
Can't remove proxy server 127.0.0.1:5050 - popups, etc


This topic is locked. 11 replies to this topic.

#1 btqf1973 (Members, 4 posts)

Posted 21 September 2014 - 12:38 PM

Hi - I've already run combofix, TDSSkiller, and all the rest - they identified zero access but failed to remove it completely.

 

Here are the FRST logs

 

Thanks in advance for any help

Attached Files


#2 olgun52 (Malware Response Team, 3,790 posts)

Posted 21 September 2014 - 12:47 PM

Hello btqf1973 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

 

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
 

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

 

  • Please open the computer as administrator. How to open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here

Thanks

---------------------------------------------------------------------------------------------------------

 

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

 


 

Sincerely


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52 (Malware Response Team, 3,790 posts)

Posted 21 September 2014 - 02:06 PM

Hi btqf1973,

 

Please send the C:\ComboFix.txt log file.

 

-----------------------------------------------------------

 

Please uninstall the following applications via Start -> (or Computer) -> Control Panel -> (Programs) -> Programs and Features, if they still exist:

 

Conduit

Google Update Helper
C:\Program Files (x86)\FestiveBar_3g

----------------------------------------------------------------

 

Step 1:

 

I would suggest you go through the following steps and check.

 

IE proxy reset:
a ) Under "Tools" in the browser tool bar select "Internet Options".
b ) In the "Internet Options" Window that pops up, click the "Connections" tab at the top.
c ) Click "LAN Settings" near the bottom of the "Connections" section.
d ) If the "Proxy server" checkbox is marked with a check, click it to deselect/uncheck it.
e ) Click "Ok" to close the "Local Area Network (LAN) Settings" window.
f ) Click "Ok" to close the "Internet Options" Window.
 
Now check if you are able to connect to Internet Explorer.

 

Firefox proxy reset:

How to reset the proxy in Firefox

To check your Firefox proxy settings:

  1. Click the menu button and choose Options

  2. Select the Advanced panel.
  3. Select the Network tab.
  4. In the Connection section, click Settings....
  5. Change your proxy settings:
    • If you don't connect to the Internet through a proxy (or don't know whether you connect through a proxy), select No Proxy.
  6. Click OK to close the Connection Settings window.
  7. Click OK to close the Options window.

Chrome proxy reset:

  1. Click "Customize and Control Google Chrome" menu.
  2. Click "Options" button.
  3. Under "Google Chrome Options" window select the "Under the Hood" tab.
  4. In the 'Network' section, click the "Change proxy settings" button.
  5. Under "Internet Properties" window click "Lan settings" button.
  6. Under "Local Area Network (LAN) Settings" window click on "Proxy server for your LAN".
  7. If you don't connect to the Internet through a proxy (or don't know whether you connect through a proxy), select No Proxy. (unticked)
  8. Click OK and Apply to save the settings.

----------------------

 

Reset browsers

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome
Chrome - Reset browser settings

 

 

Step 2:

 

Run FRST fixlist

 

Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

start
ProxyServer: 127.0.0.1:5050
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {38bc6857-67fa-4358-afae-28e0f9ad2128} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YXxdm002YYus&ptb=1E49B7E1-549F-4CD6-97BF-C397AB0C83A0&ind=2012020716&ptnrS=YXxdm002YYus&si=CIrdsYDtjK4CFVCR7QodBi41eQ&n=77ecffec&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 - {4fa67103-5daf-45a1-9ddb-236d1ff7a590} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=LKxdm003YYus&ptnrS=LKxdm003YYus&si=CNmPmfSt4rACFaVdTAodYXJw0g&ptb=971BAC81-25B1-4AA4-AC92-047D0D3CD66F&ind=2012062213&n=77eda205&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKCU - {2BBE7BBF-5808-412A-A359-72B3DD7FEC5C} URL = http://websearch.shopathome.com?user_id={AE4BBEEB-1D6D-407B-8892-112E57F16438}&q={searchTerms}
SearchScopes: HKCU - {38bc6857-67fa-4358-afae-28e0f9ad2128} URL = 
SearchScopes: HKCU - {4fa67103-5daf-45a1-9ddb-236d1ff7a590} URL = 
SearchScopes: HKCU - {749ADE67-9AB8-4D41-9B6B-78AF59DFD501} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3282137&CUI=UN39968819211435019
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @FestiveBar_3g.com/Plugin -> C:\Program Files (x86)\FestiveBar_3g\bar\1.bin\NP3gStub.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Starla\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2014-01-12]
CHR HKCU\...\Chrome\Extension: [ggamifejnddpoocdmadhjdbgaijnphdi] - C:\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx [2013-08-22]
CHR HKCU\...\Chrome\Extension: [phfmiknmhngmmlcppkpmbnopohlnfpbh] - C:\Users\Starla\AppData\Local\CRE\phfmiknmhngmmlcppkpmbnopohlnfpbh.crx [2013-08-22]
CHR HKLM-x32\...\Chrome\Extension: [ggamifejnddpoocdmadhjdbgaijnphdi] - C:\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx [2013-08-22]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
CHR HKLM-x32\...\Chrome\Extension: [phfmiknmhngmmlcppkpmbnopohlnfpbh] - C:\Users\Starla\AppData\Local\CRE\phfmiknmhngmmlcppkpmbnopohlnfpbh.crx [2014-07-14]
S2 HitmanPro37CrusaderBoot; "G:\HitmanPro_x64.exe" /crusader:boot [X]
C:\Users\Starla\AppData\Local\Temp\{0363BAAA-05C3-4B83-ACC4-8D4B03F2E7F0}.exe
CustomCLSID: HKU\S-1-5-21-2013044014-1361014474-2390419853-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Starla\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
Task: {11D65AE0-811D-4CD6-B085-BC66B55AF39D} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {14EC0AD3-0BB0-4477-907C-768B1EDDB38E} - \task159087900 No Task File <==== ATTENTION
Task: {57CF0FA7-F6A8-4C03-99DE-D630EDE67169} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-14] (Google Inc.)
Task: {5C9C995C-B45F-4C2B-9D04-3C5072AF0348} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-14] (Google Inc.)
Shortcut: C:\Users\Starla\Desktop\Seagate Expansion Drive (G) - Shortcut.lnk -> G:\ (No File)
Shortcut: C:\Users\Starla\Pictures\Overlays\Snow Overlay\KMLC Terms of Use.lnk -> C:\Users\Starla\Pictures\kmlcreatives paper\Cherished\READ ME TEXT-TERMS of USE.txt (No File)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForStarla.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
Emptytemp:
Hosts:
End

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST, and press the Fix button, just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

-----------------------------------------------------------------------------------

 

Note: If snap.do is not deleted, please try again in safe mode.

 

Step 3:

 

Please be sure to run our tools with administrator rights.

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Sincerely


Best regards
 

 


 

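An added check for the proxy reset steps and the "ProxyServer:" fix line above; this is example code, not from the thread, from FRST or from the forum helper. It reads every place a WinINET proxy can be set (current user, machine, 32-bit view, every loaded user hive), Firefox's own prefs.js, and the separate WinHTTP proxy, and flags the 127.0.0.1:5050 value from this thread or any enabled proxy pointing at the local machine. Assumes Windows PowerShell 5.1 or later in an elevated session; the function names are mine, and nothing is changed unless -Remove is given.

```powershell
# Added example (not from the original posts or from FRST): audit the locations
# where a rogue loopback proxy such as 127.0.0.1:5050 can be configured.
# Assumption: Windows PowerShell 5.1+, elevated so other users' hives are readable.
param(
    [string]$Suspect = '127.0.0.1:5050',   # value reported in this thread
    [switch]$Remove                        # only delete when explicitly asked
)

$IS = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    # WinINET (Internet Options) proxy values for HKCU, HKLM, the 32-bit view,
    # and every loaded hive under HKEY_USERS (another account may carry the proxy).
    $paths = @("HKCU:\$IS", "HKLM:\$IS",
               "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings")
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $paths += "Registry::HKEY_USERS\$($_.PSChildName)\$IS" }

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $v = Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path          = $p
            ProxyEnable   = $v.ProxyEnable
            ProxyServer   = $v.ProxyServer
            AutoConfigURL = $v.AutoConfigURL   # a PAC script is a second way to force a proxy
        }
    }
}

function Get-FirefoxProxy {
    # Firefox stores its own proxy settings in prefs.js, so an Internet Options
    # reset alone does not clear them.
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
        Select-String -Pattern 'network\.proxy\.(type|http|http_port|ssl|ssl_port|socks|socks_port|autoconfig_url)' |
        ForEach-Object { [pscustomobject]@{ File = $_.Path; Pref = $_.Line.Trim() } }
}

function Test-SuspectProxy {
    param($Entry)
    # Flag the exact value from the thread, and more generally any enabled proxy
    # that points back at the local machine; a legitimate corporate proxy does not.
    $server = [string]$Entry.ProxyServer
    if ($server -eq '') { return $false }
    if ($server -like "*$Suspect*") { return $true }
    return ($Entry.ProxyEnable -eq 1 -and ($server -match '(^|=)(127\.0\.0\.1|localhost)(:|$)'))
}

foreach ($f in Get-WinInetProxy) {
    $flag = if (Test-SuspectProxy $f) { 'SUSPECT' } else { 'ok' }
    "{0,-8} {1}`n         ProxyEnable={2} ProxyServer='{3}' AutoConfigURL='{4}'" -f `
        $flag, $f.Path, $f.ProxyEnable, $f.ProxyServer, $f.AutoConfigURL
    if ($Remove -and $flag -eq 'SUSPECT') {
        # Same effect as the "ProxyServer:" line in the FRST fixlist: drop the value, switch proxy off.
        Remove-ItemProperty -LiteralPath $f.Path -Name ProxyServer -ErrorAction SilentlyContinue
        Set-ItemProperty -LiteralPath $f.Path -Name ProxyEnable -Value 0 -Type DWord
        "         removed"
    }
}

"`nFirefox prefs.js proxy prefs (nothing listed = Firefox follows the system settings):"
Get-FirefoxProxy | ForEach-Object { "  $($_.File): $($_.Pref)" }

"`nWinHTTP proxy (used by services, independent of Internet Options):"
netsh winhttp show proxy
```

Run it again a few minutes after a fix and after a reboot: if the SUSPECT entry returns, something still running re-creates it, and the scheduled task entries marked ATTENTION in the FRST log are the first place to look.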

#4 btqf1973 (Topic Starter, Members, 4 posts)

Posted 22 September 2014 - 06:05 AM

The proxy server entry is still showing up - here are the log files

 

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-09-2014 01
Ran by Starla at 2014-09-22 05:33:55 Run:1
Running from C:\Users\Starla\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
ProxyServer: 127.0.0.1:5050
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKCU - {2BBE7BBF-5808-412A-A359-72B3DD7FEC5C} URL = http://websearch.shopathome.com?user_id={AE4BBEEB-1D6D-407B-8892-112E57F16438}&q={searchTerms}
SearchScopes: HKCU - {38bc6857-67fa-4358-afae-28e0f9ad2128} URL = 
SearchScopes: HKCU - {4fa67103-5daf-45a1-9ddb-236d1ff7a590} URL = 
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @FestiveBar_3g.com/Plugin -> C:\Program Files (x86)\FestiveBar_3g\bar\1.bin\NP3gStub.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Starla\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2014-01-12]
CHR HKCU\...\Chrome\Extension: [ggamifejnddpoocdmadhjdbgaijnphdi] - C:\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx [2013-08-22]
CHR HKCU\...\Chrome\Extension: [phfmiknmhngmmlcppkpmbnopohlnfpbh] - C:\Users\Starla\AppData\Local\CRE\phfmiknmhngmmlcppkpmbnopohlnfpbh.crx [2013-08-22]
CHR HKLM-x32\...\Chrome\Extension: [ggamifejnddpoocdmadhjdbgaijnphdi] - C:\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx [2013-08-22]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
CHR HKLM-x32\...\Chrome\Extension: [phfmiknmhngmmlcppkpmbnopohlnfpbh] - C:\Users\Starla\AppData\Local\CRE\phfmiknmhngmmlcppkpmbnopohlnfpbh.crx [2014-07-14]
S2 HitmanPro37CrusaderBoot; "G:\HitmanPro_x64.exe" /crusader:boot [X]
C:\Users\Starla\AppData\Local\Temp\{0363BAAA-05C3-4B83-ACC4-8D4B03F2E7F0}.exe
CustomCLSID: HKU\S-1-5-21-2013044014-1361014474-2390419853-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Starla\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
Task: {11D65AE0-811D-4CD6-B085-BC66B55AF39D} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {14EC0AD3-0BB0-4477-907C-768B1EDDB38E} - \task159087900 No Task File <==== ATTENTION
Task: {57CF0FA7-F6A8-4C03-99DE-D630EDE67169} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-14] (Google Inc.)
Task: {5C9C995C-B45F-4C2B-9D04-3C5072AF0348} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-14] (Google Inc.)
Shortcut: C:\Users\Starla\Desktop\Seagate Expansion Drive (G) - Shortcut.lnk -> G:\ (No File)
Shortcut: C:\Users\Starla\Pictures\Overlays\Snow Overlay\KMLC Terms of Use.lnk -> C:\Users\Starla\Pictures\kmlcreatives paper\Cherished\READ ME TEXT-TERMS of USE.txt (No File)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForStarla.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4
CMD: netsh advfirewall reset /c
CMD: netsh advfirewall set allprofiles state ON /c
CMD: ipconfig /flushdns /c
CMD: netsh winsock reset catalog /c
CMD: netsh int ip reset c:\resetlog.txt  /c
CMD: ipconfig /release /c
CMD: ipconfig /renew /c
Emptytemp:
Hosts:
*****************
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
"HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{38bc6857-67fa-4358-afae-28e0f9ad2128}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{38bc6857-67fa-4358-afae-28e0f9ad2128}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{4fa67103-5daf-45a1-9ddb-236d1ff7a590}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{4fa67103-5daf-45a1-9ddb-236d1ff7a590}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2BBE7BBF-5808-412A-A359-72B3DD7FEC5C}" => Key deleted successfully.
"HKCR\CLSID\{2BBE7BBF-5808-412A-A359-72B3DD7FEC5C}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{38bc6857-67fa-4358-afae-28e0f9ad2128}" => Key deleted successfully.
"HKCR\CLSID\{38bc6857-67fa-4358-afae-28e0f9ad2128}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4fa67103-5daf-45a1-9ddb-236d1ff7a590}" => Key deleted successfully.
"HKCR\CLSID\{4fa67103-5daf-45a1-9ddb-236d1ff7a590}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{749ADE67-9AB8-4D41-9B6B-78AF59DFD501}" => Key deleted successfully.
"HKCR\CLSID\{749ADE67-9AB8-4D41-9B6B-78AF59DFD501}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
"HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@FestiveBar_3g.com/Plugin" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKCU\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf" => Key deleted successfully.
C:\Users\Starla\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx => Moved successfully.
"HKCU\SOFTWARE\Google\Chrome\Extensions\ggamifejnddpoocdmadhjdbgaijnphdi" => Key deleted successfully.
C:\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx => Moved successfully.
"HKCU\SOFTWARE\Google\Chrome\Extensions\phfmiknmhngmmlcppkpmbnopohlnfpbh" => Key deleted successfully.
"C:\Users\Starla\AppData\Local\CRE\phfmiknmhngmmlcppkpmbnopohlnfpbh.crx" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ggamifejnddpoocdmadhjdbgaijnphdi" => Key deleted successfully.
"C:\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl" => Key deleted successfully.
C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\phfmiknmhngmmlcppkpmbnopohlnfpbh" => Key deleted successfully.
"C:\Users\Starla\AppData\Local\CRE\phfmiknmhngmmlcppkpmbnopohlnfpbh.crx" => File/Directory not found.
HitmanPro37CrusaderBoot => Service deleted successfully.
C:\Users\Starla\AppData\Local\Temp\{0363BAAA-05C3-4B83-ACC4-8D4B03F2E7F0}.exe => Moved successfully.
"HKU\S-1-5-21-2013044014-1361014474-2390419853-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{11D65AE0-811D-4CD6-B085-BC66B55AF39D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{11D65AE0-811D-4CD6-B085-BC66B55AF39D}" => Key deleted successfully.
C:\Windows\System32\Tasks\0 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{14EC0AD3-0BB0-4477-907C-768B1EDDB38E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{14EC0AD3-0BB0-4477-907C-768B1EDDB38E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\task159087900" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{57CF0FA7-F6A8-4C03-99DE-D630EDE67169}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57CF0FA7-F6A8-4C03-99DE-D630EDE67169}" => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5C9C995C-B45F-4C2B-9D04-3C5072AF0348}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C9C995C-B45F-4C2B-9D04-3C5072AF0348}" => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => Key deleted successfully.
Shortcut: C:\Users\Starla\Desktop\Seagate Expansion Drive (G) - Shortcut.lnk -> G:\ (No File) => Error: No automatic fix found for this entry.
Shortcut: C:\Users\Starla\Pictures\Overlays\Snow Overlay\KMLC Terms of Use.lnk -> C:\Users\Starla\Pictures\kmlcreatives paper\Cherished\READ ME TEXT-TERMS of USE.txt (No File) => Error: No automatic fix found for this entry.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
C:\Windows\Tasks\HPCeeScheduleForStarla.job => Moved successfully.
C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.
C:\ProgramData\Nalpeiron => ":user.ns1" ADS removed successfully.
C:\ProgramData\Nalpeiron => ":user.ns2" ADS removed successfully.
C:\ProgramData\Nalpeiron => ":user.ns3" ADS removed successfully.
C:\ProgramData\Nalpeiron => ":user.ns4" ADS removed successfully.
 
=========  netsh advfirewall reset /c =========
 
 
The number of arguments  provided is not valid. Check help for the correct syntax.
 
Usage:  reset [export <path\filename>]
 
Remarks:
 
      - Restores the Windows Firewall with Advanced Security policy to the
        default policy.  The current active policy can be optionally exported
        to a specified file.
      - In a Group Policy object, this command returns all settings to
        notconfigured and deletes all connection security and firewall
        rules.
 
Examples:
 
      Backup the current policy and restore out-of-box policy:
      netsh advfirewall reset export "c:\backuppolicy.wfw"
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state ON /c =========
 
 
The number of arguments  provided is not valid. Check help for the correct syntax.
 
Usage:  set allprofiles (parameter) (value)
 
Parameters:
 
      state             - Configure the firewall state.
              Usage: state on|off|notconfigured
 
      firewallpolicy    - Configures default inbound and outbound behavior.
      Usage: firewallpolicy (inbound behavior),(outbound behavior)
         Inbound behavior:
            blockinbound        - Block inbound connections that do not
                                  match an inbound rule.
            blockinboundalways  - Block all inbound connections even if
                                  the connection matches a rule.
            allowinbound        - Allow inbound connections that do
                                  not match a rule.
            notconfigured       - Return the value to its unconfigured state.
         Outbound behavior:
            allowoutbound       - Allow outbound connections that do not
                                  match a rule.
            blockoutbound       - Block outbound connections that do not
                                  match a rule.
            notconfigured       - Return the value to its unconfigured state.
 
      settings          - Configures firewall settings.
      Usage: settings (parameter) enable|disable|notconfigured
      Parameters:
         localfirewallrules         - Merge local firewall rules with Group
                                      Policy rules. Valid when configuring
                                      a Group Policy store.
         localconsecrules           - Merge local connection security rules
                                      with Group Policy rules. Valid when
                                      configuring a Group Policy store.
         inboundusernotification    - Notify user when a program listens
                                      for inbound connections.
         remotemanagement           - Allow remote management of Windows
                                      Firewall.
         unicastresponsetomulticast - Control stateful unicast response to
                                      multicast.
 
      logging           - Configures logging settings.
      Usage: logging (parameter) (value)
      Parameters:
         allowedconnections  - Log allowed connections.
                               Values: enable|disable|notconfigured
         droppedconnections  - Log dropped connections.
                               Values: enable|disable|notconfigured
         filename            - Name and location of the firewall log.
                               Values: <string>|notconfigured
         maxfilesize         - Maximum log file size in kilobytes.
                               Values: 1 - 32767|notconfigured
 
Remarks:
 
      - Configures profile settings for all profiles.
      - The "notconfigured" value is valid only for a Group Policy store.
 
Examples:
 
      Turn the firewall off for all profiles:
      netsh advfirewall set allprofiles state off
 
      Set the default behavior to block inbound and allow outbound
      connections on all profiles:
      netsh advfirewall set allprofiles firewallpolicy
      blockinbound,allowoutbound
 
      Turn on remote management on all profiles:
      netsh advfirewall set allprofiles settings remotemanagement enable
 
      Log dropped connections on all profiles:
      netsh advfirewall set allprofiles logging droppedconnections enable
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns /c =========
 
 
Error: unrecognized or incomplete command line.
 
USAGE:
    ipconfig [/allcompartments] [/? | /all | 
                                 /renew [adapter] | /release [adapter] |
                                 /renew6 [adapter] | /release6 [adapter] |
                                 /flushdns | /displaydns | /registerdns |
                                 /showclassid adapter |
                                 /setclassid adapter [classid] |
                                 /showclassid6 adapter |
                                 /setclassid6 adapter [classid] ]
 
where
    adapter             Connection name 
                       (wildcard characters * and ? allowed, see examples)
 
    Options:
       /?               Display this help message
       /all             Display full configuration information.
       /release         Release the IPv4 address for the specified adapter.
       /release6        Release the IPv6 address for the specified adapter.
       /renew           Renew the IPv4 address for the specified adapter.
       /renew6          Renew the IPv6 address for the specified adapter.
       /flushdns        Purges the DNS Resolver cache.
       /registerdns     Refreshes all DHCP leases and re-registers DNS names
       /displaydns      Display the contents of the DNS Resolver Cache.
       /showclassid     Displays all the dhcp class IDs allowed for adapter.
       /setclassid      Modifies the dhcp class id.  
       /showclassid6    Displays all the IPv6 DHCP class IDs allowed for adapter.
       /setclassid6     Modifies the IPv6 DHCP class id.
 
 
The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.
 
For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.
 
For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.
 
Examples:
    > ipconfig                       ... Show information
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew any connection that has its 
                                         name starting with EL
    > ipconfig /release *Con*        ... release all matching connections,
                                         eg. "Local Area Connection 1" or
                                             "Local Area Connection 2"
    > ipconfig /allcompartments      ... Show information about all 
                                         compartments
    > ipconfig /allcompartments /all ... Show detailed information about all
                                         compartments
 
========= End of CMD: =========
 
 
=========  netsh winsock reset catalog /c =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ip reset c:\resetlog.txt  /c =========
 
Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /release /c =========
 
 
Windows IP Configuration
 
The operation failed as no adapter is in the state permissible for 
this operation.
 
========= End of CMD: =========
 
 
=========  ipconfig /renew /c =========
 
 
Windows IP Configuration
 
The operation failed as no adapter is in the state permissible for 
this operation.
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 306.3 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
 
Combofix.txt
ComboFix 14-09-22.01 - Starla 09/22/2014   5:47.7.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12087.9261 [GMT -5:00]
Running from: c:\users\Starla\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-22 to 2014-09-22  )))))))))))))))))))))))))))))))
.
.
2014-09-22 10:59 . 2014-09-22 10:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-09-22 10:59 . 2014-09-22 10:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-21 17:27 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D5694C1A-E4E4-4C90-932B-98FEFFCFE588}\mpengine.dll
2014-09-21 17:02 . 2014-09-22 10:35 -------- d-----w- C:\FRST
2014-09-18 22:24 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-09-16 22:26 . 2014-09-16 22:25 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{54878E20-2EB3-4E5C-B598-25962FAAE726}\gapaengine.dll
2014-09-13 23:42 . 2014-09-15 13:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-13 21:45 . 2014-09-13 21:48 -------- d-----w- C:\AdwCleaner
2014-09-13 21:07 . 2014-09-21 16:43 36456 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-13 21:07 . 2014-09-13 21:07 -------- d-----w- c:\programdata\RogueKiller
2014-09-12 09:43 . 2014-09-12 09:43 227728 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2014-09-11 08:01 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-09-11 08:01 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2014-09-10 20:26 . 2014-07-07 02:06 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-09-10 20:26 . 2014-07-07 01:40 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-09-10 20:26 . 2014-07-07 02:06 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-09-10 20:26 . 2014-07-07 01:40 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-09-10 20:26 . 2014-07-07 01:39 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-09-10 20:22 . 2014-08-01 11:53 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-09-10 20:22 . 2014-08-01 11:35 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-09-10 20:16 . 2014-06-24 03:29 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2014-09-10 20:16 . 2014-06-24 02:59 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2014-09-10 20:16 . 2014-09-05 02:10 578048 ----a-w- c:\windows\system32\aepdu.dll
2014-09-10 20:16 . 2014-09-05 02:05 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-09-06 22:59 . 2014-09-06 23:00 -------- d-----w- c:\program files (x86)\Common Files\Cache utility
2014-09-06 22:59 . 2014-09-06 22:59 -------- d-----w- c:\program files (x86)\Common Files\Display settings
2014-09-06 22:59 . 2014-09-06 22:59 -------- d-----w- c:\program files (x86)\Common Files\Hoist Search
2014-09-06 22:59 . 2014-09-06 22:59 -------- d-----w- c:\program files (x86)\Common Files\DealAlly
2014-09-06 21:59 . 2014-09-06 21:59 -------- d-----w- c:\users\Starla\AppData\Local\TNT2
2014-09-06 21:58 . 2014-09-06 21:58 -------- d-----w- c:\program files (x86)\Common Files\Diagnostics
2014-09-04 12:40 . 2014-09-04 12:40 -------- d-----w- C:\SUPERDelete
2014-08-31 11:57 . 2014-09-21 20:36 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-08-28 14:49 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
2014-08-28 14:49 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-28 14:49 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-28 14:23 . 2014-08-28 14:23 -------- d-----w- c:\program files (x86)\Common Files\Skype
2014-08-27 23:38 . 2014-08-27 23:38 -------- d-----w- c:\users\Starla\AppData\Local\XtenNetworksInc
2014-08-27 20:48 . 2014-09-07 18:04 -------- d-----r- c:\users\Starla\Dropbox
2014-08-27 20:44 . 2014-09-07 18:25 -------- d-----w- c:\users\Starla\AppData\Roaming\Dropbox
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-13 23:42 . 2014-07-26 13:40 128728 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-13 23:42 . 2014-07-26 13:39 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-11 08:01 . 2011-10-01 16:59 101694776 ----a-w- c:\windows\system32\MRT.exe
2014-09-10 13:29 . 2012-03-30 20:53 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-10 13:29 . 2012-01-03 19:18 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-08-31 15:41 . 2010-06-24 18:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-20 21:02 . 2011-10-03 14:16 1169712 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-07-25 07:35 . 2014-07-25 07:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 04:47 . 2014-07-25 04:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-17 23:05 . 2014-07-17 23:05 269008 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2014-07-17 23:05 . 2011-04-27 20:25 125584 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-07-16 03:23 . 2014-08-15 05:27 2048 ----a-w- c:\windows\system32\tzres.dll
2014-07-16 02:46 . 2014-08-15 05:27 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-07-14 02:02 . 2014-08-15 05:30 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
2014-07-14 01:40 . 2014-08-15 05:30 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-07-09 02:03 . 2014-08-15 05:32 7168 ----a-w- c:\windows\system32\KBDYAK.DLL
2014-07-09 02:03 . 2014-08-15 05:32 7168 ----a-w- c:\windows\system32\KBDTAT.DLL
2014-07-09 02:03 . 2014-08-15 05:32 7168 ----a-w- c:\windows\system32\KBDRU1.DLL
2014-07-09 02:03 . 2014-08-15 05:32 6656 ----a-w- c:\windows\system32\KBDRU.DLL
2014-07-09 02:03 . 2014-08-15 05:32 7168 ----a-w- c:\windows\system32\KBDBASH.DLL
2014-07-09 01:31 . 2014-08-15 05:32 7168 ----a-w- c:\windows\SysWow64\KBDYAK.DLL
2014-07-09 01:31 . 2014-08-15 05:32 6656 ----a-w- c:\windows\SysWow64\KBDBASH.DLL
2014-06-30 22:24 . 2014-08-15 08:01 8856 ----a-w- c:\windows\system32\icardres.dll
2014-06-30 22:14 . 2014-08-15 08:01 8856 ----a-w- c:\windows\SysWow64\icardres.dll
2014-06-25 02:05 . 2014-08-15 05:20 14175744 ----a-w- c:\windows\system32\shell32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP KEYBOARDx"="c:\program files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [2010-02-11 710656]
"DT HPO"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-12-01 121456]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2011-10-30 571392]
"Adobe Creative Cloud"="c:\program files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2014-07-22 2694040]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ColorMunki Display Tray.lnk - c:\program files (x86)\X-Rite\ColorMunki Display\ColorMunkiDisplayTray.exe [2013-6-9 2223616]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2010-11-18 1040952]
XRGamma.lnk - c:\program files (x86)\X-Rite\ColorMunki Display\XRGamma.exe [2013-6-9 802816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]
S2 CalendarSynchService;CalendarSynchService;c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe;c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [x]
S2 Diagnostics;Diagnostics;c:\program files (x86)\Common Files\Diagnostics\node\service.exe;c:\program files (x86)\Common Files\Diagnostics\node\service.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe;c:\windows\SysWOW64\nlssrv32.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
S2 Proxy;Proxy;c:\program files (x86)\Common Files\Diagnostics\node\service.exe;c:\program files (x86)\Common Files\Diagnostics\node\service.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\DDCDrv.sys;c:\windows\SYSNATIVE\drivers\DDCDrv.sys [x]
S2 WTabletServicePro;Wacom Professional Service;c:\program files\Tablet\Wacom\WTabletServicePro.exe;c:\program files\Tablet\Wacom\WTabletServicePro.exe [x]
S2 xrdd.exe;X-Rite Device Services Manager;c:\program files (x86)\X-Rite\Devices\Services\xrdd.exe;c:\program files (x86)\X-Rite\Devices\Services\xrdd.exe [x]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 hidkmdf;KMDF Driver;c:\windows\system32\DRIVERS\hidkmdf.sys;c:\windows\SYSNATIVE\DRIVERS\hidkmdf.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 WacHidRouter;Wacom Hid Router;c:\windows\system32\DRIVERS\wachidrouter.sys;c:\windows\SYSNATIVE\DRIVERS\wachidrouter.sys [x]
S3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\DRIVERS\wacomrouterfilter.sys;c:\windows\SYSNATIVE\DRIVERS\wacomrouterfilter.sys [x]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-10 23:38 1096520 ----a-w- c:\program files (x86)\Google\Chrome\Application\37.0.2062.120\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2013044014-1361014474-2390419853-1001Core.job
- c:\users\Starla\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-10-11 05:08]
.
2014-09-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2013044014-1361014474-2390419853-1001UA.job
- c:\users\Starla\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-10-11 05:08]
.
2014-09-04 c:\windows\Tasks\HPCeeScheduleForSTARLA-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco1]
@="{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}"
[HKEY_CLASSES_ROOT\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}]
2014-07-16 16:06 672416 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco2]
@="{853B7E05-C47D-4985-909A-D0DC5C6D7303}"
[HKEY_CLASSES_ROOT\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}]
2014-07-16 16:06 672416 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco3]
@="{42D38F2E-98E9-4382-B546-E24E4D6D04BB}"
[HKEY_CLASSES_ROOT\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}]
2014-07-16 16:06 672416 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-08-08 15:34 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-08-08 15:34 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-08-08 15:34 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-08-08 15:34 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-08-08 15:34 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeatsOSDApp"="c:\program files\IDT\WDM\beats64.exe" [2010-10-20 37888]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2014-02-28 558496]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-04-25 1425408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-08-17 168944]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-08-17 394224]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-08-17 418800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-08-20 21720]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 127.0.0.1:5050
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} - hxxp://www.zenfolio.com/zf/code/upload-ie-win-x86.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-93274557.sys
AddRemove-SmileBox_EN Toolbar - c:\program files (x86)\SmileBox_EN\uninstall.exe
AddRemove-{037524F1-D279-4FD5-A5DE-19B241F4ED4E} - c:\programdata\{E07EA62F-B06F-44AA-A564-5E6E7AB7DA96}\UMPSetup.exe
AddRemove-{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE} - c:\program files (x86)\InstallShield Installation Information\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-22  06:02:16
ComboFix-quarantined-files.txt  2014-09-22 11:02
ComboFix2.txt  2014-09-21 16:39
ComboFix3.txt  2014-09-13 22:29
ComboFix4.txt  2014-09-13 20:42
ComboFix5.txt  2014-09-22 10:46
.
Pre-Run: 289,206,181,888 bytes free
Post-Run: 289,151,848,448 bytes free
.
- - End Of File - - 49BE48DFA00D2E2096B8B9A18E0DE809
 


#5 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 22 September 2014 - 11:11 AM

Hi btqf1973,

 

Step1:

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step2:

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step3:

 

Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown in the screenshot (image not preserved).
  • Then press the "Repair" button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Step4:

 

Run Eset Online Scan

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the options "Scan Archives" and "Remove found threats" are ticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

----------------------------------------------------------------------------

How is the computer doing now?

 

Have a nice day.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#6 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 24 September 2014 - 10:56 AM

Hello,

3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Best regards
 

 


 


#7 btqf1973

btqf1973
  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:37 PM

Posted 27 September 2014 - 08:29 AM

I was sent out of town on work unexpectedly - I will run today and post logs



#8 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 27 September 2014 - 09:24 AM

OK. Welcome Back! Thanks.


Best regards
 

 


 


#9 btqf1973

btqf1973
  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:37 PM

Posted 27 September 2014 - 12:18 PM

ESET seems to have killed it - the others didn't

 

Here are the logs

Adwcleaner

# AdwCleaner v3.310 - Report created 27/09/2014 at 09:05:33
# Updated 12/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Starla - STARLA-HP
# Running from : C:\Users\Starla\Desktop\adwcleaner_3.310.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\Starla\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\Starla\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17280
 
 
-\\ Google Chrome v37.0.2062.124
 
[ File : C:\Users\Starla\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [9178 octets] - [13/09/2014 16:45:42]
AdwCleaner[R1].txt - [924 octets] - [26/09/2014 19:23:53]
AdwCleaner[R2].txt - [1312 octets] - [27/09/2014 09:04:43]
AdwCleaner[S0].txt - [8794 octets] - [13/09/2014 16:48:27]
AdwCleaner[S1].txt - [984 octets] - [27/09/2014 08:21:35]
AdwCleaner[S2].txt - [1237 octets] - [27/09/2014 09:05:33]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1297 octets] ##########
 
JRT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.2.3 (09.27.2014:1)
OS: Windows 7 Home Premium x64
Ran by Starla on Sat 09/27/2014 at  8:42:36.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.PseudoTransparentPlugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.PseudoTransparentPlugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.RadioSettings
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.RadioSettings.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.SettingsPlugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.SettingsPlugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.SkinLauncher
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\FestiveBar_3g.SkinLauncher.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\utilWhilokii_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\utilWhilokii_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\utilWhilokii_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\utilWhilokii_RASMANCS
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Starla\appdata\local\cre"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/27/2014 at  8:51:28.91
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ZHP
~ ZHPCleaner v2014.9.26.147 by Nicolas Coolman (26/09/2014)
~ Run by Starla (Administrator)  (27/09/2014 12:13:54)
~ State version : Updated version
~ Report : C:\Users\Starla\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Starla\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ Windows 7, 64-bit Service Pack 1 (Build 7601)
 
 
---\\ Browser Microsoft Internet Explorer Repair.
REPLACED PARAMS: Default_Page_URL  ( http://go.microsoft.com/fwlink/?LinkId=69157 )
 
 
---\\ Repair of the hosts file
~ The hosts file is legitimate (1)
 
 
 
---\\ Result of repair
~ Repair carried out successfully
~ No browser found (Mozilla Firefox)
~ No browser found (Opera Software)
 
 
End of clean at 12:14:04
===================
ZHPCleaner-27092014-09_02_03.txt
ZHPCleaner-27092014-09_16_40.txt
ZHPCleaner-27092014-09_17_11.txt
ZHPCleaner-27092014-12_13_27.txt
ZHPCleaner-27092014-12_14_04.txt
 
ESET deleted
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\CT3279411\plugins\TBVerifier.dll.vir Win32/Toolbar.Conduit.AC potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\Users\Starla\AppData\Local\CRE\ggamifejnddpoocdmadhjdbgaijnphdi.crx.xBAD a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Cache utility\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\DealAlly\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Diagnostics\node\4i6bagz5cwl.exe Win32/UnlimitedDownloads.A potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Diagnostics\node\4i6baogtowl.exe Win32/UnlimitedDownloads.A potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Diagnostics\node\4i6baxxq2gl.exe Win32/UnlimitedDownloads.A potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Diagnostics\node\4i6bb8tj08l.exe Win32/UnlimitedDownloads.A potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Diagnostics\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Display settings\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Common Files\Hoist Search\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application deleted - quarantined
C:\Qoobox\Quarantine\C\Users\Starla\jqs.exe.vir a variant of Win32/TrojanDownloader.Delf.RWG trojan cleaned by deleting - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\Autorun.inf Win32/Toolbar.TNT2.F potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\GameConsole.exe a variant of Win32/Toolbar.TNT2.E potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\IEToolbar.dll a variant of Win32/Toolbar.TNT2.B potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\IEToolbar64.dll a variant of Win32/Toolbar.TNT2.E potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\npTNT2.dll a variant of Win32/Toolbar.TNT2.H potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\passport.dll a variant of Win32/Toolbar.TNT2.E potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\passport64.dll a variant of Win32/Toolbar.TNT2.E potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\TNT2User.exe a variant of Win32/Toolbar.TNT2.A potentially unwanted application deleted - quarantined
C:\Users\Starla\AppData\Local\TNT2\2.0.0.1855\TNT2UserPS64.dll a variant of Win32/Toolbar.TNT2.E potentially unwanted application deleted - quarantined
C:\Users\Starla\Downloads\ccsetup416.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\Starla\Downloads\kozuka-gothic-pro-el.exe a variant of Win32/OpenInstall potentially unwanted application deleted - quarantined
C:\Users\Starla\Downloads\kozuka-gothic-pro-h.exe a variant of Win32/OpenInstall potentially unwanted application deleted - quarantined
 


#10 olgun52
  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 27 September 2014 - 06:51 PM

Hi btqf1973, thanks for the logs.

How is your system responding now, any issues or concerns?

 

--------------

 

Updating Java and Clearing Cache:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.

Please go to Start > Control Panel > Programs and Features > uninstall all the Java programs you see, then download the latest Java from the following link and install it:

Java 3 Update 37

Now reboot the system.

  • Download the latest version of Java Runtime Environment (JRE) 7
  • Recommended Version is 7 Update 67
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file.
  • Close any programs you may have running - especially your web browser.

See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup).

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Installed Applications and Applets
  • Click OK in the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

 


Best regards
 
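The ZHPCleaner report in post #9 checks the hosts file and repairs Internet Explorer's start-page setting, and post #10 asks for outdated Java versions to be removed. As an added example, not part of this thread and not code from any of the tools named in it, the following PowerShell script performs the equivalent checks read-only on a Windows machine: it reads the WinINET proxy settings (where a loopback proxy like the one this thread was opened about lives), names the local process listening on that proxy port, lists hosts-file entries beyond the localhost defaults, and enumerates installed Java runtimes from the Uninstall registry keys. The function names are my own; the registry paths, the hosts file location and the netstat output format are standard Windows. Nothing in it changes the system.

```powershell
# Added example, not from this thread or any of the tools named in it.
# Read-only audit of three things the cleanup above touched: the WinINET
# proxy, the hosts file, and installed Java versions. Requires PowerShell 3
# or later; run it from an elevated prompt so the Uninstall keys and
# netstat -ano are fully readable. Nothing here modifies the system.

# WinINET proxy settings (used by Internet Explorer and most Windows
# programs). A proxy that points at the loopback address routes the
# browser through a process on the same machine, which is unusual unless
# you installed a local filter yourself.
function Get-WinInetProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    $loopback = ($p.ProxyEnable -eq 1) -and ($p.ProxyServer -match '127\.0\.0\.1|localhost')
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        LoopbackProxy = $loopback
    }
}

# Which process is listening on a local TCP port, parsed from netstat -ano.
# Get-NetTCPConnection would be simpler but only exists on Windows 8 and later.
function Get-ListenerForPort([int]$Port) {
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $procId = [int]$Matches[1]
            $owner  = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = $Port
                ProcessId = $procId
                Process   = $owner.ProcessName
                Path      = $owner.Path
            }
        }
    }
}

# hosts file entries other than the standard localhost lines.
function Get-HostsOverrides {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object {
            $fields = $_.Trim() -split '\s+'
            [pscustomobject]@{ Address = $fields[0]; Name = $fields[1] }
        } |
        Where-Object { -not (($_.Address -eq '127.0.0.1' -or $_.Address -eq '::1') -and $_.Name -eq 'localhost') }
}

# Installed Java runtimes, from both the 64-bit and 32-bit registry views,
# so a stale version left behind after an upgrade is visible.
function Get-InstalledJava {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# Report.
$proxy = Get-WinInetProxy
"WinINET proxy: enabled=$($proxy.ProxyEnable) server='$($proxy.ProxyServer)' pac='$($proxy.AutoConfigURL)'"
if ($proxy.LoopbackProxy -and $proxy.ProxyServer -match '127\.0\.0\.1:(\d+)') {
    'WARNING: browser traffic is routed through a process on this machine:'
    Get-ListenerForPort ([int]$Matches[1]) | Format-Table -AutoSize
}

'hosts file entries beyond the defaults (empty is good):'
Get-HostsOverrides | Format-Table -AutoSize

'Installed Java runtimes (more than one entry, or an old update number, means cleanup is due):'
Get-InstalledJava | Format-Table -AutoSize
```

Save it as a .ps1 file and run it before and after a cleanup: the proxy and hosts output should be empty of loopback entries afterwards, and the Java list should show a single current runtime. If the proxy warning fires, the process name and path it prints are what to look up or submit to the helper, since the cleanup tools above only reset the setting and do not tell you which program set it.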
#11 olgun52
  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 30 September 2014 - 05:53 PM

Hello,

 

3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Best regards
 
#12 olgun52
  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:02:37 AM

Posted 03 October 2014 - 02:23 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Best regards
 