
IE, Chrome and Mozilla pop up random ads


  • This topic is locked
10 replies to this topic

#1 valen9600


  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:06 PM

Posted 07 December 2014 - 09:49 PM

Hi,
 
IE, Chrome and Mozilla have been hijacked by pop-up ads. I tried to remove the malware but could not. I ran AdwCleaner, Junkware Removal Tool, ComboFix and CCleaner, but am still having problems. The logs are below. Can someone give me some advice? Thanks.
 
 
# AdwCleaner v4.104 - Report created 07/12/2014 at 10:11:44
# Updated 05/12/2014 by Xplode
# Database : 2014-12-01.1 [Local]
# Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# Username : Andy - TEXAS
# Running from : C:\Users\Andy\Downloads\adwcleaner_4.104.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
[!] Folder Deleted : C:\Program Files (x86)\Spyware Clear
[!] Folder Deleted : C:\Program Files (x86)\Common Files\DealAlly
[!] Folder Deleted : C:\Program Files (x86)\Common Files\Hoist Search
[!] Folder Deleted : C:\Users\Andy\AppData\Local\PackageAware
File Deleted : C:\END
File Deleted : C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FCF8BFD3-39B8-4370-B464-EC2AAACD97CF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC865B26-C31D-4D23-B17B-96548EEF03F6}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Groovorio
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\SweetIM
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\SweetIM
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6592FDEC-2C1A-413A-9985-25FEC2F0848D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{6592FDEC-2C1A-413A-9985-25FEC2F0848D}
Key Deleted : [x64] HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16592
 
 
-\\ Mozilla Firefox v33.1 (x86 en-US)
 
 
-\\ Google Chrome v39.0.2171.71
 
 
*************************
 
AdwCleaner[R0].txt - [3427 octets] - [07/12/2014 10:06:33]
AdwCleaner[S0].txt - [3007 octets] - [07/12/2014 10:11:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3067 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows ™ Vista Home Premium x64
Ran by Andy on Sun 12/07/2014 at 10:37:27.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Users\Andy\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Andy\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage-journal"
 
 
 
~~~ Folders
 
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{186F0A8A-F29E-4785-AE17-6F365AB29A66}
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{27552214-F8D4-43EC-96A3-9C598F8733D6}
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{38F7BDA0-4FAC-4177-AC25-F94629F69CB8}
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{413BF490-6EFC-481C-ADF7-D773C6904F63}
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{76F19754-F11F-4FE7-899B-D3AEA08BBA1C}
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{B50D08AB-87B2-46A1-B2F5-F4A43241D5D3}
Successfully deleted: [Empty Folder] C:\Users\Andy\appdata\local\{BA588FF2-DBAC-4A76-9B11-2DA0660A2C64}
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/07/2014 at 10:41:32.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
ComboFix 14-12-07.01 - Andy 12/07/2014  11:02:30.1.4 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6141.4168 [GMT -6:00]
Running from: c:\users\Andy\Downloads\ComboFix.exe
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: Webroot SecureAnywhere *Disabled/Updated* {66A6FE14-08CB-F415-3742-517201416109}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Webroot SecureAnywhere *Disabled/Updated* {DDC71FF0-2EF1-FB9B-0DF2-6A007AC62BB4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\INSTALL.LOG
c:\program files (x86)\readme.txt
c:\programdata\600440862
c:\programdata\600440862\BIT149F.tmp
c:\users\Andy\AppData\Local\assembly\tmp
c:\users\Andy\g2mdlhlpx.exe
c:\windows\msdownld.tmp
D:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-07 to 2014-12-07  )))))))))))))))))))))))))))))))
.
.
2014-12-07 16:52 . 2014-12-07 16:52 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C00DA7C-D572-43C9-B3BA-A1F1FE7FAAFE}\offreg.dll
2014-12-07 16:37 . 2014-12-07 16:37 -------- d-----w- c:\windows\ERUNT
2014-12-07 16:06 . 2014-12-07 16:25 -------- d-----w- C:\AdwCleaner
2014-12-05 10:26 . 2014-12-05 10:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2014-12-05 09:19 . 2014-11-02 04:20 11632448 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C00DA7C-D572-43C9-B3BA-A1F1FE7FAAFE}\mpengine.dll
2014-11-30 20:10 . 2014-11-30 20:10 -------- d-----w- c:\users\Andy\AppData\Roaming\OpenSoftwareUpdater
2014-11-30 20:08 . 2014-12-02 12:58 -------- d-----w- c:\program files (x86)\OpenSoftwareUpdater
2014-11-29 22:06 . 2014-11-29 22:06 -------- d-----w- c:\windows\Warhammer 40,000 Armageddon
2014-11-29 18:45 . 2014-11-29 18:45 -------- d-----w- c:\users\Andy\AppData\Roaming\JCP
2014-11-29 18:37 . 2014-11-29 18:38 -------- d-----w- c:\program files (x86)\Common Files\Cache utility
2014-11-29 18:36 . 2014-11-29 18:37 -------- d-----w- c:\program files (x86)\Common Files\Display settings
2014-11-28 17:19 . 2014-11-28 17:24 -------- d-----w- c:\users\Andy\AppData\Roaming\VASSAL
2014-11-28 17:18 . 2014-11-28 17:25 -------- d-----w- c:\program files\VASSAL-3.2.13
2014-11-28 17:09 . 2014-11-28 17:09 -------- d-----w- c:\program files (x86)\Common Files\Diagnostics
2014-11-28 17:06 . 2014-12-02 13:58 21976 ----a-w- c:\windows\system32\drivers\SPPD.sys
2014-11-28 17:04 . 2014-12-02 01:06 -------- d-----w- c:\programdata\WinZip
2014-11-26 19:44 . 2014-11-26 19:44 4443312 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-11-19 14:12 . 2014-10-24 01:03 499200 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-19 14:12 . 2014-10-24 00:39 656384 ----a-w- c:\windows\system32\kerberos.dll
2014-11-12 19:43 . 2014-10-12 23:52 2782208 ----a-w- c:\windows\system32\win32k.sys
2014-11-12 19:42 . 2014-09-19 00:50 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2014-11-12 19:42 . 2014-09-19 00:45 347136 ----a-w- c:\windows\system32\schannel.dll
2014-11-12 19:41 . 2014-08-12 02:25 729600 ----a-w- c:\windows\SysWow64\IMJP10K.DLL
2014-11-12 19:41 . 2014-08-12 02:11 923136 ----a-w- c:\windows\system32\IMJP10K.DLL
2014-11-12 19:33 . 2014-10-24 01:04 67072 ----a-w- c:\windows\SysWow64\packager.dll
2014-11-12 19:33 . 2014-10-24 00:39 77312 ----a-w- c:\windows\system32\packager.dll
2014-11-12 19:33 . 2014-08-27 00:55 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-11-12 19:33 . 2014-08-27 00:55 1249280 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-11-12 19:33 . 2014-08-27 00:41 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-11-12 19:33 . 2014-08-27 00:41 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-11-12 12:33 . 2014-10-27 20:05 483840 ----a-w- c:\program files\Internet Explorer\ieinstal.exe
2014-11-12 12:33 . 2014-10-27 20:05 223744 ----a-w- c:\program files\Internet Explorer\ielowutil.exe
2014-11-12 12:33 . 2014-10-27 20:03 11264 ----a-w- c:\windows\system32\msfeedssync.exe
2014-11-12 12:33 . 2014-10-27 18:57 470016 ----a-w- c:\program files (x86)\Internet Explorer\ieinstal.exe
2014-11-12 12:33 . 2014-10-27 18:57 223232 ----a-w- c:\program files (x86)\Internet Explorer\ielowutil.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-26 19:44 . 2012-04-19 14:03 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-26 19:44 . 2011-05-19 14:30 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-23 16:18 . 2013-05-19 14:06 153256 ----a-w- c:\windows\SysWow64\WRusr.dll
2014-11-23 16:18 . 2013-05-19 14:06 114176 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2014-11-23 16:18 . 2013-05-19 14:06 103816 ----a-w- c:\windows\system32\WRusr.dll
2014-11-12 19:34 . 2006-11-02 12:35 103374192 ----a-w- c:\windows\system32\mrt.exe
2014-11-04 20:30 . 2009-10-02 21:47 275080 ------w- c:\windows\system32\MpSigStub.exe
2014-10-16 22:18 . 2014-10-16 22:19 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-02 19:23 . 2014-10-02 19:23 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2014-10-02 19:23 . 2014-10-02 19:23 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2014-09-09 06:40 . 2014-09-24 01:59 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 06:24 . 2014-09-24 01:59 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-05-19 14:16 . 2013-05-19 14:16 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
2012-03-29 14:11 . 2012-03-29 14:11 3993600 ----a-w- c:\program files (x86)\GUT25F8.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Steam"="c:\program files (x86)\steam\steam.exe" [2014-11-18 1940160]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2014-11-06 3618648]
"SmileboxTray"="c:\users\Andy\AppData\Roaming\Smilebox\SmileboxTray.exe" [2014-09-12 342312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Smart Copy"="c:\program files (x86)\IOI\Smart Copy\ButtonMonitor.exe" [2008-05-11 49152]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files (x86)\Norton 360\osCheck.exe" [2008-02-26 988512]
"PinnacleDriverCheck"="c:\windows\SysWOW64\PSDrvCheck.exe" [2003-11-10 406016]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2013-04-15 450560]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"WRSVC"="c:\program files (x86)\Webroot\WRSA.exe" [2014-11-23 768656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-09-26 271744]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
.
c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Andy\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-11-13 35419192]
PMB Media Check Tool.lnk - c:\program files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe /noballoononstart [2011-2-22 333088]
WinCal - Shortcut.lnk - c:\program files\Windows Calendar\WinCal.exe [2008-1-20 1264128]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-5-19 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-5-19 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_Dlls"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 51cdb72;Optimizer Pro Crash Monitor;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-11-26 18:34 1087304 ----a-w- c:\program files (x86)\Google\Chrome\Application\39.0.2171.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 19:44]
.
2014-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 23:23]
.
2014-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 23:23]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ ]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  ]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\   ]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\    ]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Andy\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\    ]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\   ]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ ]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  ]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2014-11-23 16:18 153256 ----a-w- c:\windows\SysWOW64\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-04-13 6150656]
"Skytel"="Skytel.exe" [2008-04-13 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 137240]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 202264]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 165400]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX4710-UB003A
mStart Page = hxxp://start.smilebox.com/?src=10&st=12&crg=3.5000006.10040&barid={635D70F8-C7E6-11E2-AC97-001FE23B346F}
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX4710-UB003A
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:13081
uInternet Settings,ProxyOverride = <-loopback>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX4710-UB003A
Trusted Zone: hullandassoc.com\mail
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\wba22bz2.default-1417776382507\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
Wow6432Node-HKLM-Run-BrStsMon00 - c:\program files (x86)\Browny02\Brother\BrStMonW.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-Warhammer 40,000 Armageddon1.00 - c:\windows\Warhammer 40
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GrillaPrice]
"ImagePath"="c:\program files (x86)\Windows Media Player\grillaprice\grillaprice.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2338045119-2004918162-2729742732-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:e2,fa,49,59,7a,93,90,cc,87,76,19,41,ab,60,f3,a1,3a,a1,af,04,a8,e4,b4,
   55,54,6a,95,a3,59,6a,17,65,39,a7,3e,8b,6e,95,00,ee,2e,3a,ac,07,8a,3b,bd,2f,\
"??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
.
[HKEY_USERS\S-1-5-21-2338045119-2004918162-2729742732-1000\Software\SecuROM\License information*]
"datasecu"=hex:61,42,66,67,61,65,bd,77,a5,87,df,9e,8e,8d,14,b8,80,11,d2,8d,14,
   98,19,b6,bf,2a,9d,26,c3,10,cd,00,5f,83,36,3b,72,26,74,b4,78,3f,fd,4d,39,ee,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GrillaPrice]
@Denied: (A B 2 3) (Everyone)
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=expand:"c:\\Program Files (x86)\\Windows Media Player\\grillaprice\\grillaprice.exe -service"
"DisplayName"="GrillaPrice"
"WOW64"=dword:00000001
"ObjectName"="LocalSystem"
"Description"="This service will show you offers from GorillaPrice in a seperate window, up to 8 offers per day."
"FailureActions"=hex:01,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,
   00,01,00,00,00,64,00,00,00,01,00,00,00,64,00,00,00,01,00,00,00,64,00,00,00
.
Completion time: 2014-12-07  11:14:40
ComboFix-quarantined-files.txt  2014-12-07 17:14
.
Pre-Run: 71,480,684,544 bytes free
Post-Run: 73,269,063,680 bytes free
.
- - End Of File - - C8527BEB2DB0AC5816CF02060C8E52F5
5C616939100B85E558DA92B899A0FC36

Edited by Orange Blossom, 07 December 2014 - 10:14 PM.
Moved to log forum. ~ OB



#2 sewinluv


  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 07 December 2014 - 10:13 PM

Hi Valen9600

I am also having the same issues.  I find too that certain words are double underlined in blue and if you click or place your cursor on them, they will lead to an ad or a survey.  I have also run the suggested fixes and have found them to make no difference.  Still searching for a better fix.  I also ran Malwarebytes.  It was not helpful.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:06 PM

Posted 11 December 2014 - 09:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#4 valen9600

valen9600
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:06 PM

Posted 12 December 2014 - 04:51 AM

Here is the FRST Log and addition.txt is attached.

Since my first post, I installed Malwarebytes Anti-Malware (free version) and ran it. It quarantined a bunch of stuff (~1422 items).

Thanks.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-12-2014 03
Ran by Andy (administrator) on TEXAS on 12-12-2014 03:43:13
Running from C:\Users\Andy\Desktop\Malware Removal
Loaded Profile: Andy (Available profiles: Andy & UpdatusUser)
Platform: Windows Vista ™ Home Premium Service Pack 2 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\CCSVCHST.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Windows\SysWOW64\PnkBstrB.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Symantec Corporation) C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Electronic Arts) C:\Program Files (x86)\Origin\Origin.exe
(Smilebox, Inc.) C:\Users\Andy\AppData\Roaming\Smilebox\SmileboxTray.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(IOI) C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe
(Dropbox, Inc.) C:\Users\Andy\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\CCSVCHST.EXE
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
() C:\Program Files (x86)\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6150656 2008-04-13] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2008-04-13] (Realtek Semiconductor Corp.)
HKLM-x32\...\Run: [Smart Copy] => C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe [49152 2008-05-11] (IOI)
HKLM-x32\...\Run: [ccApp] => C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe [51048 2008-10-17] (Symantec Corporation)
HKLM-x32\...\Run: [osCheck] => C:\Program Files (x86)\Norton 360\osCheck.exe [988512 2008-02-26] (Symantec Corporation)
HKLM-x32\...\Run: [PinnacleDriverCheck] => C:\Windows\SysWOW64\PSDrvCheck.exe [406016 2003-11-10] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46368 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [29984 2010-03-08] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort12reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [328992 2010-02-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-04-15] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-12] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\RunOnce: [Launcher] => %WINDIR%\SMINST\launcher.exe
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\Run: [Steam] => c:\program files (x86)\steam\steam.exe [1940160 2014-11-18] (Valve Corporation)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3618648 2014-12-10] (Electronic Arts)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\Run: [SmileboxTray] => C:\Users\Andy\AppData\Roaming\Smilebox\SmileboxTray.exe [342312 2014-09-12] (Smilebox, Inc.)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7063832 2014-11-21] (Piriform Ltd)
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\...\RunOnce: [Adobe Speed Launcher] => 1418375000
Startup: C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Andy\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinCal - Shortcut.lnk
ShortcutTarget: WinCal - Shortcut.lnk -> C:\Program Files\Windows Calendar\WinCal.exe (Microsoft Corporation)
Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
ShellIconOverlayIdentifiers-x32: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Common Files\Symantec Shared\Backup\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Common Files\Symantec Shared\Backup\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Common Files\Symantec Shared\Backup\buShell.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction http=127.0.0.1:13081
ProxyEnable: [S-1-5-19] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-20] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-21-2338045119-2004918162-2729742732-1000] => Internet Explorer proxy is enabled.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.smilebox.com/?src=10&st=12&crg=3.5000006.10040&barid={635D70F8-C7E6-11E2-AC97-001FE23B346F}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX4710-UB003A
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX4710-UB003A
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
SearchScopes: HKU\S-1-5-21-2338045119-2004918162-2729742732-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll (TechSmith Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll No File
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
BHO-x32: DivX Plus Web Player HTML5 -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Common Files\Symantec Shared\IDS\IPSBHO.dll (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll (TechSmith Corporation)
Toolbar: HKLM-x32 - Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
Toolbar: HKU\S-1-5-21-2338045119-2004918162-2729742732-1000 -> Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.srtest.com/srl_bin/sysreqlab3.cab
Handler-x32: http - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75

FireFox:
========
FF ProfilePath: C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\wba22bz2.default-1417776382507
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin-x32: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2338045119-2004918162-2729742732-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Andy\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKU\S-1-5-21-2338045119-2004918162-2729742732-1000: @facebook.com/FBPlugin,version=1.0.3 -> C:\Users\Andy\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF Plugin HKU\S-1-5-21-2338045119-2004918162-2729742732-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Andy\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPTURNMED.dll (CNN)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2014-11-11]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-02]
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013-05-18]

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft Office 2003) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (Turner Media Plugin 1.0.0.10) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPTURNMED.dll (CNN)
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U37) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Facebook Plugin) - C:\Users\Andy\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\SysWOW64\npdeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-26]
CHR Extension: (Google Wallet) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-04]
CHR Extension: (DivX Plus Web Player HTML5 ) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2011-09-29]
CHR HKLM-x32\...\Chrome\Extension: [dmidaiabaeipgkcooijbikmdcofhpakp] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-05-06]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Automatic LiveUpdate Scheduler; C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe [238968 2008-02-21] (Symantec Corporation)
R2 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
R2 CLTNetCnService; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 comHost; C:\Program Files (x86)\Common Files\Symantec Shared\VAScanner\comHost.exe [267096 2007-08-22] (Symantec Corporation)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE [3220856 2008-08-04] (Symantec Corporation)
R2 LiveUpdate Notice; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [149352 2008-10-17] (Symantec Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1900400 2014-12-10] (Electronic Arts)
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [66872 2008-10-25] ()
R2 PnkBstrB; C:\Windows\SysWOW64\PnkBstrB.exe [107832 2008-10-25] ()
R3 Symantec Core LC; C:\Program Files (x86)\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [1245064 2008-06-17] ()
S2 51cdb72; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.11\OptProCrash.dll",ENT

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S1 Beep; No ImagePath
S3 COH_Mon; C:\Windows\system32\Drivers\COH_Mon.sys [25424 2008-07-30] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [475696 2008-09-02] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [128048 2008-09-02] (Symantec Corporation)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-05-19] (GFI Software)
R1 IDSvia64; C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20081014.001\IDSviA64.sys [368688 2008-09-12] (Symantec Corporation)
R0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69152 2010-06-11] (Lavasoft AB)
S3 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [440880 2008-01-31] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [476720 2008-01-31] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2008-01-31] (Symantec Corporation)
S3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [29704 2008-09-16] ()
S3 SWNC8U80; C:\Windows\System32\DRIVERS\swnc8u80.sys [196608 2008-01-10] (Sierra Wireless Inc.)
S3 SWUMX80; C:\Windows\System32\DRIVERS\swumx80.sys [191744 2008-01-10] (Sierra Wireless Inc.)
R3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [16432 2009-02-19] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172080 2009-01-10] (Symantec Corporation)
R3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [145456 2009-02-19] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [28720 2009-02-19] (Symantec Corporation)
R3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [47664 2009-02-19] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [28720 2009-02-19] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [266800 2009-02-19] (Symantec Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20081015.050\ENG64.SYS [X]
S3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20081015.050\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCASp50a64; System32\Drivers\PCASp50a64.sys [X]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-12 03:40 - 2014-12-12 03:43 - 00000000 ____D () C:\Users\Andy\Desktop\Malware Removal
2014-12-12 03:40 - 2014-12-12 03:43 - 00000000 ____D () C:\FRST
2014-12-12 03:39 - 2014-12-12 03:39 - 02119680 _____ (Farbar) C:\Users\Andy\Downloads\FRST64.exe
2014-12-12 03:10 - 2014-12-12 03:10 - 01595176 _____ () C:\Users\Andy\Downloads\Attachments_20141212 (2).zip
2014-12-12 03:10 - 2014-12-12 03:10 - 00211614 _____ () C:\Users\Andy\Downloads\Attachments_20141212 (1).zip
2014-12-12 03:09 - 2014-12-12 03:09 - 00207167 _____ () C:\Users\Andy\Downloads\Attachments_20141212.zip
2014-12-11 08:47 - 2014-12-11 18:46 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-11 08:43 - 2014-12-11 08:43 - 00000952 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-11 08:43 - 2014-12-11 08:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-11 08:43 - 2014-12-11 08:43 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-11 08:43 - 2014-12-11 08:43 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-11 08:43 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-11 08:43 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-11 08:43 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-11 08:37 - 2014-12-11 08:37 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Andy\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-10 18:49 - 2014-12-10 18:49 - 00103182 _____ () C:\Users\Andy\Downloads\Attachments_20141210.zip
2014-12-10 06:31 - 2014-11-06 19:33 - 00974848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-10 06:31 - 2014-11-06 19:28 - 01209856 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-10 06:31 - 2014-11-03 18:35 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-10 06:31 - 2014-11-03 18:19 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-10 06:29 - 2014-12-02 20:06 - 00278528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-12-10 06:29 - 2014-12-02 19:51 - 00347136 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-12-10 05:56 - 2014-12-11 18:38 - 00537028 _____ () C:\Windows\PFRO.log
2014-12-10 03:43 - 2014-11-24 16:12 - 17874432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 03:43 - 2014-11-24 15:59 - 00448512 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2014-12-10 03:43 - 2014-11-24 15:54 - 10921984 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 03:43 - 2014-11-24 15:53 - 02339840 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 03:43 - 2014-11-24 15:47 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 03:43 - 2014-11-24 15:47 - 01388032 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 03:43 - 2014-11-24 15:45 - 01494016 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 03:43 - 2014-11-24 15:45 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-12-10 03:43 - 2014-11-24 15:45 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 02157056 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00282112 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-10 03:43 - 2014-11-24 15:44 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-12-10 03:43 - 2014-11-24 15:44 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-12-10 03:43 - 2014-11-24 15:43 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 03:43 - 2014-11-24 15:43 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 03:43 - 2014-11-24 15:43 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-12-10 03:43 - 2014-11-24 15:42 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-10 03:43 - 2014-11-24 14:44 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2014-12-10 03:43 - 2014-11-24 14:41 - 12369920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-10 03:43 - 2014-11-24 14:40 - 01810944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-10 03:43 - 2014-11-24 14:37 - 09740800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-10 03:43 - 2014-11-24 14:35 - 01139712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-10 03:43 - 2014-11-24 14:35 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-10 03:43 - 2014-11-24 14:34 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-10 03:43 - 2014-11-24 14:34 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2014-12-10 03:43 - 2014-11-24 14:33 - 01802752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-10 03:43 - 2014-11-24 14:33 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-12-10 03:43 - 2014-11-24 14:33 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-10 03:43 - 2014-11-24 14:33 - 00421376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-10 03:43 - 2014-11-24 14:33 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-10 03:43 - 2014-11-24 14:33 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-10 03:43 - 2014-11-24 14:33 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2014-12-10 03:43 - 2014-11-24 14:32 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-10 03:43 - 2014-11-24 14:32 - 00353792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-10 03:43 - 2014-11-24 14:32 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-10 03:43 - 2014-11-24 14:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-10 03:43 - 2014-11-24 14:32 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-10 03:43 - 2014-11-24 14:32 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2014-12-10 03:43 - 2014-11-24 14:32 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2014-12-09 16:46 - 2014-12-09 16:46 - 00024260 _____ () C:\Users\Andy\Downloads\DocumentFragment_6322808 (2).tif
2014-12-09 16:44 - 2014-12-09 16:44 - 00024260 _____ () C:\Users\Andy\Downloads\DocumentFragment_6322808 (1).tif
2014-12-09 16:43 - 2014-12-09 16:43 - 00024260 _____ () C:\Users\Andy\Downloads\DocumentFragment_6322808.tif
2014-12-09 16:34 - 2014-12-09 16:34 - 00032098 _____ () C:\Users\Andy\Desktop\Letter OPC re Scheduling Order.wpd
2014-12-09 16:23 - 2014-12-09 16:23 - 00032089 _____ () C:\Users\Andy\Downloads\Letter OPC re Scheduling Order.wpd
2014-12-09 07:58 - 2014-12-09 07:58 - 00003340 _____ () C:\Users\Andy\Downloads\Skyler-Stephens.vcf
2014-12-07 20:25 - 2014-12-07 20:25 - 00002770 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-12-07 20:25 - 2014-12-07 20:25 - 00000781 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-12-07 20:25 - 2014-12-07 20:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-12-07 20:25 - 2014-12-07 20:25 - 00000000 ____D () C:\Program Files\CCleaner
2014-12-07 20:24 - 2014-12-07 20:24 - 05162080 _____ (Piriform Ltd) C:\Users\Andy\Downloads\ccsetup500.exe
2014-12-07 20:24 - 2014-12-07 20:24 - 05162080 _____ (Piriform Ltd) C:\Users\Andy\Downloads\ccsetup500 (1).exe
2014-12-07 20:20 - 2014-12-07 20:20 - 00000129 _____ () C:\Users\Andy\Desktop\CFScript.txt
2014-12-07 11:14 - 2014-12-07 11:14 - 00026167 _____ () C:\ComboFix.txt
2014-12-07 10:59 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-07 10:59 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-07 10:59 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-07 10:59 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-07 10:59 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-07 10:59 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-07 10:59 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-07 10:59 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-07 10:58 - 2014-12-07 11:14 - 00000000 ____D () C:\Qoobox
2014-12-07 10:58 - 2014-12-07 11:13 - 00000000 ____D () C:\Windows\erdnt
2014-12-07 10:58 - 2014-12-07 10:58 - 05600430 ____R (Swearware) C:\Users\Andy\Downloads\ComboFix.exe
2014-12-07 10:37 - 2014-12-07 10:37 - 00000000 ____D () C:\Windows\ERUNT
2014-12-07 10:36 - 2014-12-07 10:36 - 01707646 _____ (Thisisu) C:\Users\Andy\Downloads\JRT.exe
2014-12-07 10:06 - 2014-12-07 10:25 - 00000000 ____D () C:\AdwCleaner
2014-12-07 10:06 - 2014-12-07 10:06 - 00000055 _____ () C:\AdwCleanerDebug.txt
2014-12-07 10:05 - 2014-12-07 10:05 - 02153472 _____ () C:\Users\Andy\Downloads\adwcleaner_4.104.exe
2014-12-05 04:51 - 2014-12-05 04:51 - 01754248 _____ () C:\Users\Andy\Downloads\Adaware_Installer(6).exe
2014-12-05 04:46 - 2014-12-05 04:46 - 00000000 ____D () C:\Users\Andy\Desktop\Old Firefox Data
2014-12-05 04:26 - 2014-12-05 04:26 - 00001110 _____ () C:\Users\Andy\Desktop\Revo Uninstaller.lnk
2014-12-05 04:26 - 2014-12-05 04:26 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-12-05 04:25 - 2014-12-05 04:25 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Andy\Downloads\revosetup.exe
2014-12-04 18:44 - 2014-12-04 18:44 - 00631416 _____ () C:\Users\Andy\Downloads\setup (3).exe
2014-12-04 07:51 - 2014-12-04 07:51 - 00056063 _____ () C:\Users\Andy\Downloads\Attachments_2014124.zip
2014-12-02 07:15 - 2014-12-02 07:15 - 00079841 _____ () C:\Users\Andy\Downloads\Attachments_2014122 (1).zip
2014-12-02 07:13 - 2014-12-02 07:13 - 00497140 _____ () C:\Users\Andy\Downloads\Attachments_2014122.zip
2014-11-30 14:19 - 2014-11-30 14:20 - 43088513 _____ () C:\Users\Andy\Downloads\1-of-1.zip
2014-11-30 14:19 - 2014-11-30 14:19 - 00131736 _____ () C:\Users\Andy\Downloads\setup (2).exe
2014-11-30 14:10 - 2014-11-30 14:10 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\OpenSoftwareUpdater
2014-11-30 14:08 - 2014-12-02 06:58 - 00000000 ____D () C:\Program Files (x86)\OpenSoftwareUpdater
2014-11-30 14:07 - 2014-11-30 14:08 - 00355280 _____ (Installer Technology Co) C:\Users\Andy\Downloads\SoftwareUpdater.exe
2014-11-29 16:14 - 2014-11-29 16:14 - 00002068 _____ () C:\Users\Andy\Desktop\Warhammer 40,000 Armageddon (Game Menu).lnk
2014-11-29 16:14 - 2014-11-29 16:14 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Warhammer 40,000 Armageddon
2014-11-29 16:06 - 2014-11-29 16:06 - 00000000 ____D () C:\Windows\Warhammer 40,000 Armageddon
2014-11-29 15:59 - 2014-11-29 15:48 - 1009005019 _____ () C:\Users\Andy\Desktop\WH_Armageddon_SetupRelease_100.zip
2014-11-29 12:45 - 2014-11-29 12:45 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\JCP
2014-11-29 12:44 - 2014-11-30 15:21 - 00000000 ____D () C:\Users\Andy\Desktop\Holiday 2014
2014-11-28 11:19 - 2014-11-28 11:24 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\VASSAL
2014-11-28 11:18 - 2014-11-28 11:25 - 00000000 ____D () C:\Program Files\VASSAL-3.2.13
2014-11-28 11:18 - 2014-11-28 11:18 - 17785327 _____ () C:\Users\Andy\Downloads\VASSAL-3.2.13-windows.exe
2014-11-28 11:18 - 2014-11-28 11:18 - 00000796 _____ () C:\Users\Andy\Desktop\VASSAL.lnk
2014-11-28 11:18 - 2014-11-28 11:18 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VASSAL
2014-11-28 11:12 - 2014-11-28 11:12 - 08060424 _____ (FreeDownloadManager.ORG ) C:\Users\Andy\Downloads\fdminst.exe
2014-11-28 11:11 - 2014-12-11 08:37 - 00001024 _____ () C:\.rnd
2014-11-28 11:06 - 2014-12-02 07:58 - 00021976 _____ () C:\Windows\system32\Drivers\SPPD.sys
2014-11-28 11:04 - 2014-12-01 19:06 - 00000000 ____D () C:\ProgramData\WinZip
2014-11-28 11:03 - 2014-11-28 11:03 - 00880584 _____ ( ) C:\Users\Andy\Downloads\winzip19-mediafire.exe
2014-11-28 11:01 - 2014-11-28 11:01 - 110942603 _____ () C:\Users\Andy\Downloads\6thbasic (1).rar
2014-11-28 10:59 - 2014-11-28 10:59 - 110942603 _____ () C:\Users\Andy\Downloads\6thbasic.rar
2014-11-26 18:53 - 2014-11-26 18:53 - 06075219 _____ () C:\Users\Andy\Downloads\Attachments_20141126.zip
2014-11-22 12:19 - 2014-11-22 12:19 - 10692096 _____ () C:\Users\Andy\Downloads\asthmaspeakerkit (1).ppt
2014-11-22 11:06 - 2014-11-22 11:06 - 10692096 _____ () C:\Users\Andy\Downloads\asthmaspeakerkit.ppt
2014-11-21 19:21 - 2014-11-22 13:44 - 00000000 ____D () C:\Users\Andy\Desktop\Mold Research
2014-11-21 17:20 - 2014-11-21 17:20 - 00112981 _____ () C:\Users\Andy\Downloads\Attachments_20141121 (1).zip
2014-11-21 16:10 - 2014-11-21 16:10 - 00124125 _____ () C:\Users\Andy\Desktop\Global Earth Energy Inc. (GLER) Stock Message Board - InvestorsHub.html
2014-11-21 16:10 - 2014-11-21 16:10 - 00000000 ____D () C:\Users\Andy\Desktop\Global Earth Energy Inc. (GLER) Stock Message Board - InvestorsHub_files
2014-11-21 16:06 - 2014-11-21 16:06 - 00387159 _____ () C:\Users\Andy\Downloads\Attachments_20141121.zip
2014-11-19 08:12 - 2014-10-23 19:03 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-19 08:12 - 2014-10-23 18:39 - 00656384 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-16 10:26 - 2014-11-16 10:26 - 00005149 _____ () C:\Users\Andy\Downloads\TEXAS_SUBPOENA.wpd
2014-11-13 13:10 - 2014-11-13 13:10 - 00079770 _____ () C:\Users\Andy\Downloads\Attachments_20141113 (1).zip
2014-11-13 04:44 - 2014-11-13 04:44 - 00037649 _____ () C:\Users\Andy\Downloads\Attachments_20141113.zip
2014-11-12 13:43 - 2014-10-12 17:52 - 02782208 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-12 13:41 - 2014-08-11 20:25 - 00729600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-12 13:41 - 2014-08-11 20:11 - 00923136 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-12 13:40 - 2014-10-17 19:08 - 00564224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-12 13:40 - 2014-10-17 18:46 - 00847360 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 13:40 - 2014-10-09 19:10 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 13:40 - 2014-10-09 19:09 - 01689600 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 13:40 - 2014-10-09 19:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 13:40 - 2014-10-09 19:01 - 00077312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-12 13:40 - 2014-10-09 19:00 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-12 13:40 - 2014-10-09 17:53 - 00619520 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 13:40 - 2014-10-09 17:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-12 13:40 - 2014-10-02 19:18 - 00274432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-12 13:40 - 2014-10-02 19:17 - 00396800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-12 13:40 - 2014-10-02 19:17 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-12 13:40 - 2014-10-02 19:03 - 00313344 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 13:40 - 2014-10-02 19:02 - 00201728 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 13:40 - 2014-10-02 19:01 - 00474624 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 13:40 - 2014-10-02 19:01 - 00446976 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 13:40 - 2014-10-02 17:49 - 00088576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\audiodg.exe
2014-11-12 13:33 - 2014-10-23 19:04 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-12 13:33 - 2014-10-23 18:39 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 13:33 - 2014-08-26 18:55 - 01249280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-12 13:33 - 2014-08-26 18:55 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-12 13:33 - 2014-08-26 18:41 - 01869824 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 13:33 - 2014-08-26 18:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-12 03:34 - 2011-09-29 18:48 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-12 03:06 - 2008-06-17 22:50 - 01624100 _____ () C:\Windows\WindowsUpdate.log
2014-12-12 03:04 - 2014-07-18 05:35 - 00000000 ___RD () C:\Users\Andy\Dropbox
2014-12-12 03:04 - 2014-07-18 05:32 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\Dropbox
2014-12-12 03:04 - 2013-08-25 10:48 - 00000000 ____D () C:\ProgramData\Origin
2014-12-12 03:03 - 2013-08-25 10:48 - 00000000 ____D () C:\Program Files (x86)\Origin
2014-12-12 03:03 - 2012-03-19 17:32 - 00065536 _____ () C:\Windows\system32\Ikeext.etl
2014-12-12 03:03 - 2008-12-21 14:24 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-12-12 03:02 - 2011-09-29 18:48 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-12 03:02 - 2008-06-17 23:33 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-12-12 03:02 - 2006-11-02 09:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-12 03:02 - 2006-11-02 09:22 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-12 03:02 - 2006-11-02 09:22 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-11 19:22 - 2006-11-02 09:42 - 00032638 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-11 18:44 - 2012-04-19 08:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-11 18:43 - 2014-07-18 05:35 - 00000963 _____ () C:\Users\Andy\Desktop\Dropbox.lnk
2014-12-11 18:43 - 2014-07-18 05:33 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-11 09:02 - 2013-05-19 08:06 - 00000000 ____D () C:\ProgramData\WRData
2014-12-11 09:02 - 2008-04-09 15:57 - 00000000 ____D () C:\Windows\Panther
2014-12-10 19:44 - 2012-04-19 08:03 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-10 19:44 - 2012-04-19 08:03 - 00003682 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-10 19:44 - 2011-05-19 08:30 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-10 19:37 - 2011-09-29 18:51 - 00002036 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-12-10 18:39 - 2012-12-26 16:01 - 00002425 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2014-12-10 08:12 - 2006-11-02 07:33 - 00000000 ____D () C:\Windows\rescache
2014-12-10 06:37 - 2013-08-15 08:59 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-10 06:32 - 2006-11-02 06:35 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-12-09 21:29 - 2008-12-07 16:20 - 00004806 ___SH () C:\Windows\SysWOW64\KGyGaAvL.sys
2014-12-09 16:15 - 2012-06-30 10:51 - 00000336 _____ () C:\Windows\BRCALIB.INI
2014-12-07 20:27 - 2009-09-22 16:14 - 00000000 ____D () C:\Windows\Minidump
2014-12-07 11:14 - 2006-11-02 07:33 - 00000000 __RHD () C:\Users\Default
2014-12-07 11:12 - 2008-08-16 15:20 - 00000000 ____D () C:\Users\Andy
2014-12-07 11:12 - 2006-11-02 06:34 - 00000215 _____ () C:\Windows\system.ini
2014-12-05 04:53 - 2013-03-09 07:48 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\LavasoftStatistics
2014-12-05 03:22 - 2006-11-02 07:34 - 00000000 ____D () C:\Windows\tracing
2014-12-02 20:20 - 2013-04-07 12:26 - 00000000 ____D () C:\Users\Andy\AppData\Local\Citrix
2014-12-02 06:04 - 2010-05-27 06:02 - 00001356 _____ () C:\Users\Andy\AppData\Local\d3d9caps.dat
2014-11-30 14:17 - 2008-08-16 15:21 - 00097960 _____ () C:\Users\Andy\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-30 14:14 - 2006-11-02 09:21 - 00379384 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-29 20:27 - 2008-08-16 16:34 - 00000000 ____D () C:\Users\Andy\Documents\My Games
2014-11-29 16:06 - 2011-07-22 21:38 - 00000000 ____D () C:\Program Files (x86)\Slitherine
2014-11-29 16:03 - 2006-11-02 06:46 - 00822014 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-29 16:02 - 2014-11-09 08:34 - 00000000 ____D () C:\Users\Andy\Desktop\40k
2014-11-28 21:02 - 2012-10-09 14:47 - 00000000 ____D () C:\Users\Andy\Desktop\Melanie SAC Consulting
2014-11-28 11:08 - 2006-11-02 07:33 - 00000000 ____D () C:\Windows\Resources
2014-11-21 02:38 - 2013-05-28 16:31 - 00000000 ____D () C:\Users\Andy\AppData\Roaming\Smilebox
2014-11-16 21:10 - 2014-10-25 09:36 - 00000000 ____D () C:\Users\Andy\AppData\Local\Battle.net
2014-11-16 10:29 - 2011-09-29 18:48 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-16 10:29 - 2011-09-29 18:48 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-13 03:42 - 2012-04-28 08:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service

Some content of TEMP:
====================
C:\Users\Andy\AppData\Local\temp\drm_dialogs.dll
C:\Users\Andy\AppData\Local\temp\drm_dyndata_7350007.dll
C:\Users\Andy\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpyxr1do.dll
C:\Users\Andy\AppData\Local\temp\symlcsv1.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-12 03:09

==================== End Of Log ============================

#5 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 December 2014 - 09:03 AM



Remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:13081 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".

If required press the Apply button.
===

If you use Firefox, go to Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option, or No proxy if you do not need one.
===



Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction http=127.0.0.1:13081
ProxyEnable: [S-1-5-19] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-20] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-21-2338045119-2004918162-2729742732-1000] => Internet Explorer proxy is enabled.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.smilebox.com/?src=10&st=12&crg=3.5000006.10040&barid={635D70F8-C7E6-11E2-AC97-001FE23B346F}
SearchScopes: HKU\S-1-5-21-2338045119-2004918162-2729742732-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKU\S-1-5-21-2338045119-2004918162-2729742732-1000 -> Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U37) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\SysWOW64\npdeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (Google Wallet) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-04]
CHR HKLM-x32\...\Chrome\Extension: [dmidaiabaeipgkcooijbikmdcofhpakp] - No Path
S2 51cdb72; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.11\OptProCrash.dll",ENT
S1 Beep; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20081015.050\ENG64.SYS [X]
S3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20081015.050\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCASp50a64; System32\Drivers\PCASp50a64.sys [X]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
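The fixlist above bundles several indicator types that were worth acting on here: an HTTP proxy forced by policy onto 127.0.0.1:13081 (the classic ad-injecting local proxy), ProxyEnable set in per-SID hives, a redirected start page, BHO/toolbar/plugin entries whose file is gone, and a service that loads a DLL through rundll32. The following triage script is an added example, not part of the forum post or of FRST; it classifies such lines with heuristics of my own (loopback proxy, built-in service SIDs, rundll32-backed services), and the sample input is lines copied from the fixlist in this thread.

```python
"""Triage helper for FRST fixlist/scan lines (added example; not FRST's own
logic and not from the forum post). Severity rules are this example's own
assumptions:
  high   - proxy forced to a loopback address, ProxyEnable in a built-in
           service-account hive, or a service whose image is a rundll32 loader
  review - everything else worth a human look (orphaned entries, start page,
           per-user ProxyEnable, services with a missing image)
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: lines taken from the fixlist posted in the thread above.
SAMPLE_LINES = r"""
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction http=127.0.0.1:13081
ProxyEnable: [S-1-5-19] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-21-2338045119-2004918162-2729742732-1000] => Internet Explorer proxy is enabled.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.smilebox.com/?src=10&st=12
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll No File
S2 51cdb72; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.11\OptProCrash.dll",ENT
S1 Beep; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

PROXY_POLICY = re.compile(r"Policy restriction http=(?P<host>[\w.\-]+):(?P<port>\d+)")
PROXY_ENABLE = re.compile(r"^ProxyEnable: \[(?P<sid>S-[\d-]+)\]")
START_PAGE = re.compile(r"Start Page = (?P<url>\S+)")
# FRST service lines look like "S2 name; image" (start type, name, image path).
SERVICE = re.compile(r"^[SRU]\d (?P<name>[^;]+); (?P<image>.*)$")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
BUILTIN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, LocalService, NetworkService


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str   # "high" or "review"


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one FRST line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    m = PROXY_POLICY.search(line)
    if m:
        host, port = m.group("host"), m.group("port")
        sev = "high" if host in LOOPBACK else "review"
        return Finding("proxy_policy", f"IE proxy forced by policy to {host}:{port}", sev)
    m = PROXY_ENABLE.match(line)
    if m:
        sid = m.group("sid")
        # A proxy for LocalService/NetworkService hives is not something a user sets.
        sev = "high" if sid in BUILTIN_SIDS else "review"
        return Finding("proxy_enable", f"ProxyEnable set for {sid}", sev)
    m = START_PAGE.search(line)
    if m:
        host = urlparse(m.group("url")).hostname or "?"
        return Finding("start_page", f"start page points at {host}", "review")
    m = SERVICE.match(line)
    if m:
        name, image = m.group("name"), m.group("image")
        if "rundll32" in image.lower():
            return Finding("service_loader", f"service {name} loads a DLL via rundll32: {image}", "high")
        if image.endswith("[X]") or image == "No ImagePath":
            return Finding("service_orphan", f"service {name} has no usable image: {image}", "review")
        return None
    if line.endswith("No File") or line.endswith("No Path"):
        return Finding("orphan", line.split(":", 1)[0] + " entry whose file is missing", "review")
    return None


def triage(text: str) -> dict:
    """Classify every line and bucket the findings by severity."""
    findings = [f for f in map(classify, text.splitlines()) if f]
    return {
        "high": [f for f in findings if f.severity == "high"],
        "review": [f for f in findings if f.severity == "review"],
    }


if __name__ == "__main__":
    for sev, items in triage(SAMPLE_LINES).items():
        print(f"== {sev} ({len(items)}) ==")
        for f in items:
            print(f"  [{f.kind}] {f.detail}")
```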

#6 valen9600
  • Topic Starter
  • Members
  • 5 posts

Posted 16 December 2014 - 08:51 PM

There have been no repeats of pop ups like before since I ran Malwarebytes Anti-Malware (free version) and quarantined the various files. Here are the printouts as you requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-12-2014 01
Ran by Andy at 2014-12-16 19:37:40 Run:1
Running from C:\Users\Andy\Desktop\Malware Removal
Loaded Profile: Andy (Available profiles: Andy & UpdatusUser)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction http=127.0.0.1:13081
ProxyEnable: [S-1-5-19] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-20] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-21-2338045119-2004918162-2729742732-1000] => Internet Explorer proxy is enabled.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.smilebox.com/?src=10&st=12&crg=3.5000006.10040&barid={635D70F8-C7E6-11E2-AC97-001FE23B346F}
SearchScopes: HKU\S-1-5-21-2338045119-2004918162-2729742732-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKU\S-1-5-21-2338045119-2004918162-2729742732-1000 -> Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java Platform SE 6 U37) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\SysWOW64\npdeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (Google Wallet) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-04]
CHR HKLM-x32\...\Chrome\Extension: [dmidaiabaeipgkcooijbikmdcofhpakp] - No Path
S2 51cdb72; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.11\OptProCrash.dll",ENT
S1 Beep; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20081015.050\ENG64.SYS [X]
S3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20081015.050\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCASp50a64; System32\Drivers\PCASp50a64.sys [X]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]

End
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}" => Key deleted successfully.
"HKCR\CLSID\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{97ab88ef-346b-4179-a0b1-7445896547a5} => value deleted successfully.
"HKCR\CLSID\{97ab88ef-346b-4179-a0b1-7445896547a5}" => Key deleted successfully.
HKU\S-1-5-21-2338045119-2004918162-2729742732-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key deleted successfully.
C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll not found.
C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll not found.
C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll not found.
C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll not found.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll not found.
C:\Windows\SysWOW64\npdeployJava1.dll not found.
c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll not found.
C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dmidaiabaeipgkcooijbikmdcofhpakp" => Key deleted successfully.
51cdb72 => Service deleted successfully.
Beep => Service deleted successfully.
catchme => Service deleted successfully.
IpInIp => Service deleted successfully.
NAVENG => Service deleted successfully.
NAVEX15 => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
PCASp50a64 => Service deleted successfully.
PCTINDIS5X64 => Service deleted successfully.


The system needed a reboot.

==== End of Fixlog ====

Results of screen317's Security Check version 0.99.93
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 71
Java™ 6 Update 5
Java™ 6 Update 7
Adobe Flash Player 15.0.0.246 Flash Player out of Date!
Adobe Reader 10.1.13 Adobe Reader out of Date!
Mozilla Firefox (33.1)
Google Chrome (39.0.2171.71)
Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



#7 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 December 2014 - 09:49 AM

Using the Add/Remove Programs applet remove these old versions of Java.

Java 6 Update 5
Java 6 Update 7


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
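As an added example that is not part of this thread, the following PowerShell lists the Java entries the way the Security Check log above found them (one Java 7 runtime alongside two Java 6 runtimes) and flags every version but the newest for removal through Add/Remove Programs. The registry paths are the standard Windows uninstall keys (64-bit and 32-bit views); the display-name pattern is an assumption based on the names in the log.

```powershell
# Added example, not code from the thread: enumerate Java entries in the Windows
# uninstall registry keys (64-bit and 32-bit views) and flag every version but the
# newest. Assumes Oracle Java entries named like "Java 7 Update 71" or
# "Java(TM) 6 Update 5", as shown in the Security Check log above.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$javaEntries = @(
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+\d+' } |
        ForEach-Object {
            # DisplayVersion is e.g. "7.0.710" or "6.0.50"; cast to [version] so the
            # sort is numeric rather than alphabetical. Entries without a parseable
            # version sort last and are still reported.
            $ver = $null
            try { $ver = [version]$_.DisplayVersion } catch { }
            New-Object PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $ver
                UninstallString = $_.UninstallString
            }
        } | Sort-Object Version -Descending
)

if ($javaEntries.Count -eq 0) {
    Write-Output 'No Java runtime entries found.'
} else {
    # The first entry after the descending sort is the newest; keep that one.
    $newest = $javaEntries[0]
    Write-Output ('Keep : {0} ({1})' -f $newest.Name, $newest.Version)
    # Everything else is an older runtime that still exposes its known bugs.
    # This only reports; remove the entries through Add/Remove Programs as the
    # post above instructs, or review UninstallString before running it yourself.
    foreach ($old in ($javaEntries | Select-Object -Skip 1)) {
        Write-Output ('Old  : {0} ({1}) -> {2}' -f $old.Name, $old.Version, $old.UninstallString)
    }
}
```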

#8 valen9600

valen9600
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:06 PM

Posted 20 December 2014 - 12:02 PM

Ok. Done all of that. I removed Java 6 Update 5 and Java 6 Update 7. Adobe Reader said I already had it installed. My Adobe Flash Player was also up to date. I have had no other issues for a few days, and the pop-ups seem to have gone away. Is there anything else I should do? Andrew

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:06 PM

Posted 20 December 2014 - 02:22 PM

No, you are good.

#10 valen9600

valen9600
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:06 PM

Posted 20 December 2014 - 02:58 PM

Thanks. I appreciate all your help nasdaq.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:06 PM

Posted 21 December 2014 - 08:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
