Proxy Loopback Hijack - 127.0.0.1:8800


This topic is locked
3 replies to this topic

#1 PixelGod

  • Members
  • 2 posts
  • Gender:Male
  • Location:Roanoke, VA

Posted 13 January 2015 - 08:27 PM

Hello,

I am working on a friend's computer which seems to have a nastily persistent virus which is constantly setting the proxy settings to a loopback address. All removal processes found online have resulted in nothing; deleting the registry settings just lets them return on the next reboot.

I stumbled across someone who was able to solve this with the help of your team and the use of a software package called "FRST". This is my first use of this package, and I am sad to find that there is no documentation on how to generate our own fixlist.txt file -- this would be extremely useful when no network access is available.

Anyhow, here is my FRST report. In advance, thank you for your help in this matter.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015 02
Ran by Smurfs (administrator) on SMURFCLAN on 13-01-2015 20:06:29
Running from G:\Tools
Loaded Profile: Smurfs (Available profiles: Smurfs)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Altonv) C:\Program Files (x86)\RadPlayer\Altonv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BBSvc.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
() C:\Program Files (x86)\Amazon Browser Bar\ToolbarUpdaterService.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
(RadPlayer) C:\Program Files (x86)\RadPlayer\RadPlayerSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
() C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar1.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar2.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe
(Microsoft Corporation) C:\Users\Smurfs\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(RadPlayer) C:\Program Files (x86)\RadPlayer\RadPlayer.Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.EXE
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicator.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-06-09] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-07] (IDT, Inc.)
HKLM\...\Run: [SetDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [42808 2011-06-27] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [AdAwareTray] => C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareTray.exe [7715160 2014-06-03] ()
HKLM\...\Run: [RadPlayer Tray] => C:\Program Files (x86)\RadPlayer\TyV1.exe [89832 2014-12-10] (RadPlayer)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-04-30] (Intel Corporation)
HKLM-x32\...\Run: [HPQuickWebProxy] => C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe [168504 2011-06-26] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5188112 2014-12-16] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-12-16] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Run: [HP Deskjet 3520 series (NET)] => C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe [2551656 2012-01-31] (Hewlett-Packard Co.)
HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Run: [SkyDrive] => C:\Users\Smurfs\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [277672 2014-10-18] (Microsoft Corporation)
HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Run: [BackgroundContainer] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Smurfs\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\RunOnce: [Uninstall C:\Users\Smurfs\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811_1\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Smurfs\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811_1\amd64"
AppInit_DLLs: C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL => C:\Program Files (x86)\Amazon\Amazon1ButtonApp\AmazonExtIE64.dll [119616 2014-05-23] (Amazon Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Smurfs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3520 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3520 series (Network).lnk -> C:\Program Files\HP\HP Deskjet 3520 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\Smurfs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-695141066-1470065661-4152419856-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
