ComboFix scan


15 replies to this topic

#1 Jakeburbery84
  • Members
  • 9 posts

Posted 11 October 2014 - 02:05 PM

Hi,

My PC seems to have an infection because every time I run ComboFix I get the results telling me there are certain Locked Registry Keys and that orphans have been removed. They can't have been removed though because they always appear.

I'd really appreciate someone's help on this. If anything from the ComboFix log looks familiar to you, please let me know.

The log is as follows:

ComboFix 14-10-04.01 - Jake 11/10/2014  19:44:11.10.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.4007.2580 [GMT 1:00]
Running from: e:\downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-11 to 2014-10-11  )))))))))))))))))))))))))))))))
.
.
2014-10-11 18:54 . 2014-10-11 18:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-10-11 18:54 . 2014-10-11 18:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-06 20:00 . 2014-10-06 20:00 -------- d-----w- c:\windows\ERUNT
2014-10-03 11:12 . 2014-10-03 11:12 -------- d-----w- c:\users\Jake\AppData\Roaming\Unity
2014-10-03 10:43 . 2014-10-03 10:43 -------- d-----w- c:\users\Jake\AppData\Local\Unity
2014-09-29 17:08 . 2014-09-29 17:08 -------- d--h--w- c:\programdata\CanonIJMyPrinter
2014-09-27 18:19 . 2014-09-27 18:19 -------- d-----w- c:\users\Jake\AppData\Roaming\Canon
2014-09-27 18:19 . 2014-09-27 18:19 -------- d--h--w- c:\programdata\CanonIJQuickMenu
2014-09-27 18:19 . 2014-09-27 18:19 -------- d--h--w- c:\programdata\CanonIJEGV
2014-09-27 18:16 . 2012-04-16 04:00 392192 ----a-w- c:\windows\system32\CNMXLMBA.DLL
2014-09-27 18:13 . 2014-09-27 18:13 -------- d-----w- c:\program files\Common Files\CANON
2014-09-27 18:12 . 2014-09-27 18:12 -------- d-----w- c:\programdata\CanonIJWSpt
2014-09-27 18:08 . 2014-09-27 18:13 -------- d-----w- c:\program files\Canon
2014-09-27 18:07 . 2014-09-27 18:07 -------- d--h--w- c:\programdata\CanonBJ
2014-09-27 18:07 . 2012-04-16 04:00 30208 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDBA.DLL
2014-09-27 18:07 . 2012-04-16 04:00 100352 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPBA.DLL
2014-09-27 18:07 . 2014-09-27 18:07 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2014-09-27 18:07 . 2012-04-16 04:00 389120 ----a-w- c:\windows\system32\CNMLMBA.DLL
2014-09-27 18:06 . 2014-09-27 18:06 -------- d-----w- c:\windows\system32\STRING
2014-09-27 18:06 . 2012-03-28 17:01 39424 ----a-w- c:\windows\system32\CNMN6UI.DLL
2014-09-27 18:06 . 2012-03-28 17:01 359936 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2014-09-27 18:04 . 2014-10-07 20:02 -------- d-----w- c:\programdata\CanonIJPLM
2014-09-27 18:04 . 2014-09-27 18:04 -------- d--h--w- c:\programdata\CanonIJETV
2014-09-27 18:03 . 2014-09-27 18:13 -------- d-----w- c:\program files (x86)\Canon
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\programdata\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\users\Jake\AppData\Roaming\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\users\Jake\AppData\Local\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\program files (x86)\TomTom HOME 2
2014-09-20 15:19 . 2014-09-20 15:19 -------- d-----w- c:\program files (x86)\TomTom International B.V
2014-09-20 15:18 . 2014-09-20 15:18 -------- d-----w- c:\users\Jake\AppData\Local\Downloaded Installations
2014-09-17 09:34 . 2014-09-05 02:01 574976 ----a-w- c:\windows\system32\aepdu.dll
2014-09-17 09:34 . 2014-09-05 01:55 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-09-12 09:43 . 2014-09-12 09:43 227728 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-11 18:39 . 2011-09-06 10:55 151552 ----a-w- c:\windows\KMSEmulator.exe
2014-10-03 21:23 . 2014-04-28 17:57 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-03 12:36 . 2012-06-19 17:59 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-10-03 12:36 . 2011-08-03 12:42 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-17 17:49 . 2011-08-03 10:42 101694776 ----a-w- c:\windows\system32\MRT.exe
2014-09-14 10:23 . 2011-08-03 12:14 534104 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
2014-07-24 14:58 . 2014-03-23 18:58 42040 ----a-w- c:\windows\system32\drivers\avnetflt.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}]
2014-03-27 20:29 297128 ----a-w- c:\program files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-08-12 751184]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2014-01-10 1861968]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2014-04-03 450560]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-09-12 959176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys;c:\windows\SYSNATIVE\DRIVERS\asahci64.sys [x]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys;c:\windows\SYSNATIVE\Drivers\RapportKE64.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 RapportCerberus_80055;RapportCerberus_80055;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys [x]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [x]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
S2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
S2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 12:36]
.
2014-10-11 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
.
2014-10-11 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
.
2014-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-23 11:58]
.
2014-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-23 11:58]
.
2014-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000Core.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 10:57]
.
2014-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000UA.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 10:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}]
2014-03-20 18:08 357432 ----a-w- c:\program files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-01-29 442328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-01-29 399832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-01-29 171992]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-19 11613288]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-01 675840]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\program files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - c:\program files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-11  19:58:44
ComboFix-quarantined-files.txt  2014-10-11 18:58
ComboFix2.txt  2014-10-06 20:46
ComboFix3.txt  2014-10-06 20:32
ComboFix4.txt  2014-10-06 19:55
ComboFix5.txt  2014-10-11 18:42
.
Pre-Run: 343,634,767,872 bytes free
Post-Run: 343,194,873,856 bytes free
.
- - End Of File - - FC83FAD05CD31D83E0C1870E68D4FE1C
A36C5E4F47E84449FF07ED3517B43A31
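Reading a ComboFix log like the one above by eye is the slow part of a thread like this. As an added example, not part of the original post and not ComboFix's own code, the Python script below parses the three sections a reviewer looks at first (the Run keys under Reg Loading Points, the Scheduled Tasks folder and the Locked Registry Keys) out of a trimmed excerpt copied from that log, and flags what usually gets asked about: programs started from somewhere other than the Windows system folders or Program Files, LoadAppInit_DLLs switched on, and every key ComboFix could not read because of a Deny ACE. The list of trusted install roots and the finding categories are this example's own assumptions, not anything ComboFix defines.

```python
import re
from collections import defaultdict

# Excerpt of the ComboFix log posted above, trimmed to the sections this
# triage reads; paths and key names are copied from that log unchanged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-08-12 751184]
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
Contents of the 'Scheduled Tasks' folder
2014-10-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 12:36]
2014-10-11 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
2014-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000Core.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 10:57]
--------- X64 Entries -----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-01 675840]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""

# Line shapes ComboFix uses in the sections above.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DENIED_RE = re.compile(r'^@Denied:\s*(.+)$')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$', re.I)
TARGET_RE = re.compile(r'^-\s+([a-z]:\\[^\[]+?)\s*\[', re.I)
PATH_RE = re.compile(r'[a-z]:\\[^"\[]+', re.I)

# Assumed "expected" install roots; anything launched from elsewhere gets a
# review flag. This is this example's choice, not a ComboFix rule.
TRUSTED_ROOTS = ('c:\\windows\\system32', 'c:\\windows\\syswow64',
                 'c:\\program files', 'c:\\program files (x86)')


def outside_trusted_roots(path):
    """True when a binary lives outside the usual OS/application roots."""
    p = path.lower()
    return not any(p.startswith(root + '\\') for root in TRUSTED_ROOTS)


def parse_combofix(log):
    """Pull registry values, Deny ACEs and scheduled-task targets out of the log."""
    keys = defaultdict(dict)   # registry key -> {value name: raw value text}
    locked = {}                # registry key -> Deny ACE text ComboFix printed
    tasks = []                 # (job file, binary the task launches)
    current_key = None
    pending_job = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif (m := DENIED_RE.match(line)) and current_key:
            locked[current_key] = m.group(1)
        elif (m := VALUE_RE.match(line)) and current_key:
            keys[current_key][m.group(1)] = m.group(2)
        elif m := TASK_RE.match(line):
            pending_job = m.group(1)
        elif (m := TARGET_RE.match(line)) and pending_job:
            tasks.append((pending_job, m.group(1).strip()))
            pending_job = None
    return keys, locked, tasks


def triage(log):
    """Return (category, subject, detail) tuples a reviewer should look at."""
    keys, locked, tasks = parse_combofix(log)
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith('\\run') or k.endswith('\\runonce'):
            for name, raw in values.items():
                m = PATH_RE.search(raw)
                if m and outside_trusted_roots(m.group(0).strip()):
                    findings.append(('autorun', name, m.group(0).strip()))
        elif k.endswith('\\currentversion\\windows'):
            # LoadAppInit_DLLs=1 makes every process that loads user32.dll
            # also load whatever is listed in AppInit_DLLs; worth a look.
            if values.get('LoadAppInit_DLLs', '').startswith('1'):
                findings.append(('appinit', key, values['LoadAppInit_DLLs']))
    for job, target in tasks:
        if outside_trusted_roots(target):
            findings.append(('task', job, target))
    for key, ace in locked.items():
        findings.append(('locked', key, ace))
    return findings


if __name__ == '__main__':
    for category, subject, detail in triage(SAMPLE_LOG):
        print(f'{category:8} {subject}  ->  {detail}')
```

Run it and you get one line per finding. An 'autorun' or 'task' flag says look at that file, not that it is malicious: the per-user Google updater from the log lands there next to c:\windows\AutoKMS\AutoKMS.exe and c:\windows\vsnp2uvc.exe, and it is the file itself (signature, publisher, what installed it) that settles each one. The 'locked' lines are inventory rather than judgement, since some legitimate installers set Deny ACEs on their own keys; what tells you whether a lock belongs is the path stored under the key, here the Flash broker executable.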
 



#2 Jakeburbery84
  • Topic Starter
  • Members
  • 9 posts

Posted 12 October 2014 - 01:48 PM

My browser has become quite slow too if that helps



#3 nasdaq
  • Malware Response Team
  • 38,251 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 October 2014 - 08:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#4 Jakeburbery84
  • Topic Starter
  • Members
  • 9 posts

Posted 14 October 2014 - 03:06 PM

Thanks for getting back to me, really appreciate it! I think the AdwCleaner removed some of the files, but I'm not 100% sure. Anyway here are the logs.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 14/10/2014
Scan Time: 18:38:58
Logfile: MBAMscan.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.10.14.10
Rootkit Database: v2014.10.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7
CPU: x64
File System: NTFS
User: Jake
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332853
Time Elapsed: 12 min, 5 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
# AdwCleaner v4.000 - Report created 14/10/2014 at 19:02:49
# DB v2014-10-13.5
# Updated 12/10/2014 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : Jake - JAKE-PC
# Running from : E:\Downloads\adwcleaner_4.000.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\~0
Folder Deleted : C:\Program Files\003
Folder Deleted : C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Folder Deleted : C:\Program Files (x86)\ExpressFiles
Folder Deleted : C:\Program Files (x86)\GreenTree Applications
Folder Deleted : E:\Documents\Optimizer Pro
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Bubble Dock BSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Bubble Dock BSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Bubble Dock_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Bubble Dock_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IminentSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IminentSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\optprostart_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\optprostart_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchProtectINT_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchProtectINT_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Uninstall Bubble Dock_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Uninstall Bubble Dock_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Complitly
Key Deleted : HKCU\Software\ExpressFiles
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\Nosibay
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\ExpressFiles
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C19AC53289098045B06B0DD1D37CBAB
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23D9E9D21B4E77E41B9F50DD22F24E20
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23EEA1F105A7F45449974D9B95E7AC89
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26982796A8AFD1246B95E00265A95BF9
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42D92D0D75AFEF74297E03876C8D9D33
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50FFE845C555A6E4BADB7CB7A145BFEB
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\715A3348920B6534690067594BB69F60
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7B7B13B037A7C2A42AC3E3EAF14D7107
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D05B2942E9CC80499F397F6114DFB35
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8591B8948E1C4A04F90505B3CDEE8555
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8D841C5FEC311624CB88D49DB3884FA7
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD746BF3B3B3FD8409B86604BA85982A
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F355F0DB7A2E3A14B8E7A568FBA25937
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16476
 
 
-\\ Google Chrome v
 
Deleted [Search Provider] : hxxp://search.babylon.com/?q={searchTerms}&tt=010412_crm&babsrc=SP_crm
 
*************************
 
AdwCleaner[R0].txt - [7875 octets] - [14/10/2014 18:56:21]
AdwCleaner[S0].txt - [7533 octets] - [14/10/2014 19:02:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7593 octets] ##########
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-10-2014 02
Ran by Jake (administrator) on JAKE-PC on 14-10-2014 19:13:38
Running from E:\Downloads
Loaded Profile: Jake (Available profiles: Jake)
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
(IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Sonix) C:\Windows\vsnp2uvc.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11613288 2010-11-19] (Realtek Semiconductor)
HKLM\...\Run: [snp2uvc] => C:\Windows\vsnp2uvc.exe [675840 2008-08-01] (Sonix)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [703736 2014-10-14] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968 2014-01-10] ()
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2014-04-03] (DivX, LLC)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3507203518-2337994747-1172144935-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x209D28B7F216CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {75FB01F2-217D-4622-87C7-EE4F4F7689F7} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Toolbar: HKCU - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @java.com/DTPlugin,version=11.5.2 -> C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.5.2 -> C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll (CANON INC.)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\Jake\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\Jake\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Jake\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF HKCU\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
FF Extension: Download videos and MP3s from YouTube - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff [2014-03-28]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.co.uk/
CHR StartupUrls: Default -> "hxxp://www.google.co.uk/"
CHR Profile: C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Angry Birds) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2012-03-19]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-17]
CHR Extension: (YouTube) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-18]
CHR Extension: (Guitarist's Reference) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\cddaabhppoebkmalboinjhgofbhdbcgk [2012-04-11]
CHR Extension: (Shogun's Fate) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdliblldgjdficcbflpdknckckdfdkbo [2012-04-13]
CHR Extension: (Google Search) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-18]
CHR Extension: (Guitar Tab Viewer) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkdmbkpfnfkhalmhebdelpldipheihng [2012-03-21]
CHR Extension: (Avira Browser Safety) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-03-24]
CHR Extension: (Guitar Chords Chart) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmmjcbokmpooocgkccpdfkcaclcfgdhd [2012-03-21]
CHR Extension: (Senatry) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\hendkppcdmlcdncpdpbhkkbmldmadfln [2012-04-13]
CHR Extension: (video2mp3.net) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\higgajlpbghlddcdenhmgdkmngaefgfp [2012-10-01]
CHR Extension: (YouTube to MP3 Converter) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibcpjodfibnpbphfodohkmgmedjbgkhj [2012-10-01]
CHR Extension: (Google Wallet) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-23]
CHR Extension: (Gmail) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-18]
CHR StartMenuInternet: Google Chrome - C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-10-14] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-10-14] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [994096 2014-10-14] (Avira Operations GmbH & Co. KG)
R2 CTDevice_Srv; C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe [61440 2007-04-02] (Creative Technology Ltd) [File not signed]
S3 CTUPnPSv; C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [64000 2008-05-21] (Creative Technology Ltd) [File not signed]
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2012-03-28] ()
R2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [1919256 2014-09-14] (IBM Corp.)
R2 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-02-10] (Seagate Technology LLC)
R2 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [157264 2014-02-10] (Seagate Technology LLC)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [36448 2011-03-02] (Asmedia Technology)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-14] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-14] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-02-25] (Avira Operations GmbH & Co. KG)
R1 RapportCerberus_80055; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys [761720 2014-09-24] ()
R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [445880 2014-09-14] (IBM Corp.)
R0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [534104 2014-09-14] (IBM Corp.)
R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [557656 2014-09-14] (IBM Corp.)
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [3557248 2009-06-03] ()
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-04-13] (Duplex Secure Ltd.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-14 19:10 - 2014-10-14 19:13 - 00000000 ____D () C:\FRST
2014-10-14 18:55 - 2014-10-14 19:02 - 00000000 ____D () C:\AdwCleaner
2014-10-11 19:58 - 2014-10-11 19:58 - 00018594 _____ () C:\ComboFix.txt
2014-10-11 09:48 - 2014-10-11 09:49 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-10-10 07:47 - 2014-10-14 19:06 - 00002756 _____ () C:\Windows\System32\Tasks\AutoKMSDaily
2014-10-06 21:00 - 2014-10-06 21:00 - 00000000 ____D () C:\Windows\ERUNT
2014-10-03 12:12 - 2014-10-03 12:12 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\Unity
2014-10-03 11:43 - 2014-10-03 11:43 - 00000000 ____D () C:\Users\Jake\AppData\Local\Unity
2014-09-29 18:08 - 2014-09-29 18:08 - 00000000 ___HD () C:\ProgramData\CanonIJMyPrinter
2014-09-27 19:19 - 2014-09-27 19:19 - 00000000 ___HD () C:\ProgramData\CanonIJQuickMenu
2014-09-27 19:19 - 2014-09-27 19:19 - 00000000 ___HD () C:\ProgramData\CanonIJEGV
2014-09-27 19:19 - 2014-09-27 19:19 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\Canon
2014-09-27 19:16 - 2012-04-16 05:00 - 00392192 _____ (CANON INC.) C:\Windows\system32\CNMXLMBA.DLL
2014-09-27 19:13 - 2014-09-27 19:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iP7200 series User Registration
2014-09-27 19:13 - 2014-09-27 19:13 - 00000000 ____D () C:\Program Files\Common Files\CANON
2014-09-27 19:12 - 2014-09-27 19:12 - 00000000 ____D () C:\ProgramData\CanonIJWSpt
2014-09-27 19:08 - 2014-09-27 19:13 - 00000000 ____D () C:\Program Files\Canon
2014-09-27 19:08 - 2014-09-27 19:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
2014-09-27 19:08 - 2014-09-27 19:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iP7200 series Manual
2014-09-27 19:07 - 2014-09-27 19:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iP7200 series
2014-09-27 19:07 - 2014-09-27 19:07 - 00000000 ___HD () C:\Windows\system32\CanonIJ Uninstaller Information
2014-09-27 19:07 - 2014-09-27 19:07 - 00000000 ___HD () C:\ProgramData\CanonBJ
2014-09-27 19:07 - 2012-04-16 05:00 - 00389120 _____ (CANON INC.) C:\Windows\system32\CNMLMBA.DLL
2014-09-27 19:06 - 2014-09-27 19:06 - 00000000 ___HD () C:\Program Files\CanonBJ
2014-09-27 19:06 - 2014-09-27 19:06 - 00000000 ____D () C:\Windows\system32\STRING
2014-09-27 19:06 - 2012-03-28 18:01 - 00359936 _____ (CANON INC.) C:\Windows\system32\CNMN6PPM.DLL
2014-09-27 19:06 - 2012-03-28 18:01 - 00039424 _____ (CANON INC.) C:\Windows\system32\CNMN6UI.DLL
2014-09-27 19:04 - 2014-10-07 21:02 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-09-27 19:04 - 2014-09-27 19:04 - 00000000 ___HD () C:\ProgramData\CanonIJETV
2014-09-27 19:03 - 2014-09-27 19:13 - 00000000 ____D () C:\Program Files (x86)\Canon
2014-09-20 16:21 - 2014-09-20 16:21 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\TomTom
2014-09-20 16:21 - 2014-09-20 16:21 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\Mozilla
2014-09-20 16:21 - 2014-09-20 16:21 - 00000000 ____D () C:\Users\Jake\AppData\Local\TomTom
2014-09-20 16:21 - 2014-09-20 16:21 - 00000000 ____D () C:\ProgramData\TomTom
2014-09-20 16:21 - 2014-09-20 16:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TomTom
2014-09-20 16:21 - 2014-09-20 16:21 - 00000000 ____D () C:\Program Files (x86)\TomTom HOME 2
2014-09-20 16:19 - 2014-09-20 16:19 - 00000000 ____D () C:\Program Files (x86)\TomTom International B.V
2014-09-20 16:18 - 2014-09-20 16:18 - 00000000 ____D () C:\Users\Jake\AppData\Local\Downloaded Installations
2014-09-17 10:34 - 2014-09-05 03:01 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-17 10:34 - 2014-09-05 02:55 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-14 19:13 - 2009-07-14 05:45 - 00020448 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-14 19:13 - 2009-07-14 05:45 - 00020448 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-14 19:06 - 2011-09-06 11:55 - 00000214 _____ () C:\Windows\Tasks\AutoKMS.job
2014-10-14 19:05 - 2012-05-17 04:40 - 00000218 _____ () C:\Windows\Tasks\AutoKMSDaily.job
2014-10-14 19:05 - 2011-10-23 12:59 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-14 19:05 - 2011-09-06 11:55 - 00151552 _____ () C:\Windows\KMSEmulator.exe
2014-10-14 19:04 - 2011-08-03 13:34 - 00206652 _____ () C:\Windows\PFRO.log
2014-10-14 19:04 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-14 19:04 - 2009-07-14 05:51 - 00106352 _____ () C:\Windows\setupact.log
2014-10-14 19:03 - 2011-08-03 11:10 - 01859844 _____ () C:\Windows\WindowsUpdate.log
2014-10-14 18:45 - 2011-08-03 11:57 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000UA.job
2014-10-14 18:38 - 2014-04-28 18:57 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-14 18:37 - 2014-03-23 19:58 - 00043064 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-10-14 18:37 - 2014-03-23 13:57 - 00131608 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-10-14 18:37 - 2014-03-23 13:57 - 00119272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-10-14 09:18 - 2011-10-23 12:59 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-14 09:17 - 2012-06-19 18:59 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-14 08:43 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-12 21:18 - 2011-10-22 20:54 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\Skype
2014-10-12 17:44 - 2011-08-03 11:57 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000Core.job
2014-10-11 19:58 - 2014-05-08 08:58 - 00000000 ____D () C:\Qoobox
2014-10-11 19:55 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2014-10-11 09:48 - 2011-08-14 22:01 - 00000000 ____D () C:\ProgramData\Adobe
2014-10-11 09:48 - 2011-08-14 22:01 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-10-05 16:25 - 2014-03-24 18:14 - 00001067 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\LINE.lnk
2014-10-05 16:25 - 2014-03-24 18:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LINE
2014-10-04 15:08 - 2011-08-03 11:57 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-10-03 13:36 - 2012-06-19 18:59 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-10-03 13:36 - 2012-06-19 18:59 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-10-03 13:36 - 2011-08-14 22:01 - 00000000 ____D () C:\Users\Jake\AppData\Local\Adobe
2014-10-03 13:36 - 2011-08-03 13:42 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-10-02 21:37 - 2012-02-16 23:48 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\vlc
2014-10-01 17:36 - 2009-07-14 06:13 - 00783394 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-01 16:51 - 2014-05-07 21:37 - 00000000 ____D () C:\Users\Jake\Downloads\dokumentärer
2014-10-01 07:44 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Speech
2014-09-30 22:01 - 2014-04-28 18:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-30 22:01 - 2014-04-28 18:57 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-30 20:16 - 2011-10-18 08:07 - 00000000 ____D () C:\Users\Jake\AppData\Roaming\uTorrent
2014-09-29 18:08 - 2009-07-14 06:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-09-24 08:45 - 2014-03-23 14:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trusteer Endpoint Protection
2014-09-17 18:53 - 2014-07-10 19:16 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-09-17 18:53 - 2014-03-23 14:24 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-17 18:53 - 2011-08-03 13:07 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-17 18:49 - 2011-08-03 11:42 - 101694776 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-14 11:23 - 2011-08-03 13:14 - 00534104 _____ (IBM Corp.) C:\Windows\system32\Drivers\RapportKE64.sys
 
Some content of TEMP:
====================
C:\Users\Jake\AppData\Local\Temp\avgnt.exe
C:\Users\Jake\AppData\Local\Temp\Quarantine.exe
C:\Users\Jake\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-07 09:21
 
==================== End Of Log ============================
 
 
I've also attached the Addition.txt file as requested.
 
My browser is still a little laggy, but it seems to have improved greatly.
 
Thanks again for your help, anything else you suggest to run?
 
Thanks
Jake
 
#5 Jakeburbery84

  • Topic Starter
  • Members
  • 9 posts

Posted 15 October 2014 - 03:11 AM

Actually, having run ComboFix again, it looks like none of the orphans or locked registry keys were removed. I thought that AdwCleaner had attempted to, but maybe not. Here's the new ComboFix log:

ComboFix 14-10-15.01 - Jake 15/10/2014   8:50.11.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.4007.2371 [GMT 1:00]
Running from: e:\downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-15 to 2014-10-15  )))))))))))))))))))))))))))))))
.
.
2014-10-15 08:00 . 2014-10-15 08:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-10-15 08:00 . 2014-10-15 08:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-14 18:10 . 2014-10-14 18:14 -------- d-----w- C:\FRST
2014-10-14 17:55 . 2014-10-14 18:02 -------- d-----w- C:\AdwCleaner
2014-10-06 20:00 . 2014-10-06 20:00 -------- d-----w- c:\windows\ERUNT
2014-10-03 11:12 . 2014-10-03 11:12 -------- d-----w- c:\users\Jake\AppData\Roaming\Unity
2014-10-03 10:43 . 2014-10-03 10:43 -------- d-----w- c:\users\Jake\AppData\Local\Unity
2014-09-29 17:08 . 2014-09-29 17:08 -------- d--h--w- c:\programdata\CanonIJMyPrinter
2014-09-27 18:19 . 2014-09-27 18:19 -------- d-----w- c:\users\Jake\AppData\Roaming\Canon
2014-09-27 18:19 . 2014-09-27 18:19 -------- d--h--w- c:\programdata\CanonIJQuickMenu
2014-09-27 18:19 . 2014-09-27 18:19 -------- d--h--w- c:\programdata\CanonIJEGV
2014-09-27 18:16 . 2012-04-16 04:00 392192 ----a-w- c:\windows\system32\CNMXLMBA.DLL
2014-09-27 18:13 . 2014-09-27 18:13 -------- d-----w- c:\program files\Common Files\CANON
2014-09-27 18:12 . 2014-09-27 18:12 -------- d-----w- c:\programdata\CanonIJWSpt
2014-09-27 18:08 . 2014-09-27 18:13 -------- d-----w- c:\program files\Canon
2014-09-27 18:07 . 2014-09-27 18:07 -------- d--h--w- c:\programdata\CanonBJ
2014-09-27 18:07 . 2012-04-16 04:00 30208 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDBA.DLL
2014-09-27 18:07 . 2012-04-16 04:00 100352 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPBA.DLL
2014-09-27 18:07 . 2014-09-27 18:07 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2014-09-27 18:07 . 2012-04-16 04:00 389120 ----a-w- c:\windows\system32\CNMLMBA.DLL
2014-09-27 18:06 . 2014-09-27 18:06 -------- d-----w- c:\windows\system32\STRING
2014-09-27 18:06 . 2012-03-28 17:01 39424 ----a-w- c:\windows\system32\CNMN6UI.DLL
2014-09-27 18:06 . 2012-03-28 17:01 359936 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2014-09-27 18:04 . 2014-10-07 20:02 -------- d-----w- c:\programdata\CanonIJPLM
2014-09-27 18:04 . 2014-09-27 18:04 -------- d--h--w- c:\programdata\CanonIJETV
2014-09-27 18:03 . 2014-09-27 18:13 -------- d-----w- c:\program files (x86)\Canon
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\programdata\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\users\Jake\AppData\Roaming\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\users\Jake\AppData\Local\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\program files (x86)\TomTom HOME 2
2014-09-20 15:19 . 2014-09-20 15:19 -------- d-----w- c:\program files (x86)\TomTom International B.V
2014-09-20 15:18 . 2014-09-20 15:18 -------- d-----w- c:\users\Jake\AppData\Local\Downloaded Installations
2014-09-17 09:34 . 2014-09-05 02:01 574976 ----a-w- c:\windows\system32\aepdu.dll
2014-09-17 09:34 . 2014-09-05 01:55 424448 ----a-w- c:\windows\system32\aeinv.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-15 07:43 . 2011-09-06 10:55 151552 ----a-w- c:\windows\KMSEmulator.exe
2014-10-14 17:38 . 2014-04-28 17:57 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-14 17:37 . 2014-03-23 18:58 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-10-14 17:37 . 2014-03-23 12:57 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-10-14 17:37 . 2014-03-23 12:57 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-10-03 12:36 . 2012-06-19 17:59 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-10-03 12:36 . 2011-08-03 12:42 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-17 17:49 . 2011-08-03 10:42 101694776 ----a-w- c:\windows\system32\MRT.exe
2014-09-14 10:23 . 2011-08-03 12:14 534104 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-10-14 703736]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2014-01-10 1861968]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2014-04-03 450560]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-09-12 959176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys;c:\windows\SYSNATIVE\DRIVERS\asahci64.sys [x]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys;c:\windows\SYSNATIVE\Drivers\RapportKE64.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 RapportCerberus_80055;RapportCerberus_80055;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys [x]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [x]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
S2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
S2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 12:36]
.
2014-10-15 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
.
2014-10-15 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
.
2014-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-23 11:58]
.
2014-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-23 11:58]
.
2014-10-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000Core.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 10:57]
.
2014-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000UA.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 10:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-01-29 442328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-01-29 399832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-01-29 171992]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-19 11613288]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-01 675840]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\program files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - c:\program files (x86)\GreenTree Applications\YTD Video Downloader\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-15  09:04:27
ComboFix-quarantined-files.txt  2014-10-15 08:04
ComboFix2.txt  2014-10-11 18:58
ComboFix3.txt  2014-10-06 20:46
ComboFix4.txt  2014-10-06 20:32
ComboFix5.txt  2014-10-15 07:47
.
Pre-Run: 341,611,012,096 bytes free
Post-Run: 341,223,706,624 bytes free
.
- - End Of File - - 9F008060A141192979734E4D2054DFBB
A36C5E4F47E84449FF07ED3517B43A31
 
 
Thanks again for your help


#6 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
Posted 17 October 2014 - 10:14 AM

Sorry for this delay. I had technical difficulties.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKCU - URL http://search.conduit.com/Results.aspx?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=58&CUI=&UM=5&UP=SP46B1F126-7C4F-46A1-9722-834ED9A8978B&q={searchTerms}&SSPV=
SearchScopes: HKCU - SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKCU\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {023AF68A-EB11-440B-AC40-B74E9162AF8D} - System32\Tasks\Express Files Updater => C:\Program Files (x86)\ExpressFiles\EFupdater.exe <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

#7 Jakeburbery84
  • Topic Starter

  • Members
  • 9 posts

Posted 17 October 2014 - 02:58 PM

Thanks for getting back to me again. This is the first log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
Ran by Jake at 2014-10-17 20:33:09 Run:1
Running from E:\Downloads
Loaded Profile: Jake (Available profiles: Jake)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKCU\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {023AF68A-EB11-440B-AC40-B74E9162AF8D} - System32\Tasks\Express Files Updater => C:\Program Files (x86)\ExpressFiles\EFupdater.exe <==== ATTENTION
 
End
*****************
 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
"HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
"HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
"HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => Key deleted successfully.
"HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => value deleted successfully.
"HKCR\PROTOCOLS\Handler\skype-ie-addon-data" => Key deleted successfully.
"HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}" => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
HKCU\Software\Mozilla\Firefox\Extensions\\{B64D9B05-48E1-4CEB-BF58-E0643994E900} => value deleted successfully.
catchme => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{023AF68A-EB11-440B-AC40-B74E9162AF8D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{023AF68A-EB11-440B-AC40-B74E9162AF8D}" => Key deleted successfully.
C:\Windows\System32\Tasks\Express Files Updater => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Express Files Updater" => Key deleted successfully.
 
==== End of Fixlog ====
 
...and here is the second:
 

 Results of screen317's Security Check version 0.99.89  
 Windows 7  x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Avira Desktop   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java version out of Date! 
 Adobe Flash Player 15.0.0.152  
 Adobe Reader XI  
 Google Chrome 37.0.2062.124  
 Google Chrome 38.0.2125.104  
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
I can see from that that I'm on Service Pack 1. Should I get Service Pack 2?
 
Thanks again
 
Jake


#8 nasdaq

  • Malware Response Team
  • 38,251 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 October 2014 - 08:30 AM

Only Service Pack 1 is available for Windows 7.

Learn how to install Windows 7 Service Pack 1 (SP1)
http://windows.microsoft.com/en-CA/windows7/install-windows-7-service-pack-1

Check if you already have it and, if not, install it from Windows Update (recommended).

Check the link.
===

How is the computer running now?

#9 Jakeburbery84
  • Topic Starter

  • Members
  • 9 posts

Posted 20 October 2014 - 12:13 PM

Thanks, I downloaded Windows SP1 and also updated Java.

 

However, I ran Combofix this morning on a purely diagnostic basis as my browser was/is still laggy. Unfortunately I think the results are the same as when I first ran it. See below:

 

ComboFix 14-10-20.01 - Jake 20/10/2014   7:52.12.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.4007.2392 [GMT 1:00]
Running from: e:\downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-20 to 2014-10-20  )))))))))))))))))))))))))))))))
.
.
2014-10-20 07:03 . 2014-10-20 07:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-10-20 07:03 . 2014-10-20 07:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-19 19:09 . 2014-10-19 19:09 -------- d-----w- c:\windows\system32\SPReview
2014-10-19 18:54 . 2014-10-19 18:51 191400 ----a-w- c:\windows\system32\javaw.exe
2014-10-19 18:54 . 2014-10-19 18:51 190888 ----a-w- c:\windows\system32\java.exe
2014-10-19 18:53 . 2014-10-19 18:53 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-10-15 20:13 . 2014-10-10 01:53 276480 ----a-w- c:\windows\system32\generaltel.dll
2014-10-14 18:10 . 2014-10-17 19:33 -------- d-----w- C:\FRST
2014-10-14 17:55 . 2014-10-14 18:02 -------- d-----w- C:\AdwCleaner
2014-10-06 20:00 . 2014-10-06 20:00 -------- d-----w- c:\windows\ERUNT
2014-10-03 11:12 . 2014-10-03 11:12 -------- d-----w- c:\users\Jake\AppData\Roaming\Unity
2014-10-03 10:43 . 2014-10-03 10:43 -------- d-----w- c:\users\Jake\AppData\Local\Unity
2014-09-29 17:08 . 2014-09-29 17:08 -------- d--h--w- c:\programdata\CanonIJMyPrinter
2014-09-27 18:19 . 2014-09-27 18:19 -------- d-----w- c:\users\Jake\AppData\Roaming\Canon
2014-09-27 18:19 . 2014-09-27 18:19 -------- d--h--w- c:\programdata\CanonIJQuickMenu
2014-09-27 18:19 . 2014-09-27 18:19 -------- d--h--w- c:\programdata\CanonIJEGV
2014-09-27 18:16 . 2012-04-16 04:00 392192 ----a-w- c:\windows\system32\CNMXLMBA.DLL
2014-09-27 18:13 . 2014-09-27 18:13 -------- d-----w- c:\program files\Common Files\CANON
2014-09-27 18:12 . 2014-09-27 18:12 -------- d-----w- c:\programdata\CanonIJWSpt
2014-09-27 18:08 . 2014-09-27 18:13 -------- d-----w- c:\program files\Canon
2014-09-27 18:07 . 2014-09-27 18:07 -------- d--h--w- c:\programdata\CanonBJ
2014-09-27 18:07 . 2012-04-16 04:00 30208 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDBA.DLL
2014-09-27 18:07 . 2012-04-16 04:00 100352 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPBA.DLL
2014-09-27 18:07 . 2014-09-27 18:07 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2014-09-27 18:07 . 2012-04-16 04:00 389120 ----a-w- c:\windows\system32\CNMLMBA.DLL
2014-09-27 18:06 . 2014-09-27 18:06 -------- d-----w- c:\windows\system32\STRING
2014-09-27 18:06 . 2012-03-28 17:01 39424 ----a-w- c:\windows\system32\CNMN6UI.DLL
2014-09-27 18:06 . 2012-03-28 17:01 359936 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2014-09-27 18:04 . 2014-10-07 20:02 -------- d-----w- c:\programdata\CanonIJPLM
2014-09-27 18:04 . 2014-09-27 18:04 -------- d--h--w- c:\programdata\CanonIJETV
2014-09-27 18:03 . 2014-09-27 18:13 -------- d-----w- c:\program files (x86)\Canon
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\programdata\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\users\Jake\AppData\Roaming\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\users\Jake\AppData\Local\TomTom
2014-09-20 15:21 . 2014-09-20 15:21 -------- d-----w- c:\program files (x86)\TomTom HOME 2
2014-09-20 15:19 . 2014-09-20 15:19 -------- d-----w- c:\program files (x86)\TomTom International B.V
2014-09-20 15:18 . 2014-09-20 15:18 -------- d-----w- c:\users\Jake\AppData\Local\Downloaded Installations
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-20 06:46 . 2011-09-06 10:55 151552 ----a-w- c:\windows\KMSEmulator.exe
2014-10-19 19:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2014-10-19 19:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2014-10-19 18:51 . 2014-04-27 19:49 111016 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2014-10-19 18:51 . 2014-04-27 19:50 320936 ----a-w- c:\windows\system32\javaws.exe
2014-10-15 22:34 . 2011-08-03 10:42 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-10-14 17:38 . 2014-04-28 17:57 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-14 17:37 . 2014-03-23 18:58 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-10-14 17:37 . 2014-03-23 12:57 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-10-14 17:37 . 2014-03-23 12:57 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-10-03 12:36 . 2012-06-19 17:59 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-10-03 12:36 . 2011-08-03 12:42 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-14 10:23 . 2011-08-03 12:14 534104 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-10-14 703736]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2014-01-10 1861968]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2014-04-03 450560]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-09-12 959176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys;c:\windows\SYSNATIVE\DRIVERS\asahci64.sys [x]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys;c:\windows\SYSNATIVE\Drivers\RapportKE64.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 RapportCerberus_80055;RapportCerberus_80055;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80055.sys [x]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [x]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
S2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
S2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 12:36]
.
2014-10-20 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
.
2014-10-20 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-09-06 10:55]
.
2014-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-23 11:58]
.
2014-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-23 11:58]
.
2014-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000Core.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 19:45]
.
2014-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3507203518-2337994747-1172144935-1000UA.job
- c:\users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-03 19:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-01-29 442328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-01-29 399832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-01-29 171992]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-19 11613288]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-01 675840]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\program files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - c:\program files (x86)\GreenTree Applications\YTD Video Downloader\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-20  08:07:01
ComboFix-quarantined-files.txt  2014-10-20 07:07
ComboFix2.txt  2014-10-15 08:04
ComboFix3.txt  2014-10-11 18:58
ComboFix4.txt  2014-10-06 20:46
ComboFix5.txt  2014-10-20 06:51
.
Pre-Run: 349,587,378,176 bytes free
Post-Run: 348,969,369,600 bytes free
.
- - End Of File - - D4E35F81509AD961315B216F64A9285E
A36C5E4F47E84449FF07ED3517B43A31
 
 
Actually the PC as a whole is slower. It took about a minute to highlight the whole of the text above to copy it!
 
Thanks in advance
Jake


#10 nasdaq (Malware Response Team)

Posted 20 October 2014 - 12:54 PM

The log is clean.

Check for missing or corrupted Operating files in your system.

Execute the instructions on this page.
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

Keep me posted.

#11 Jakeburbery84 (Topic Starter)

Posted 20 October 2014 - 01:29 PM

Thanks for your prompt reply. I don't know what log you are referring to. The ComboFix log has locked registry keys and orphans every time it is run. I read that malicious software can change the permissions of the registry keys, making it difficult to delete them. From a little research I see there is a way to change the privileges on these registry keys and then delete them, but I am not sure if they are malicious, so I don't want to mess with the registry if they are essential to my PC working. As for the orphans, I don't know why these are not being removed.

 

P.S. I ran the Command Prompt sfc scan and Windows Resource Protection did not find any integrity violations.

 

Cheers

Jake



#12 nasdaq (Malware Response Team)

Posted 21 October 2014 - 08:33 AM

The locked registry keys are all valid.
Do not change them.

Try this.
How to perform a clean boot in Windows Vista, W7, W8.
http://support.microsoft.com/kb/929135

Read and follow the instructions on the page.

Did you find any conflicting issues?

#13 Jakeburbery84 (Topic Starter)

Posted 22 October 2014 - 10:49 AM

I tried this, but msconfig freezes when it carries out the operation and I can't do anything to it (other than close it via the task manager). I waited for at least 30 minutes. Also my browser seems slower than ever now. I'm using Google Chrome and I tried deleting all the history and it still wasn't any faster.

 

Is it usual for clean boot to freeze?

 

Jake


It also crashes when I first open the browser, saying either to wait for the page to load or close it.



#14 nasdaq (Malware Response Team)

Posted 23 October 2014 - 08:59 AM

Let's check deeper.

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======

#15 Jakeburbery84 (Topic Starter)

Posted 23 October 2014 - 12:25 PM

I did the scan and hit delete, but it didn't delete the registry, Hosts file or Web Browsers. Should I check them and delete them also?
 
Thanks
 
Jake
 
RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jake [Administrator]
Mode : Delete -- Date : 10/23/2014  18:21:56
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 16 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3507203518-2337994747-1172144935-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3507203518-2337994747-1172144935-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3507203518-2337994747-1172144935-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3507203518-2337994747-1172144935-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_CREATE[0] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_CLOSE[2] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_DEVICE_CONTROL[14] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_POWER[22] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_SYSTEM_CONTROL[23] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\pciide.sys - IRP_MJ_PNP[27] : C:\Windows\system32\drivers\nsiproxy.sys @ 0x3ca32c0
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] a35e9805d44d40d61ce121c39186549c
[BSP] 28e1b2ea4c32ac31774793ac087b662e : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 553767 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1134321664 | Size: 399999 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_10232014_181919.log