2Y1R2X0G1M2S1M0G1S1H, Quarantined, [758ba858d8287987054f0d96cd36b050]

Registry Data: 0
(No malicious items detected)

Folders: 9
PUP.Optional.SearchNewTab, C:\ProgramData\SearchNewTab, Delete-on-Reboot, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\content, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\defaults, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\defaults\preferences, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\locale, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\locale\en-US, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\META-INF, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\skin, Quarantined, [827ece326799867ad67b2c427f832ad6],

Files: 36
PUP.Optional.MultiPlug.A, C:\ProgramData\SearchNewTab\520991cdd7f77.dll, Delete-on-Reboot, [ee12fe02c23e2fd1758925de38c955ab],
PUP.Optional.SilentInstall.A, C:\ProgramData\Browse22save\uninstall.exe, Quarantined, [ab554eb2a65aa95751d3907604fd639d],
PUP.Optional.SilentInstall.A, C:\ProgramData\ByrrowSe2suave\uninstall.exe, Quarantined, [38c8ed138d7340c06fb5ef1751b0a55b],
Adware.Agent, C:\ProgramData\InstallMate\{9C04F03D-75D3-405A-A2B1-3DF147E7D2CB}\Custom.dll, Quarantined, [05fbce324eb26e92d77be26a629f6898],
PUP.Optional.SilentInstall.A, C:\ProgramData\SearchNewTab\uninstall.exe, Quarantined, [778980804ab6c43c64c0a4625ba607f9],
PUP.Optional.InstallCore.A, C:\Users\Nathaniel\AppData\Local\Temp\2sRoeHNe.exe.part, Quarantined, [1ee2728e18e8857bc39e9d6f1fe228d8],
PUP.Optional.InstalleRex, C:\Users\Nathaniel\AppData\Local\Temp\ggVuEKwl.exe.part, Quarantined, [de22f40cc838a15fba807faace333cc4],
PUP.Optional.Installex, C:\Users\Nathaniel\AppData\Local\Temp\HGqLUTdo.exe.part, Quarantined, [936dee1229d70cf47075c0428a77649c],
PUP.Optional.InstalleRex, C:\Users\Nathaniel\AppData\Local\Temp\jNtMG5hr.exe.part, Quarantined, [e31d926e916fd927ec4eee3bbc45a55b],
PUP.Optional.Installex, C:\Users\Nathaniel\AppData\Local\Temp\MDwGz71W.exe.part, Quarantined, [3cc451afd22e47b97471689aff026b95],
PUP.Optional.InstalleRex, C:\Users\Nathaniel\AppData\Local\Temp\B8hBMdfv.exe.part, Quarantined, [b44ca15f08f817e9a8920a1ff110619f],
PUP.Optional.Installrex, C:\Users\Nathaniel\AppData\Local\Temp\tLgXQaar.exe.part, Quarantined, [41bfc9370af69e62735e7499c23f916f],
PUP.Optional.InstalleRex, C:\Users\Nathaniel\Downloads\ESPN 30 for 30 Survive and Advance 1080i HDTV AC3 x264-anjaklama.exe, Quarantined, [0000619f43bd649c1f2488ae6899c53b],
PUP.Optional.SearchNewTab, C:\ProgramData\SearchNewTab\520991cdd7f77.tlb, Quarantined, [89773dc345bb1de306f1c5a27c863fc1],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\build.sh, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\chrome.manifest, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\config_build.sh, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\install.rdf, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\readme.txt, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\content\about.xul, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\content\firefoxOverlay.xul, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\content\options.xul, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\content\overlay.js, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\content\y2layers.jpg, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\defaults\preferences\y2layers.js, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\locale\en-US\about.dtd, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\locale\en-US\prefwindow.dtd, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\locale\en-US\y2layers.dtd, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\locale\en-US\y2layers.properties, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\META-INF\manifest.mf, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\META-INF\zigbert.rsa, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\META-INF\zigbert.sf, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\skin\overlay.css, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Yontoo.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\extensions\plugin@yontoo.com\skin\toolbar-button.png, Quarantined, [827ece326799867ad67b2c427f832ad6],
PUP.Optional.Babylon.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar.prtkDS", 0);), Replaced,[d729f60a9a66a858356a0065798b18e8]
PUP.Optional.Babylon.A, C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar.prtkHmpg", 0);), Replaced,[f709ce3216ea2fd1732ce77eac589868]

Physical Sectors: 0
(No malicious items detected)

(end)

AdwCleaner:

# AdwCleaner v3.206 - Report created 04/05/2014 at 18:18:18
# Updated 04/05/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Nathaniel - NATHANIEL-PC
# Running from : C:\Users\Nathaniel\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : Yontoo Desktop Updater

***** [ Files / Folders ] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml
File Found : C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\user.js
Folder Found : C:\Program Files (x86)\AVG SafeGuard toolbar
Folder Found : C:\Program Files (x86)\BrowseToSave
Folder Found : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found : C:\Program Files (x86)\Yontoo
Folder Found : C:\ProgramData\AVG SafeGuard toolbar
Folder Found : C:\ProgramData\AVG Secure Search
Folder Found : C:\ProgramData\Browse22save
Folder Found : C:\ProgramData\ByrrowSe2suave
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Browse22save
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByrrowSe2suave
Folder Found : C:\ProgramData\SoftSafe
Folder Found : C:\ProgramData\StarApp
Folder Found : C:\ProgramData\Tarma Installer
Folder Found : C:\Users\Nathaniel\AppData\Local\AVG SafeGuard toolbar
Folder Found : C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj
Folder Found : C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfbafidfelnpaimgliecojkihbifbiep
Folder Found : C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\omfhjnfpeieepfemapebehnpmbohniam
Folder Found : C:\Users\Nathaniel\AppData\LocalLow\AVG SafeGuard toolbar
Folder Found : C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\Extensions\5_yiua@ya-.net
Folder Found : C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\Extensions\fxhzgfiau@cwrrbjqg.org
Folder Found : C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\Extensions\zceorp@zfgxtr.edu
Folder Found : C:\Users\Nathaniel\AppData\Roaming\NCdownloader
Folder Found : C:\Users\Nathaniel\AppData\Roaming\vghd
Folder Found : C:\Users\Nathaniel\AppData\Roaming\Yontoo

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\browse~1\sprote~1.dll
Key Found : HKCU\Software\AVG SafeGuard toolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : [x64] HKCU\Software\AVG SafeGuard toolbar
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\Software\AVG SafeGuard toolbar
Key Found : HKLM\Software\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Found : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI
Key Found : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI.1
Key Found : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.PugiObj
Key Found : HKLM\SOFTWARE\Classes\AVG SafeGuard toolbar.PugiObj.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_f2a323db
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKLM\Software\SP Global
Key Found : HKLM\Software\SProtector
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : [x64] HKLM\SOFTWARE\Tarma Installer
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Yontoo Desktop]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\prefs.js ]

Line Found : user_pref("aol_toolbar.default.homepage.check", false);
Line Found : user_pref("aol_toolbar.default.search.check", false);
Line Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Line Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Line Found : user_pref("extensions.514f8b24ca0e5.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"sumorobo.net\")>-1||url.indexOf(\"mindr[...]
Line Found : user_pref("extensions.5158fb49491d1.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"sumorobo.net\")>-1||url.indexOf(\"mindr[...]
Line Found : user_pref("extensions.520991cdd7e8f.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"sumorobo.net\")>-1||url.indexOf(\"mindr[...]
Line Found : user_pref("extentions.y2layers.defaultEnableAppsList", "DropDownDeals,buzzdock,YontooNewOffers");
Line Found : user_pref("extentions.y2layers.installId", "fa1674f7-2742-4de1-a1e5-0afe92856399");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Line Found : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Found : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Found : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v

[ File : C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Extension] : jpfhglhhdiimlhdjbbfhmgjneniolflj
Found [Extension] : omfhjnfpeieepfemapebehnpmbohniam
Found [Extension] : mfbafidfelnpaimgliecojkihbifbiep

*************************

AdwCleaner[R0].txt - [12212 octets] - [04/05/2014 18:18:18]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [12273 octets] ##########

Farbar:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-05-2014
Ran by Nathaniel (administrator) on NATHANIEL-PC on 04-05-2014 18:34:28
Running from C:\Users\Nathaniel\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(StarWind Software) C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Akamai Technologies, Inc.) C:\Users\Nathaniel\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\Nathaniel\AppData\Local\Akamai\netsession_win.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] => C:\Windows\system32\NvCpl.dll [16330272 2009-07-02] (NVIDIA Corporation)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5180432 2014-04-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-2955413446-3879675591-2903648236-1000\...\Run: [AlcoholAutomount] => C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team)
HKU\S-1-5-21-2955413446-3879675591-2903648236-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Nathaniel\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\S-1-5-21-2955413446-3879675591-2903648236-1000\...\MountPoints2: {456ce97b-81fb-11e2-aae4-00221536b31e} - H:\VZW_Software_upgrade_assistant_installer.exe
HKU\S-1-5-21-2955413446-3879675591-2903648236-1000\...\MountPoints2: {5f920c40-891d-11e2-bd5f-806e6f6e6963} - F:\SETUP.EXE
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NCdownloader.lnk
ShortcutTarget: NCdownloader.lnk -> C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe (SOLIBO Ltd.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xE63821684AF4CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: PasswordBox Helper - {5DB69B97-934B-451D-94DB-32EF802A01CD} - C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

FireFox:
========
FF ProfilePath: C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default
FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");
FF Homepage: hxxp://mysearch.avg.com?cid={C4EF2D30-69E1-4D1E-9C37-9B41EC5C05A0}&mid=d70fb4e050c347d0a08fd16b53d25aed-7d5c14fbf47395b050a0bed849e1effe8c90eb73&lang=en&ds=co011&coid=avgtbdisco&cmpid=&pr=sa&d=2013-08-26 21:33:23&v=18.0.5.292&pid=safeguard&sg=0&sap=hp
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_206.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 - C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\jc58fw3q.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-01-22]
FF HKLM-x32\...\Firefox\Extensions: [firefox@passwordbox.com] - C:\Program Files (x86)\PasswordBox\Firefox
FF Extension: PasswordBox - C:\Program Files (x86)\PasswordBox\Firefox [2013-11-21]

Chrome:
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj [2013-03-31]
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfbafidfelnpaimgliecojkihbifbiep [2013-08-12]
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\omfhjnfpeieepfemapebehnpmbohniam [2013-03-24]

==================== Services (Whitelisted) =================

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3645456 2014-04-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [291912 2014-03-27] (AVG Technologies CZ, s.r.o.)
S2 AxAutoMntSrv; C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
R2 StarWindServiceAE; C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [370688 2009-12-23] (StarWind Software)
S2 vToolbarUpdater18.1.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [X]

==================== Drivers (Whitelisted) ====================

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-03-27] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [237336 2014-04-18] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192792 2014-03-27] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [236824 2014-03-27] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [324376 2014-03-27] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [130840 2014-03-31] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [32536 2014-03-27] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-03-31] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50464 2014-04-27] (AVG Technologies)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-04-03] (Malwarebytes Corporation)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [119512 2014-05-04] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63192 2014-04-03] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ATK64AMD.sys [13680 2007-08-09] ()
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-03-09] (Duplex Secure Ltd.)
U3 ag2fm1h8; C:\Windows\System32\Drivers\ag2fm1h8.sys [0 ] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-04 18:34 - 2014-05-04 18:34 - 00011670 _____ () C:\Users\Nathaniel\Downloads\FRST.txt
2014-05-04 18:34 - 2014-05-04 18:34 - 00000000 ____D () C:\FRST
2014-05-04 18:33 - 2014-05-04 18:33 - 02062336 _____ (Farbar) C:\Users\Nathaniel\Downloads\FRST64.exe
2014-05-04 18:31 - 2014-05-04 18:31 - 00000000 ____D () C:\Users\Nathaniel\AppData\Roaming\NCdownloader
2014-05-04 18:28 - 2014-05-04 18:28 - 00012402 _____ () C:\Users\Nathaniel\Desktop\AdwCleaner[R0].txt
2014-05-04 18:18 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-05-04 18:17 - 2014-05-04 18:28 - 00000000 ____D () C:\AdwCleaner
2014-05-04 18:17 - 2014-05-04 18:17 - 01313617 _____ () C:\Users\Nathaniel\Downloads\adwcleaner.exe
2014-05-04 17:23 - 2014-05-04 18:31 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-04 17:23 - 2014-05-04 17:23 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-04 17:23 - 2014-05-04 17:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-04 17:23 - 2014-05-04 17:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-04 17:23 - 2014-05-04 17:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-04 17:23 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-04 17:23 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-04 17:23 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-04 17:22 - 2014-05-04 17:22 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Nathaniel\Downloads\mbam-setup-2.0.1.1004.exe
2014-05-03 03:00 - 2014-04-29 10:01 - 23547904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-03 03:00 - 2014-04-29 09:40 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-03 03:00 - 2014-04-29 08:48 - 17384448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-03 03:00 - 2014-04-29 08:34 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-28 21:15 - 2014-04-28 21:21 - 00017237 _____ () C:\Users\Nathaniel\Desktop\dds.txt
2014-04-28 21:15 - 2014-04-28 21:21 - 00006911 _____ () C:\Users\Nathaniel\Desktop\attach.txt
2014-04-28 21:12 - 2014-04-28 21:12 - 00688992 ____R (Swearware) C:\Users\Nathaniel\Downloads\dds.com
2014-04-28 18:55 - 2014-04-28 18:55 - 00000000 __SHD () C:\Users\Nathaniel\AppData\Local\EmieUserList
2014-04-28 18:55 - 2014-04-28 18:55 - 00000000 __SHD () C:\Users\Nathaniel\AppData\Local\EmieSiteList
2014-04-22 23:03 - 2014-03-06 05:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-04-22 23:03 - 2014-03-06 04:59 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-04-22 23:03 - 2014-03-06 04:57 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-22 23:03 - 2014-03-06 04:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-04-22 23:03 - 2014-03-06 04:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-22 23:03 - 2014-03-06 04:40 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-22 23:03 - 2014-03-06 04:39 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-04-22 23:03 - 2014-03-06 04:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-22 23:03 - 2014-03-06 04:29 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-22 23:03 - 2014-03-06 04:29 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-04-22 23:03 - 2014-03-06 04:28 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-04-22 23:03 - 2014-03-06 04:15 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-04-22 23:03 - 2014-03-06 04:11 - 05784064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-22 23:03 - 2014-03-06 04:09 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-04-22 23:03 - 2014-03-06 04:03 - 00586240 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-04-22 23:03 - 2014-03-06 04:02 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-04-22 23:03 - 2014-03-06 04:02 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-22 23:03 - 2014-03-06 04:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-04-22 23:03 - 2014-03-06 03:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-04-22 23:03 - 2014-03-06 03:48 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-04-22 23:03 - 2014-03-06 03:47 - 02178048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-22 23:03 - 2014-03-06 03:46 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-22 23:03 - 2014-03-06 03:46 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-22 23:03 - 2014-03-06 03:45 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-22 23:03 - 2014-03-06 03:42 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-04-22 23:03 - 2014-03-06 03:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-22 23:03 - 2014-03-06 03:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-04-22 23:03 - 2014-03-06 03:36 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-04-22 23:03 - 2014-03-06 03:22 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-04-22 23:03 - 2014-03-06 03:21 - 00628736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-22 23:03 - 2014-03-06 03:13 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-04-22 23:03 - 2014-03-06 03:11 - 02043904 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-22 23:03 - 2014-03-06 03:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-22 23:03 - 2014-03-06 03:01 - 00244224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-04-22 23:03 - 2014-03-06 02:53 - 13551104 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-22 23:03 - 2014-03-06 02:46 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-22 23:03 - 2014-03-06 02:40 - 01967104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-04-22 23:03 - 2014-03-06 02:36 - 11745792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-22 23:03 - 2014-03-06 02:22 - 02260480 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-22 23:03 - 2014-03-06 01:58 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-22 23:03 - 2014-03-06 01:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-04-22 23:03 - 2014-03-06 01:43 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-04-22 23:03 - 2014-03-06 01:41 - 01789440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-22 23:03 - 2014-03-06 01:36 - 01143808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-18 15:01 - 2014-04-18 15:01 - 00237336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2014-04-09 18:34 - 2014-02-03 22:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-09 18:34 - 2014-02-03 22:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-09 18:34 - 2014-02-03 22:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-09 18:34 - 2014-02-03 22:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-09 18:34 - 2014-02-03 22:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-09 18:33 - 2014-03-04 05:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-09 18:33 - 2014-03-04 05:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-09 18:33 - 2014-03-04 05:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-09 18:33 - 2014-03-04 05:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-09 18:33 - 2014-03-04 05:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-09 18:33 - 2014-03-04 05:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-09 18:33 - 2014-03-04 05:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-09 18:33 - 2014-03-04 05:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-09 18:33 - 2014-03-04 05:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-09 18:33 - 2014-03-04 04:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-09 18:33 - 2014-03-04 04:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-09 18:33 - 2014-01-23 22:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders =======

2014-05-04 18:34 - 2014-05-04 18:34 - 00011670 _____ () C:\Users\Nathaniel\Downloads\FRST.txt
2014-05-04 18:34 - 2014-05-04 18:34 - 00000000 ____D () C:\FRST
2014-05-04 18:34 - 2013-01-15 01:20 - 01933614 _____ () C:\Windows\WindowsUpdate.log
2014-05-04 18:33 - 2014-05-04 18:33 - 02062336 _____ (Farbar) C:\Users\Nathaniel\Downloads\FRST64.exe
2014-05-04 18:33 - 2013-03-09 22:11 - 00000000 ____D () C:\Program Files\KMSpico
2014-05-04 18:31 - 2014-05-04 18:31 - 00000000 ____D () C:\Users\Nathaniel\AppData\Roaming\NCdownloader
2014-05-04 18:31 - 2014-05-04 17:23 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-04 18:31 - 2014-02-05 19:18 - 00000374 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_0214b_rmv.job
2014-05-04 18:31 - 2014-02-05 19:18 - 00000372 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_0214b_rel.job
2014-05-04 18:30 - 2013-01-14 22:41 - 00205160 _____ () C:\Windows\PFRO.log
2014-05-04 18:30 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-04 18:30 - 2009-07-14 00:51 - 00042330 _____ () C:\Windows\setupact.log
2014-05-04 18:28 - 2014-05-04 18:28 - 00012402 _____ () C:\Users\Nathaniel\Desktop\AdwCleaner[R0].txt
2014-05-04 18:28 - 2014-05-04 18:17 - 00000000 ____D () C:\AdwCleaner
2014-05-04 18:18 - 2009-07-14 00:45 - 00013456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-04 18:18 - 2009-07-14 00:45 - 00013456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-04 18:17 - 2014-05-04 18:17 - 01313617 _____ () C:\Users\Nathaniel\Downloads\adwcleaner.exe
2014-05-04 18:04 - 2013-01-15 22:02 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-05-04 17:48 - 2013-01-20 18:27 - 00000000 ____D () C:\Program Files\PeerBlock
2014-05-04 17:23 - 2014-05-04 17:23 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-04 17:23 - 2014-05-04 17:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-04 17:23 - 2014-05-04 17:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-04 17:23 - 2014-05-04 17:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-04 17:22 - 2014-05-04 17:22 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Nathaniel\Downloads\mbam-setup-2.0.1.1004.exe
2014-05-04 17:17 - 2013-01-14 23:06 - 00000000 ____D () C:\ProgramData\MFAData
2014-05-03 22:23 - 2013-01-14 23:44 - 00000000 ____D () C:\Users\Nathaniel\AppData\Roaming\vlc
2014-05-03 22:19 - 2013-01-20 18:40 - 00000000 ____D () C:\Users\Nathaniel\AppData\Roaming\uTorrent
2014-05-02 18:57 - 2014-03-31 21:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-05-02 18:57 - 2013-10-25 18:11 - 00000000 ____D () C:\Users\Nathaniel\AppData\Local\Avg2014
2014-05-02 18:57 - 2013-10-25 18:05 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-05-01 17:52 - 2009-07-14 01:08 - 00032552 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-29 18:29 - 2013-01-14 23:30 - 00112288 _____ () C:\Users\Nathaniel\AppData\Local\GDIPFONTCACHEV1.DAT
2014-04-29 18:13 - 2009-07-14 00:45 - 00443544 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-04-29 10:01 - 2014-05-03 03:00 - 23547904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-29 09:40 - 2014-05-03 03:00 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-29 08:48 - 2014-05-03 03:00 - 17384448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-29 08:34 - 2014-05-03 03:00 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-28 22:56 - 2013-03-09 21:55 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-28 22:56 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\System
2014-04-28 22:56 - 2009-07-13 22:34 - 00000478 _____ () C:\Windows\win.ini
2014-04-28 22:51 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-04-28 21:21 - 2014-04-28 21:15 - 00017237 _____ () C:\Users\Nathaniel\Desktop\dds.txt
2014-04-28 21:21 - 2014-04-28 21:15 - 00006911 _____ () C:\Users\Nathaniel\Desktop\attach.txt
2014-04-28 21:12 - 2014-04-28 21:12 - 00688992 ____R (Swearware) C:\Users\Nathaniel\Downloads\dds.com
2014-04-28 20:04 - 2013-01-15 22:02 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-04-28 20:04 - 2013-01-15 22:02 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-04-28 20:04 - 2013-01-15 22:02 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-04-28 18:55 - 2014-04-28 18:55 - 00000000 __SHD () C:\Users\Nathaniel\AppData\Local\EmieUserList
2014-04-28 18:55 - 2014-04-28 18:55 - 00000000 __SHD () C:\Users\Nathaniel\AppData\Local\EmieSiteList
2014-04-28 18:12 - 2009-07-14 01:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-27 18:50 - 2013-06-26 22:28 - 00003749 _____ () C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
2014-04-27 18:50 - 2013-03-09 20:55 - 00050464 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
2014-04-27 17:18 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-04-26 23:55 - 2013-10-25 18:04 - 00000000 ____D () C:\ProgramData\AVG2014
2014-04-26 17:19 - 2013-06-06 22:32 - 00000000 ____D () C:\Users\Nathaniel\AppData\Local\Akamai
2014-04-23 18:31 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-04-23 17:54 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-04-20 14:39 - 2013-11-21 22:38 - 00000000 ____D () C:\Program Files (x86)\PasswordBox
2014-04-18 15:01 - 2014-04-18 15:01 - 00237336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2014-04-09 22:33 - 2013-03-09 21:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2014-04-09 22:30 - 2013-08-14 23:04 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-09 22:29 - 2013-01-14 23:15 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-04-06 21:47 - 2009-07-14 01:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD

Some content of TEMP:
====================
C:\Users\Nathaniel\AppData\Local\Temp\AskSLib.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna2444661129880804997.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna2569033896926181093.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3016603315306730205.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3250271612492775854.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3651557141970460593.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna6011081330158069965.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna6761562350081240957.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna7055833619744016572.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna7523973389735070536.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8137199739732461381.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8213377824872166701.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8773121101690277446.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna9172784618078173238.dll
C:\Users\Nathaniel\AppData\Local\Temp\oi_{ECFF54AB-5C51-4E2E-AB14-07A643EFE276}.exe
C:\Users\Nathaniel\AppData\Local\Temp\ose00000.exe
C:\Users\Nathaniel\AppData\Local\Temp\Quarantine.exe
C:\Users\Nathaniel\AppData\Local\Temp\Tsu270F0455.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-29 19:32

==================== End Of Log ============================

 

 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:55 AM

Posted 05 May 2014 - 07:56 AM


If not already done, please run the AdwCleaner tool and clean everything that is found.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
ShortcutTarget: NCdownloader.lnk -> C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe (SOLIBO Ltd.)
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj [2013-03-31]
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfbafidfelnpaimgliecojkihbifbiep [2013-08-12]
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\omfhjnfpeieepfemapebehnpmbohniam [2013-03-24]
S2 vToolbarUpdater18.1.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [X]
U3 ag2fm1h8; C:\Windows\System32\Drivers\ag2fm1h8.sys [0 ] (Microsoft Corporation)
C:\Users\Nathaniel\AppData\Local\Temp\AskSLib.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna2444661129880804997.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna2569033896926181093.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3016603315306730205.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3250271612492775854.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3651557141970460593.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna6011081330158069965.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna6761562350081240957.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna7055833619744016572.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna7523973389735070536.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8137199739732461381.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8213377824872166701.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8773121101690277446.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna9172784618078173238.dll
C:\Users\Nathaniel\AppData\Local\Temp\oi_{ECFF54AB-5C51-4E2E-AB14-07A643EFE276}.exe
C:\Users\Nathaniel\AppData\Local\Temp\ose00000.exe
C:\Users\Nathaniel\AppData\Local\Temp\Tsu270F0455.dll

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Let me know what problem persists.

#5 namod65

namod65
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 08 May 2014 - 08:13 PM

Ok I ran those scans. My AVG is still detecting a threat "HackTool.AHDG". Object name: "c:\program files\KMSpico\S062Q16ZWIV".

Here are my logs:

fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-05-2014 02
Ran by Nathaniel at 2014-05-08 20:52:44 Run:1
Running from C:\Users\Nathaniel\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
ShortcutTarget: NCdownloader.lnk -> C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe (SOLIBO Ltd.)
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj [2013-03-31]
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfbafidfelnpaimgliecojkihbifbiep [2013-08-12]
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\omfhjnfpeieepfemapebehnpmbohniam [2013-03-24]
S2 vToolbarUpdater18.1.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [X]
U3 ag2fm1h8; C:\Windows\System32\Drivers\ag2fm1h8.sys [0 ] (Microsoft Corporation)
C:\Users\Nathaniel\AppData\Local\Temp\AskSLib.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna2444661129880804997.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna2569033896926181093.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3016603315306730205.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3250271612492775854.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna3651557141970460593.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna6011081330158069965.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna6761562350081240957.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna7055833619744016572.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna7523973389735070536.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8137199739732461381.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8213377824872166701.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna8773121101690277446.dll
C:\Users\Nathaniel\AppData\Local\Temp\jna9172784618078173238.dll
C:\Users\Nathaniel\AppData\Local\Temp\oi_{ECFF54AB-5C51-4E2E-AB14-07A643EFE276}.exe
C:\Users\Nathaniel\AppData\Local\Temp\ose00000.exe
C:\Users\Nathaniel\AppData\Local\Temp\Tsu270F0455.dll

End
*****************

C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfbafidfelnpaimgliecojkihbifbiep => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\omfhjnfpeieepfemapebehnpmbohniam => Moved successfully.
vToolbarUpdater18.1.0 => Service deleted successfully.
ag2fm1h8 => Service not found.
C:\Users\Nathaniel\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna2444661129880804997.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna2569033896926181093.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna3016603315306730205.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna3250271612492775854.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna3651557141970460593.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna6011081330158069965.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna6761562350081240957.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna7055833619744016572.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna7523973389735070536.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna8137199739732461381.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna8213377824872166701.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna8773121101690277446.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\jna9172784618078173238.dll => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\oi_{ECFF54AB-5C51-4E2E-AB14-07A643EFE276}.exe => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Temp\Tsu270F0455.dll => Moved successfully.

==== End of Fixlog ====

checkup:

 Results of screen317's Security Check version 0.99.82 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG AntiVirus Free Edition 2014  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 13.0.0.206 
 Adobe Reader XI 
 Mozilla Firefox (28.0)
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 AVG avgwdsvc.exe
 Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
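
Added example, not part of this thread and not FRST's own code: a Python script that reads a fixlist like the one posted above next to the Fixlog it produced and reports, for each requested item, whether the log says it was handled. The sample inputs are a constructed subset of the fixlist and Fixlog shown in this post; the `Tsu270F0455.dll` line is deliberately left out of the log sample so that a missing result is visible in the report. The line patterns cover only the directive kinds that appear in this fixlist (shortcut targets, Chrome extensions, service entries and plain file paths); the function names are my own.

```python
"""Reconcile an FRST fixlist with the Fixlog it produced: for every item the
fixlist asked for, report whether the log says it was handled.
Added example; not part of this thread and not FRST's own code."""
import re

# Constructed subset of the fixlist and Fixlog posted in the thread
# (Tsu270F0455.dll is deliberately left out of the log sample).
FIXLIST = r'''start
ShortcutTarget: NCdownloader.lnk -> C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe (SOLIBO Ltd.)
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (No Name) - C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj [2013-03-31]
S2 vToolbarUpdater18.1.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [X]
U3 ag2fm1h8; C:\Windows\System32\Drivers\ag2fm1h8.sys [0 ] (Microsoft Corporation)
C:\Users\Nathaniel\AppData\Local\Temp\AskSLib.dll
C:\Users\Nathaniel\AppData\Local\Temp\Tsu270F0455.dll
End
'''

FIXLOG = r'''C:\Program Files (x86)\Solibo Ltd\NCdownloader\NCdownloader.exe => Moved successfully.
C:\Users\Nathaniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfhglhhdiimlhdjbbfhmgjneniolflj => Moved successfully.
vToolbarUpdater18.1.0 => Service deleted successfully.
ag2fm1h8 => Service not found.
C:\Users\Nathaniel\AppData\Local\Temp\AskSLib.dll => Moved successfully.
'''

# Each pattern captures the name FRST uses when it reports the result.
LINE_KINDS = [
    ('shortcut target', re.compile(r'^ShortcutTarget: .*? -> (?P<item>.+?) \([^)]*\)$')),
    ('Chrome extension', re.compile(r'^CHR Extension: .*? - (?P<item>.+?) \[\d{4}-\d{2}-\d{2}\]$')),
    ('service/driver', re.compile(r'^[SRU]\d\s+(?P<item>[^;]+);')),   # "S2 name; path"
    ('file', re.compile(r'^(?P<item>[A-Za-z]:\\.+)$')),
]
RESULT_RE = re.compile(r'^(?P<item>.+?) => (?P<result>.+)$')


def parse_fixlist_line(line):
    """Return (kind, item) for a fixlist line, or None if it is not a
    directive this script understands (e.g. a copied warning line)."""
    for kind, pattern in LINE_KINDS:
        m = pattern.match(line)
        if m:
            return kind, m.group('item')
    return None


def parse_fixlog(text):
    """Map each reported item to its result text, e.g. 'Moved successfully.'"""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group('item')] = m.group('result')
    return results


def reconcile(fixlist_text, fixlog_text):
    """Return [(item, kind, status, result)] with status one of
    'ok', 'attention' (FRST reported something other than success),
    'no result in Fixlog', or 'unparsed'."""
    results = parse_fixlog(fixlog_text)
    report = []
    for raw in fixlist_text.splitlines():
        line = raw.strip()
        if not line or line.lower() in ('start', 'end'):
            continue
        parsed = parse_fixlist_line(line)
        if parsed is None:
            report.append((line, 'unknown', 'unparsed', None))
            continue
        kind, item = parsed
        result = results.get(item)
        if result is None:
            status = 'no result in Fixlog'
        elif 'successfully' in result:
            status = 'ok'
        else:
            status = 'attention'
        report.append((item, kind, status, result))
    return report


def needs_attention(report):
    """Items that should be re-checked before the machine is declared clean."""
    return [r for r in report if r[2] != 'ok']
```

On the sample, `needs_attention()` returns three entries: the copied "Error reading preferences" warning (not a directive, so FRST could not act on it), the `ag2fm1h8` driver that FRST reported as "Service not found", and the temp DLL that has no result line at all. Anything other than an explicit success is kept visible rather than silently passed.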
 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:55 AM

Posted 09 May 2014 - 07:57 AM

My AVG is still detecting a threat "HackTool.AHDG". Object name: "c:\program files\KMSpico\S062Q16ZWIV".

Did you install this KMSpico software?

Let's find out more.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    :regfind
    KMSpico
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


#7 namod65

namod65
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 09 May 2014 - 07:50 PM

No, I don't remember installing it or what it is for. Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:48 on 09/05/2014 by Nathaniel
Administrator - Elevation successful

========== regfind ==========

Searching for "KMSpico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
@="{0.0.0.00000000}.{8f9270c0-9825-436e-8139-a50009da2d93}|\Device\HarddiskVolume2\Program Files\KMSpico\7J2X6T.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"Inno Setup: App Path"="C:\Program Files\KMSpico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"InstallLocation"="C:\Program Files\KMSpico\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"Inno Setup: Icon Group"="KMSpico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"DisplayName"="KMSpico 3.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"DisplayIcon"="C:\Program Files\KMSpico\RandomFile.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"UninstallString"=""C:\Program Files\KMSpico\unins000.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"QuietUninstallString"=""C:\Program Files\KMSpico\unins000.exe" /SILENT"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
@="{0.0.0.00000000}.{8f9270c0-9825-436e-8139-a50009da2d93}|\Device\HarddiskVolume2\Program Files\KMSpico\7J2X6T.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"

-= EOF =-



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:55 AM

Posted 10 May 2014 - 08:43 AM

Before we go any further try to remove KMSpico 3.1 (HKLM\...\KMSpico v3.1_is1) (Version: 3.1 - ) using the add/remove programs.

http://windows.microsoft.com/en-ca/windows/uninstall-change-program#uninstall-change-program=windows-7
===

Run the SystemLook.exe tool again as suggested in post no. 6 and post a fresh log.

Let me know if the problem persists.

#9 namod65

namod65
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 10 May 2014 - 08:49 PM

Ok well I removed it. When I restarted, my AVG is no longer popping up with a threat detection. It appears to be gone. Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:46 on 10/05/2014 by Nathaniel
Administrator - Elevation successful

========== regfind ==========

Searching for "KMSpico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
@="{0.0.0.00000000}.{8f9270c0-9825-436e-8139-a50009da2d93}|\Device\HarddiskVolume2\Program Files\KMSpico\7J2X6T.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
@="{0.0.0.00000000}.{8f9270c0-9825-436e-8139-a50009da2d93}|\Device\HarddiskVolume2\Program Files\KMSpico\7J2X6T.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"

-= EOF =-



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:55 AM

Posted 11 May 2014 - 08:40 AM

; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
@=-
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"=-
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{46D64840-E2C6-486C-8B8D-8F86E903C58B}"=-
[-HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
[-HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
[-HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
[-HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
[-HKEY_USERS\S-1-5-21-2955413446-3879675591-2903648236-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

On a Vista or Windows 7 operating system, right click the Fix.reg and run as Administrator.

Restart the computer normally to reset the registry.

Delete the Fix.reg file when done.

How is it now?
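
Added example, not part of this thread and not SystemLook's or the helper's own code: a Python script that turns a SystemLook ":regfind" log like the ones posted above into a cleanup .reg script of the kind written by hand in the post above. The sample log is a constructed subset of the SystemLook output posted in the thread; the function names are my own. By default the script emits one `"name"=-` line per matching value rather than deleting whole keys, so shared keys such as MuiCache keep their other entries, and keys that matched only by name (the Uninstall entry, for instance) are listed as `;` comments for review unless `delete_matching_keys=True` is passed.

```python
"""Build a cleanup .reg script from a SystemLook ':regfind' log.
Added example; not part of this thread and not SystemLook's own code."""
import re

# Constructed sample in SystemLook's regfind format (a subset of the entries
# posted in the thread, file names and rule GUIDs as they appear there).
SAMPLE_LOG = r'''SystemLook 30.07.11 by jpshortstuff
Searching for "KMSpico"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\FKC40B.exe"="KMS GUI ELDI"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files\KMSpico\4N3ZC1.exe"="KMS GUI ELDI"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7d7b1089_0]
@="{0.0.0.00000000}.{8f9270c0-9825-436e-8139-a50009da2d93}|\Device\HarddiskVolume2\Program Files\KMSpico\7J2X6T.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2CCB1B95-31F0-4D70-AA08-22803FC45C8F}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\KMSpico\KIJGTXMEQLL.exe|Name=CODYQX4 Emulator|"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico v3.1_is1]
"DisplayName"="KMSpico 3.1"

-= EOF =-
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')                  # [HKEY_...\path]
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')   # "name"=data or @=data


def parse_regfind(log_text):
    """Return [(key, value_name_or_None)] in log order. SystemLook prints the
    key header before every matching value; a header followed by another
    header or a non-value line is a key whose *name* matched (value None)."""
    hits, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            if pending is not None:
                hits.append((pending, None))
            pending = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if vm and pending is not None:
            hits.append((pending, vm.group('name')))
            pending = None
        elif pending is not None:          # banner, blank or EOF line
            hits.append((pending, None))
            pending = None
    if pending is not None:
        hits.append((pending, None))
    return hits


def reg_escape_name(name):
    """Quote a value name the way regedit exports it: '\\' and '"' escaped.
    SystemLook prints names unescaped, so this has to be redone on output."""
    if name == '@':
        return '@'
    inner = name[1:-1]                     # strip the log's surrounding quotes
    return '"' + inner.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_reg_script(log_text, delete_matching_keys=False):
    """Emit a Version 5.00 .reg script that deletes every value hit. Key-name
    hits are listed as ';' comments for review unless delete_matching_keys
    is set, in which case '[-KEY]' removes the whole key."""
    value_hits, key_hits, seen = [], [], set()
    for hit in parse_regfind(log_text):
        if hit in seen:                     # the log can repeat an entry
            continue
        seen.add(hit)
        (key_hits if hit[1] is None else value_hits).append(hit)
    doomed_keys = {k for k, _ in key_hits} if delete_matching_keys else set()
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, name in value_hits:
        if key in doomed_keys:              # whole key goes anyway
            continue
        lines.append(f'[{key}]')
        lines.append(f'{reg_escape_name(name)}=-')   # "=-" deletes one value
    for key, _ in key_hits:
        if delete_matching_keys:
            lines.append(f'[-{key}]')       # leading "-" deletes the key
        else:
            lines.append(f'; review: key name matched, left in place: [{key}]')
    lines.append('')
    return '\r\n'.join(lines)


def write_reg(path, script_text):
    """regedit expects a Version 5.00 file as UTF-16 with BOM and CRLF ends."""
    with open(path, 'w', encoding='utf-16', newline='') as fh:
        fh.write(script_text)
```

`build_reg_script(SAMPLE_LOG)` produces the `[KEY]` / `"name"=-` pairs for the five value hits and one review comment for the Uninstall key; `write_reg()` saves the result in the encoding and line endings regedit expects, which is the step that goes wrong most often when a .reg file is assembled by hand in an editor.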

#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:55 AM

Posted 18 May 2014 - 08:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