URLSearchHook: HKLM-x32 - (No Name) - {da7a20cf-bef4-4342-ad78-0240fdf87055} - No File
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM -> {754636AC-DCD2-4281-95AA-F104948DAFEA} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {2EE1E0F8-4DA3-4171-AE75-72D353CB93D5} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {754636AC-DCD2-4281-95AA-F104948DAFEA} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {9a216821-0ec5-49a3-85ac-fb72ae79a1e8} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^Y6^xdm003^YYA^us&si=CMCX7_e74b8CFQuCaQodiXAAIg&ptb=A8BC1EF5-F79E-46EE-BCF6-17FF9F15959F&ind=2014072518&n=780c4ec6&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = http://www.amazon.com/websearch/ref=bit_bds-p23_serp_ie_us_display?ie=UTF8&tagbase=bds-p23&tag=bds-p23-serp-us-ie-20&tbrId=v1_abb-channel-23_706e95aead1a4416870885da6be5eb32_39_1006_20140819_US_ie_ds_&query={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3320048&octid=EB_ORIGINAL_CTID&ISID=M1376F801-C14C-4679-9793-E6B5740B2BE8&SearchSource=58&CUI=&UM=5&UP=SPC57F609C-B26A-4384-802F-9A96EBA67F26&q={searchTerms}&SSPV=212221_sp_ie
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {253E300C-E744-4B2B-94B7-342E32A7CEB2} URL = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=APN10379&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=^ABE&apn_dtid=^YYYYYY^YY^US&apn_uid=ba3d618c-5205-40df-8b27-d920f45d6246&apn_sauid=627A432E-7134-49CB-A98C-90E1B4AF93FB
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {754636AC-DCD2-4281-95AA-F104948DAFEA} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {91607fa7-3c2f-4f90-93e3-d5337a6b0ac2} URL = Playbryte-fa-ptn/search/redirect/?type=default&user_id=74475ec7-42ea-4ab7-a69a-3943cc59608f&query={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={59DED9D1-C8E4-476B-A036-7C6E13960B76}&mid=156120cd7a1f47d3bb943dd332a13965-8525b195beaf21ad5a4e9e1a0c2869b9a6c25f34&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-20 15:48:10&v=17.1.3.3&pid=safeguard&sg=77&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {9a216821-0ec5-49a3-85ac-fb72ae79a1e8} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^Y6^xdm003^YYA^us&si=CMCX7_e74b8CFQuCaQodiXAAIg&ptb=A8BC1EF5-F79E-46EE-BCF6-17FF9F15959F&ind=2014072518&n=780c4ec6&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {A415FADF-41C3-4CEE-81CE-E637E2C90A19} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3320048&octid=EB_ORIGINAL_CTID&ISID=M1376F801-C14C-4679-9793-E6B5740B2BE8&SearchSource=58&CUI=&UM=5&UP=SPC57F609C-B26A-4384-802F-9A96EBA67F26&q={searchTerms}&SSPV=212221_sp_ie
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = 
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {B2C1527A-5803-48DC-B1AA-1A6FA49D75DC} URL = https://search.yahoo.com/yhs/search?hspart=verti&hsimp=yhs-verti_002&type=ds0101022015&p={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = http://www.amazon.com/websearch/ref=bit_bds-p23_serp_ie_us_display?ie=UTF8&tagbase=bds-p23&tag=bds-p23-serp-us-ie-20&tbrId=v1_abb-channel-23_706e95aead1a4416870885da6be5eb32_39_1006_20140819_US_ie_ds_&query={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
Toolbar: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> No Name - {DA7A20CF-BEF4-4342-AD78-0240FDF87055} -  No File
Toolbar: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Winsock: Catalog9 01 C:\Windows\SysWOW64\Altonv.dll [358632] (Altonv)
Winsock: Catalog9 02 C:\Windows\SysWOW64\Altonv.dll [358632] (Altonv)
Winsock: Catalog9 03 C:\Windows\SysWOW64\Altonv.dll [358632] (Altonv)
Winsock: Catalog9 04 C:\Windows\SysWOW64\Altonv.dll [358632] (Altonv)
Winsock: Catalog9 15 C:\Windows\SysWOW64\Altonv.dll [358632] (Altonv)
Winsock: Catalog9-x64 01 C:\Windows\system32\Altonv64.dll [465128] (Altonv)
Winsock: Catalog9-x64 02 C:\Windows\system32\Altonv64.dll [465128] (Altonv)
Winsock: Catalog9-x64 03 C:\Windows\system32\Altonv64.dll [465128] (Altonv)
Winsock: Catalog9-x64 04 C:\Windows\system32\Altonv64.dll [465128] (Altonv)
Winsock: Catalog9-x64 15 C:\Windows\system32\Altonv64.dll [465128] (Altonv)
Tcpip\Parameters: [DhcpNameServer] 204.124.136.100 205.132.9.98 4.2.2.2

