
Internet Redirect Virus


This topic is locked
9 replies to this topic

#1 Desent

Desent

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 31 December 2014 - 09:13 PM

Hello Bleeping Computer. I previously made a topic here, where I was helped very well by lighthouse party, who told me to make a new one. The symptoms of the virus have not changed, as far as I can tell, so I will just quote the original topic. 

 


Hello Bleeping Computer,

 

I have been having trouble with my internet browser (chrome). Often, when I click on a link, my browser opens a new tab that says "sup" and eventually changes to a phishing site, or some other site that my browser blocks automatically. This is very unnerving and I am a bit scared that there is also a keylogger. I have tried running malwarebytes and nothing happens.

 

In addition, on websites with a lot of ads, I often get sent to a screen telling me that I need to update my flash media player (obviously a scam), but it is very annoying since it overwrites the page I am on. This is probably just the ads, but it might be due to the same virus, so I mention it as well.

 

I am using Windows 7

 

 

Attached are the two logs from DDS.

 

Thanks for the help! 



Edited by Desent, 31 December 2014 - 09:13 PM.




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,627 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:20 PM

Posted 05 January 2015 - 09:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/561665 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Desent

Desent
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 06 January 2015 - 06:13 PM

Okay, here are my other logs. Thanks!



Edited by Desent, 06 January 2015 - 06:13 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 PM

Posted 07 January 2015 - 11:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#5 Desent

Desent
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 10 January 2015 - 09:58 AM

Hello nasdaq. Thanks for helping me out. My computer is running fine, except for this virus which frequently redirects google chrome to malicious websites, especially on pages with banner ads. I also suspect it is preventing me from installing extensions for chrome, since when I try I get an unknown error. Here are the logs:

 

# AdwCleaner v4.107 - Report created 10/01/2015 at 00:46:56
# Updated 07/01/2015 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Desent - DESENT-PC
# Running from : C:\Users\Desent\Desktop\adwcleaner_4.107.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.wajam.com_0.localstorage
File Deleted : C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.wajam.com_0.localstorage-journal
File Deleted : C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
File Deleted : C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.incredibar.com_0.localstorage
File Deleted : C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.incredibar.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v34.0.5 (x86 en-US)
 
 
-\\ Google Chrome v37.0.2062.103
 
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=8D6BDB25-BB21-4A7B-944B-2D21DB34A7B0&apn_ptnrs=TV&apn_sauid=DD46FC53-F16A-4121-B84A-6D6F83648EE6&apn_dtid=OSJ000YYUS&q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=8D6BDB25-BB21-4A7B-944B-2D21DB34A7B0&apn_ptnrs=TV&apn_sauid=DD46FC53-F16A-4121-B84A-6D6F83648EE6&apn_dtid=OSJ000YYUS&q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3322289&octid=EB_ORIGINAL_CTID&ISID=M66AD0A70-B8D0-40DE-A486-F4A641E5D74B&SearchSource=58&CUI=&UM=6&UP=SPB41AB7B0-B7F4-4F1A-8466-116DC443331A&q={searchTerms}&SSPV=
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3322289&octid=EB_ORIGINAL_CTID&ISID=M66AD0A70-B8D0-40DE-A486-F4A641E5D74B&SearchSource=58&CUI=&UM=6&UP=SPB41AB7B0-B7F4-4F1A-8466-116DC443331A&q={searchTerms}&SSPV=
 
-\\ Chromium v
 
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=8D6BDB25-BB21-4A7B-944B-2D21DB34A7B0&apn_ptnrs=TV&apn_sauid=DD46FC53-F16A-4121-B84A-6D6F83648EE6&apn_dtid=OSJ000YYUS&q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=8D6BDB25-BB21-4A7B-944B-2D21DB34A7B0&apn_ptnrs=TV&apn_sauid=DD46FC53-F16A-4121-B84A-6D6F83648EE6&apn_dtid=OSJ000YYUS&q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3322289&octid=EB_ORIGINAL_CTID&ISID=M66AD0A70-B8D0-40DE-A486-F4A641E5D74B&SearchSource=58&CUI=&UM=6&UP=SPB41AB7B0-B7F4-4F1A-8466-116DC443331A&q={searchTerms}&SSPV=
[C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3322289&octid=EB_ORIGINAL_CTID&ISID=M66AD0A70-B8D0-40DE-A486-F4A641E5D74B&SearchSource=58&CUI=&UM=6&UP=SPB41AB7B0-B7F4-4F1A-8466-116DC443331A&q={searchTerms}&SSPV=
 
*************************
 
AdwCleaner[R0].txt - [3023 octets] - [10/01/2015 00:42:05]
AdwCleaner[R1].txt - [3083 octets] - [10/01/2015 00:45:49]
AdwCleaner[S0].txt - [4576 octets] - [10/01/2015 00:46:56]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4636 octets] ##########
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-01-2015
Ran by Desent (administrator) on DESENT-PC on 10-01-2015 09:49:40
Running from C:\Users\Desent\Desktop
Loaded Profile: Desent (Available profiles: Desent & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Service.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-Network.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-BlockDevice.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-SharedFolder.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Nota Inc.) C:\Program Files (x86)\Gyazo\GyStation.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6510 series\Bin\HPNetworkCommunicator.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2809856 2012-01-16] (ELAN Microelectronics Corp.)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [Andy] => C:\Program Files\Andy\HandyAndy.exe
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [152896 2012-06-25] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [835288 2014-08-13] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\...\Run: [PlayNC Launcher] => [X]
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\...\Run: [HP Photosmart 6510 series (NET)] => C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe [2676584 2011-09-16] (Hewlett-Packard Co.)
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\...\Run: [GoogleChromeAutoLaunch_1853C40E639A33520B9A87A4A1F17502] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [852808 2014-08-29] (Google Inc.)
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3095840 2014-10-27] (Nota Inc.)
Lsa: [Notification Packages] scecli C:\Program Files\Lenovo\Bluetooth Software\BtwProximityCP.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\Windows\system32\IcnOvrly.dll ()
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=KMOH&bmod=KMOH
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com/ig/redirectdomain?brand=KMOH&bmod=KMOH
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3765074288-4215764826-1854813902-1000 -> {2E92D7F3-8E3D-4012-A0A3-F8B1B64FE6B1} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3765074288-4215764826-1854813902-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7KMOH_enUS501US501
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Desent\AppData\Roaming\Mozilla\Firefox\Profiles\k5y0kutc.default-1419089014707
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_265.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro PDF\Professional 7\npnitromozilla.dll ( )
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\Desent\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-3765074288-4215764826-1854813902-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Desent\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-3765074288-4215764826-1854813902-1000: thehappycloud.com/HappyCloudPlugin -> C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll (The Happy Cloud)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Desent\AppData\Local\Google\Chrome\User Data\Default
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [409304 2014-08-13] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384728 2014-08-13] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [777944 2014-08-13] (BlueStack Systems, Inc.)
S4 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [945440 2012-02-01] (Broadcom Corporation.)
S4 DamageGuardSvc; C:\Program Files\Lenovo\Instant Reset\DamageGuardSvc.exe [572976 2012-03-26] (Lenovo (Beijing) Limited)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [174112 2015-01-05] (EasyAntiCheat Ltd)
S4 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2013-07-17] (Hi-Rez Studios) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NitroDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [216072 2012-06-21] (Nitro PDF Software)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-06-20] ()
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-01] (Broadcom Corporation.)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [122072 2014-08-13] (BlueStack Systems)
S4 DamageGuard; C:\Windows\System32\DRIVERS\DamageGuardX64.sys [217392 2012-02-10] (Lenovo)
S4 dgFltr; C:\Windows\System32\drivers\dgFltrX64.sys [23648 2011-12-13] (Lenovo)
S3 h647906; C:\Windows\System32\drivers\h647906.sys [63856 2008-08-08] (Your Corporation)
S3 h648101; C:\Windows\System32\drivers\h648101.sys [65776 2008-08-08] (Your Corporation)
S3 h648103; C:\Windows\System32\drivers\h648103.sys [62960 2008-08-08] (Your Corporation)
S3 hid7906; C:\Windows\SysWOW64\drivers\hid7906.sys [41272 2008-08-08] (Your Corporation)
S3 hid8101; C:\Windows\SysWOW64\drivers\hid8101.sys [43192 2008-08-08] (Your Corporation)
S3 hid8103; C:\Windows\SysWOW64\drivers\hid8103.sys [40856 2008-08-08] (Your Corporation)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [104048 2012-03-02] (Qualcomm Atheros Co., Ltd.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [952832 2011-12-06] (Vimicro Corporation)
U3 BcmSqlStartupSvc; No ImagePath
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
U2 DriverService; No ImagePath
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-10 09:49 - 2015-01-10 09:53 - 00019439 _____ () C:\Users\Desent\Desktop\FRST.txt
2015-01-10 09:49 - 2015-01-10 09:49 - 02124288 _____ (Farbar) C:\Users\Desent\Desktop\FRST64.exe
2015-01-10 09:49 - 2015-01-10 09:49 - 00000000 ____D () C:\FRST
2015-01-10 00:42 - 2015-01-10 00:46 - 00000000 ____D () C:\AdwCleaner
2015-01-10 00:41 - 2015-01-10 00:42 - 00000917 _____ () C:\Users\Desent\Desktop\New Text Document (4).txt
2015-01-10 00:41 - 2015-01-10 00:41 - 02191360 _____ () C:\Users\Desent\Desktop\adwcleaner_4.107.exe
2015-01-06 18:08 - 2015-01-06 18:09 - 00688992 ____R (Swearware) C:\Users\Desent\Desktop\dds (1).com
2015-01-06 15:54 - 2015-01-06 15:54 - 00000964 _____ () C:\Users\Desent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\osu!.lnk
2015-01-06 15:54 - 2015-01-06 15:54 - 00000956 _____ () C:\Users\Desent\Desktop\osu!.lnk
2015-01-06 15:53 - 2015-01-06 16:27 - 00000000 ____D () C:\Users\Desent\AppData\Local\osu!
2015-01-06 15:53 - 2015-01-06 15:53 - 03191368 _____ (ppy) C:\Users\Desent\Desktop\osu!install.exe
2015-01-06 10:27 - 2015-01-06 10:27 - 00004466 _____ () C:\Users\Desent\Documents\The Hero, Jontron Version.mid
2015-01-06 03:57 - 2015-01-06 03:57 - 00001281 _____ () C:\Users\Desent\Desktop\bencircuit
2015-01-05 21:22 - 2015-01-05 21:22 - 00000981 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-dc_en.jnlp
2015-01-05 21:03 - 2015-01-05 21:03 - 00000747 _____ () C:\Users\Desent\Desktop\torque_en.jnlp
2015-01-05 21:01 - 2015-01-05 21:01 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-05 21:01 - 2015-01-05 21:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-05 21:00 - 2015-01-05 21:00 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-05 20:59 - 2015-01-05 20:59 - 00638888 _____ (Oracle Corporation) C:\Users\Desent\Desktop\chromeinstall-8u25.exe
2015-01-05 20:36 - 2015-01-05 20:36 - 00001042 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-dc-virtual-lab_en.jnlp
2015-01-05 20:33 - 2015-01-05 20:33 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (6).jnlp
2015-01-05 20:25 - 2015-01-05 20:25 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (5).jnlp
2015-01-05 20:22 - 2015-01-05 20:22 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (4).jnlp
2015-01-05 20:22 - 2015-01-05 20:22 - 00000859 _____ () C:\Users\Public\Desktop\FileViewPro.lnk
2015-01-05 20:22 - 2015-01-05 20:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileViewPro
2015-01-05 20:22 - 2015-01-05 20:22 - 00000000 ____D () C:\Program Files\FileViewPro
2015-01-05 20:21 - 2015-01-05 20:21 - 02981504 _____ () C:\Users\Desent\Desktop\Setup_FileViewPro_[2015] (1).exe
2015-01-05 20:21 - 2015-01-05 20:21 - 00000000 ____D () C:\Spacekace
2015-01-05 20:20 - 2015-01-05 20:21 - 02981504 _____ () C:\Users\Desent\Desktop\Setup_FileViewPro_[2015].exe
2015-01-05 20:13 - 2015-01-05 20:14 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (3).jnlp
2015-01-05 20:13 - 2015-01-05 20:13 - 02207593 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (1).jar
2015-01-05 20:13 - 2015-01-05 20:13 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (2).jnlp
2015-01-05 20:12 - 2015-01-05 20:12 - 02207593 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en.jar
2015-01-05 20:11 - 2015-01-05 20:11 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en (1).jnlp
2015-01-05 20:10 - 2015-01-05 20:10 - 00000975 _____ () C:\Users\Desent\Desktop\circuit-construction-kit-ac_en.jnlp
2015-01-05 16:34 - 2015-01-05 16:23 - 00174112 _____ (EasyAntiCheat Ltd) C:\Windows\SysWOW64\EasyAntiCheat.exe
2014-12-31 20:31 - 2014-12-31 20:31 - 00688992 ____R (Swearware) C:\Users\Desent\Desktop\dds.com
2014-12-27 20:50 - 2014-12-27 21:29 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-27 20:49 - 2014-12-27 21:29 - 00000000 ____D () C:\Users\Desent\Desktop\mbar
2014-12-27 20:48 - 2014-12-27 20:49 - 16448208 _____ (Malwarebytes Corp.) C:\Users\Desent\Desktop\mbar-1.08.2.1001.exe
2014-12-27 20:21 - 2014-12-27 20:21 - 16448208 _____ (Malwarebytes Corp.) C:\Users\Desent\Desktop\Unconfirmed 68801.crdownload
2014-12-27 20:21 - 2014-12-27 20:21 - 00448512 _____ (OldTimer Tools) C:\Users\Desent\Desktop\TFC.exe
2014-12-23 10:36 - 2014-12-23 10:37 - 00001328 _____ () C:\DelFix.txt
2014-12-23 01:16 - 2014-12-23 01:16 - 00000000 __SHD () C:\Users\Desent\AppData\Local\EmieBrowserModeList
2014-12-23 01:15 - 2014-12-23 01:15 - 02077392 _____ (Microsoft Corporation) C:\Users\Desent\Desktop\IE11-Windows6.1.exe
2014-12-22 15:47 - 2014-12-22 15:47 - 00000000 ____D () C:\Users\Desent\AppData\Roaming\Gyazo
2014-12-22 15:45 - 2014-12-22 16:45 - 00000000 ____D () C:\Program Files (x86)\Gyazo
2014-12-22 15:45 - 2014-12-22 15:45 - 09698760 _____ (Nota Inc. ) C:\Users\Desent\Desktop\Gyazo-2.3.0.exe
2014-12-22 15:45 - 2014-12-22 15:45 - 00003752 _____ () C:\Windows\System32\Tasks\GyazoUpdateTaskMachine
2014-12-22 15:45 - 2014-12-22 15:45 - 00000997 _____ () C:\Users\Public\Desktop\Gyazo.lnk
2014-12-22 15:45 - 2014-12-22 15:45 - 00000997 _____ () C:\Users\Public\Desktop\Gyazo GIF.lnk
2014-12-22 15:45 - 2014-12-22 15:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gyazo
2014-12-22 15:21 - 2014-12-22 15:21 - 00000000 ____D () C:\Users\Desent\Desktop\Pokemon Omicron 1.4 (Win)
2014-12-22 15:17 - 2014-12-22 15:19 - 122283772 _____ () C:\Users\Desent\Desktop\Pokemon Omicron 1.4 (Win).zip
2014-12-22 12:48 - 2014-12-22 12:48 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-12-22 12:42 - 2014-12-22 12:42 - 00000000 ____D () C:\Windows\ERUNT
2014-12-21 22:16 - 2014-12-22 01:33 - 00015292 _____ () C:\Users\Desent\Documents\Bens time management.xlsx
2014-12-21 22:15 - 2014-12-21 22:15 - 00022386 _____ () C:\Users\Desent\Documents\TimeManTemplate2014 (1).xlsx
2014-12-21 21:23 - 2014-12-21 21:23 - 00051712 _____ () C:\Users\Desent\Desktop\TimeManTemplate2014 (1).xls
2014-12-21 21:22 - 2014-12-21 21:22 - 00051712 _____ () C:\Users\Desent\Desktop\TimeManTemplate2014.xls
2014-12-21 01:00 - 2014-12-21 01:00 - 00293326 _____ () C:\Users\Desent\Desktop\lmsclass.zip
2014-12-21 01:00 - 2014-12-21 01:00 - 00000000 ____D () C:\Users\Desent\Desktop\lmsclass
2014-12-21 00:33 - 2014-12-21 00:33 - 00058068 _____ () C:\Users\Desent\Desktop\london3.tex
2014-12-20 12:37 - 2014-12-27 20:50 - 00135384 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-20 12:36 - 2014-12-27 20:49 - 00096472 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-20 12:36 - 2014-12-20 12:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-20 12:36 - 2014-12-20 12:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-20 12:36 - 2014-12-20 12:36 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-20 12:36 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-20 12:36 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-20 12:35 - 2014-12-20 12:36 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Desent\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-20 10:23 - 2014-12-20 10:23 - 00000000 ____D () C:\Users\Desent\Desktop\Old Firefox Data
2014-12-17 22:09 - 2014-12-13 00:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-17 22:09 - 2014-12-12 22:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-14 18:58 - 2014-12-14 18:58 - 00086963 _____ () C:\lms.cls
2014-12-14 18:57 - 2014-12-14 18:57 - 00086963 _____ () C:\lms.cls.tex
2014-12-14 18:55 - 2014-12-14 18:55 - 00086963 _____ () C:\Users\Desent\Documents\lms.cls.tex
2014-12-13 13:52 - 2014-12-13 13:52 - 00002991 _____ () C:\Users\Desent\Desktop\GoPanda2.lnk
2014-12-13 13:52 - 2014-12-13 13:52 - 00000000 ____D () C:\Users\Desent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GoPanda2
2014-12-13 13:52 - 2014-12-13 13:52 - 00000000 ____D () C:\Program Files (x86)\GoPanda2
2014-12-13 13:49 - 2014-12-13 13:49 - 00002448 _____ () C:\Users\Desent\Desktop\CGoban 3.lnk
2014-12-12 00:52 - 2014-12-12 00:52 - 00000000 ____D () C:\Users\Desent\AppData\OICE_15_974FA576_32C1D314_14F
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-10 09:50 - 2012-09-02 09:37 - 01178766 _____ () C:\Windows\WindowsUpdate.log
2015-01-10 09:48 - 2013-10-10 16:47 - 00000548 ____H () C:\Windows\Tasks\MATLAB R2013b Startup Accelerator.job
2015-01-10 09:46 - 2012-09-12 12:32 - 04112547 _____ () C:\FaceProv.log
2015-01-10 09:45 - 2012-09-02 10:21 - 00158259 _____ () C:\Windows\system32\fastboot.set
2015-01-10 09:45 - 2012-09-02 10:19 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-10 09:45 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-10 09:45 - 2009-07-13 23:51 - 00118737 _____ () C:\Windows\setupact.log
2015-01-10 00:47 - 2010-11-20 22:47 - 00322084 _____ () C:\Windows\PFRO.log
2015-01-10 00:47 - 2009-07-14 00:08 - 00032606 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-10 00:17 - 2012-09-02 10:19 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-09 23:47 - 2012-09-16 20:54 - 00000000 ____D () C:\Users\Desent\AppData\Roaming\Skype
2015-01-09 19:55 - 2009-07-14 00:13 - 00786558 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-09 17:05 - 2012-09-13 01:13 - 00000000 ____D () C:\Users\Desent\AppData\Roaming\TS3Client
2015-01-09 16:04 - 2012-09-13 06:47 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-09 15:36 - 2009-07-13 23:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-09 15:36 - 2009-07-13 23:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-07 13:59 - 2012-09-16 20:54 - 00000000 ____D () C:\ProgramData\Skype
2015-01-07 13:18 - 2012-09-16 23:58 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-06 23:08 - 2012-09-16 23:58 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-05 21:59 - 2013-01-04 18:13 - 00445952 ___SH () C:\Users\Desent\Desktop\Thumbs.db
2015-01-05 20:09 - 2014-11-19 12:44 - 00000000 ____D () C:\Users\Desent\AppData\Local\Windows Live
2015-01-05 02:17 - 2013-10-10 16:47 - 00000000 ____D () C:\Users\Desent\Documents\MATLAB
2015-01-03 00:15 - 2013-01-15 16:04 - 00000000 ____D () C:\Users\Desent\Desktop\SpeedAutoClicker
2014-12-31 06:14 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-23 10:25 - 2012-09-11 21:36 - 00116648 _____ () C:\Users\Desent\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-23 10:24 - 2009-07-13 23:45 - 00441792 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-23 01:15 - 2014-06-24 14:02 - 00008693 _____ () C:\Windows\IE11_main.log
2014-12-23 00:01 - 2013-06-12 17:51 - 00000000 ____D () C:\Program Files (x86)\Free FLV Converter
2014-12-23 00:01 - 2013-04-26 17:14 - 00000000 ____D () C:\Users\Desent\Desktop\Warcraft III
2014-12-20 15:23 - 2014-06-03 22:57 - 00084879 _____ () C:\Users\Desent\Downloads\debug.log
2014-12-20 14:04 - 2014-07-08 21:48 - 00000000 ____D () C:\Users\Desent\Desktop\download
2014-12-20 13:30 - 2014-05-29 21:45 - 02928883 _____ (te4.org) C:\Users\Desent\Downloads\patched-t-engine-launcher.exe
2014-12-20 13:30 - 2014-05-26 20:07 - 00000000 ____D () C:\Users\Desent\Downloads\download
2014-12-19 20:59 - 2012-11-19 14:49 - 00114328 _____ () C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-19 13:51 - 2013-05-06 15:54 - 00000000 ____D () C:\Users\Desent\Desktop\Daniel S hool
2014-12-18 18:04 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-12-16 02:06 - 2014-06-11 20:13 - 00000000 ____D () C:\Users\Desent\AppData\Local\GoPanda2
2014-12-13 13:16 - 2014-08-03 12:42 - 00002480 _____ () C:\Users\Desent\Desktop\Wurm Online.lnk
2014-12-13 13:14 - 2013-11-02 12:17 - 00000000 ____D () C:\ProgramData\Oracle
2014-12-11 03:01 - 2014-09-27 15:35 - 00000000 ____D () C:\ProgramData\Microsoft Help
 
Files to move or delete:
====================
C:\Users\Desent\jagex_cl_oldschool_LIVE.dat
C:\Users\Desent\jagex_cl_runescape_LIVE.dat
C:\Users\Desent\random.dat
 
 
Some content of TEMP:
====================
C:\Users\Desent\AppData\Local\Temp\Quarantine.exe
C:\Users\Desent\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Desent\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-04 12:34
 
==================== End Of Log ============================

 




#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 PM

Posted 10 January 2015 - 10:17 AM

I suggest you remove this application using the Add/Remove programs applet.
Source:
http://www.shouldiremoveit.com/InstallX-Search-Protect-for-Yahoo-101701-program.aspx

Uninstall Helper (HKLM-x32\...\Uninstall Helper 2.0.1.0) (Version: 2.0.1.0 - InstallX, LLC) <==== ATTENTION
Uninstall Helper (x32 Version: 2.0.1.0 - InstallX, LLC) Hidden <==== ATTENTION
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\...\Run: [PlayNC Launcher] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
U3 BcmSqlStartupSvc; No ImagePath
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
U2 DriverService; No ImagePath
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt. Please post it in your reply.
===

How is the computer running now?
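An added example, not part of this thread and not code from Farbar's FRST: a small Python script that parses the service and driver lines of an FRST log like the one posted above and picks out the orphaned registrations that the fixlist in this post targets, that is, services whose registry key reports "No ImagePath" and entries whose binary FRST marks as missing with "[X]". It then assembles those lines into the fixlist shape used here (start, the log lines copied verbatim, End). The sample log text embedded in the script is constructed from lines quoted in this thread; the function names, and the reading of the leading R/S letter as FRST's running/stopped flag followed by the Windows start-type digit, are my assumptions about the format rather than documented FRST behaviour.

```python
"""Triage helper for FRST log excerpts (added example, not FRST's own code).

Flags service/driver registrations that no longer point at anything:
  * "No ImagePath"  - the registry key has no binary to launch at all
  * trailing "[X]"  - FRST could not find the file the ImagePath names
Both kinds are dead weight at best and, at worst, a slot a dropper can
re-use, which is why the thread's fixlist removes them.
"""
import re

# Constructed sample in the format of the FRST service/driver lines quoted
# in this thread: two healthy entries and four orphaned ones.
SAMPLE_LOG = """\
R3 bcbtums; C:\\Windows\\System32\\drivers\\bcbtums.sys [134696 2012-02-01] (Broadcom Corporation.)
R0 MpFilter; C:\\Windows\\System32\\DRIVERS\\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
U3 BcmSqlStartupSvc; No ImagePath
U2 idealife Update Service; No ImagePath
S3 EagleX64; \\??\\C:\\Windows\\system32\\drivers\\EagleX64.sys [X]
S3 VBoxNetFlt; system32\\DRIVERS\\VBoxNetFlt.sys [X]
"""

# "<flag><start type> <name>; <image path and details>"
# Assumption about the format: the letter is FRST's state flag (R running,
# S stopped; the U entries in this log are the ones with no ImagePath) and
# the digit is the Windows start type (0 boot ... 4 disabled).
SERVICE_LINE = re.compile(r"^([RSU])([0-4]) ([^;]+); (.*)$")


def parse_services(log_text):
    """Return one dict per service/driver line found in an FRST log excerpt."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_LINE.match(line)
        if not m:
            continue  # headers, blank lines and file listings are skipped
        flag, start_type, name, detail = m.groups()
        entries.append({
            "flag": flag,
            "start_type": int(start_type),
            "name": name,
            "detail": detail,
            "raw": line,
        })
    return entries


def classify(entry):
    """Reason an entry is an orphan, or None if it looks healthy."""
    detail = entry["detail"]
    if detail == "No ImagePath":
        return "registry entry has no ImagePath (nothing to run)"
    if detail.endswith("[X]"):
        return "ImagePath points at a file that no longer exists"
    return None


def find_orphans(log_text):
    """Map service name -> reason, for every orphaned registration in the log."""
    result = {}
    for entry in parse_services(log_text):
        reason = classify(entry)
        if reason:
            result[entry["name"]] = reason
    return result


def build_fixlist(log_text):
    """Assemble fixlist.txt text in the shape used in this thread:
    'start', the offending log lines copied verbatim, then 'End'."""
    lines = [e["raw"] for e in parse_services(log_text) if classify(e)]
    return "start\n\n" + "\n".join(lines) + "\n\nEnd\n"


if __name__ == "__main__":
    for name, why in find_orphans(SAMPLE_LOG).items():
        print(f"{name}: {why}")
    print()
    print(build_fixlist(SAMPLE_LOG))
```

Point it at the whole service/driver section of a real FRST.txt. Healthy entries produce no output, and the generated fixlist is meant to be read line by line before it is saved as fixlist.txt, because FRST deletes every service named in it.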

#7 Desent

Desent
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 10 January 2015 - 11:58 AM

I uninstalled "Uninstall Helper" by InstallX LLC, but could not find the other file, even when I had my computer show hidden folders. Here is the Farbar log:

As for how the computer is running, I am still getting redirected.

Thanks for your help!
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-01-2015
Ran by Desent at 2015-01-10 11:45:19 Run:1
Running from C:\Users\Desent\Desktop
Loaded Profile: Desent (Available profiles: Desent & Guest)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\...\Run: [PlayNC Launcher] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
U3 BcmSqlStartupSvc; No ImagePath
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
U2 DriverService; No ImagePath
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
 
End
*****************
 
Processes closed successfully.
HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\Software\Microsoft\Windows\CurrentVersion\Run\\PlayNC Launcher => value deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-3765074288-4215764826-1854813902-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
BcmSqlStartupSvc => Service deleted successfully.
CLKMSVC10_3A60B698 => Service deleted successfully.
CLKMSVC10_C3B3B687 => Service deleted successfully.
DriverService => Service deleted successfully.
EagleX64 => Service deleted successfully.
iATAgentService => Service deleted successfully.
idealife Update Service => Service deleted successfully.
IGRS => Service deleted successfully.
IviRegMgr => Service deleted successfully.
nvUpdatusService => Service deleted successfully.
Oasis2Service => Service deleted successfully.
PCCarerService => Service deleted successfully.
ReadyComm.DirectRouter => Service deleted successfully.
RichVideo => Service deleted successfully.
RtLedService => Service deleted successfully.
SeaPort => Service deleted successfully.
SoftwareService => Service deleted successfully.
SQLWriter => Service deleted successfully.
VBoxNetFlt => Service deleted successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 11:45:20 ====


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 PM

Posted 10 January 2015 - 01:44 PM

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome":
 
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is it now?

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 PM

Posted 16 January 2015 - 09:53 AM

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 PM

Posted 22 January 2015 - 09:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