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @ei.CouponXplorer_5z.com/Plugin -> C:\Program Files (x86)\CouponXplorer_5zEI\Installr\1.bin\NP5zEISB.dll (CouponXplorer)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: HP Smart Print - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2013-01-26]
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.3.2.101
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.3.2.101 [2014-01-10]
FF HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Firefox\Extensions: [games@acandy.com] - C:\Users\Smurfs\AppData\Local\ArcadeCandy\games@acandy.com
FF Extension: ArcadeCandy - C:\Users\Smurfs\AppData\Local\ArcadeCandy\games@acandy.com [2013-07-09]

Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\pdf.dll No File
CHR Plugin: (registryAccess) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaanijiojpcccpkjdjjmjghddcgcbfj\7.17.1.0_0\background/registryAccess.dll (APN)
CHR Plugin: (Norton Confidential) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\6.0.2_0\npcoplgn.dll No File
CHR Plugin: (ArcadeCandy Textlinks Plugin) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnfegheljpcijmdgonkecjpcaopjlpac\1.24.366_0\npCandyx.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (WildTangent Games App V2 Presence Detector) - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll No File
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Profile: C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Oovoo Toolbar) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaanijiojpcccpkjdjjmjghddcgcbfj [2012-12-02]
CHR Extension: (SweetPacks) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\banjjklfojcdbofbhbgiedekefohoaff [2013-11-27]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-30]
CHR Extension: (Wajam) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp [2013-10-20]
CHR Extension: (WhiteSmoke New) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi [2013-11-27]
CHR Extension: (AVG SafeGuard) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2013-11-20]
CHR Extension: (Google Wallet) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
CHR Extension: (ArcadeCandy Games) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnfegheljpcijmdgonkecjpcaopjlpac [2013-11-02]
CHR Extension: (Amazon 1Button App for Chrome) - C:\Users\Smurfs\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam [2014-09-30]
CHR HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Chrome\Extension: [banjjklfojcdbofbhbgiedekefohoaff] - C:\Users\Smurfs\AppData\Local\CRE\banjjklfojcdbofbhbgiedekefohoaff.crx [2013-10-09]
CHR HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Smurfs\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx [2013-10-07]
CHR HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Chrome\Extension: [pbjikboenpfhbbejgkoklgkhjpfogcam] - C:\Program Files (x86)\Amazon\ABB\AmazonChrome-bds-amzn.crx [2014-04-04]
CHR HKLM-x32\...\Chrome\Extension: [aaaanijiojpcccpkjdjjmjghddcgcbfj] - C:\Users\Smurfs\AppData\Local\APN\GoogleCRXs\aaaanijiojpcccpkjdjjmjghddcgcbfj_7.17.1.0.crx [2012-11-28]
CHR HKLM-x32\...\Chrome\Extension: [banjjklfojcdbofbhbgiedekefohoaff] - C:\Users\Smurfs\AppData\Local\CRE\banjjklfojcdbofbhbgiedekefohoaff.crx [2013-10-09]
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [jpmbfleldcgkldadpdinhjjopdfpjfjp] - C:\Users\Smurfs\AppData\Local\Wajam\Chrome\wajam.crx [2013-07-10]
CHR HKLM-x32\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Smurfs\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx [2013-10-07]
CHR HKLM-x32\...\Chrome\Extension: [nnfegheljpcijmdgonkecjpcaopjlpac] - C:\Users\Smurfs\AppData\Local\ArcadeCandy\candyLinkx.crx [2012-07-09]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Altonv; C:\Program Files (x86)\RadPlayer\Altonv.exe [3860200 2014-12-10] (Altonv)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3247120 2014-12-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-12-16] (AVG Technologies CZ, s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [240736 2013-10-07] (WildTangent)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2372096 2011-02-18] (Realsil Microelectronics Inc.) [File not signed]
R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.2.5952.0\AdAwareService.exe [706864 2014-06-03] ()
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S4 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 RadPlayerV1; C:\Program Files (x86)\RadPlayer\RadPlayerSvc.exe [118504 2014-12-10] (RadPlayer)
R2 RadPlayerV2; C:\Program Files (x86)\RadPlayer\RadPlayer.Service.exe [22248 2014-12-10] (RadPlayer)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 Updater Service for AMZN; C:\Program Files (x86)\Amazon Browser Bar\ToolbarUpdaterService.exe [222368 2013-03-21] ()
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-14] (AVG Secure Search)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S2 donutleadsServiceCore; C:\Program Files (x86)\donutleads\DonutLeadsService.exe "F0C8EE84-B42E-E411-87EC-001517D1792A" "optional" "{4C1F9950-D9C0-4329-8C88-907D09C77D29}" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [152344 2014-06-30] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [244504 2014-07-21] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [237848 2014-10-24] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [328984 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [269080 2014-10-20] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-14] (AVG Technologies)
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [389240 2014-04-22] (BitDefender S.R.L.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 20:06 - 2015-01-13 20:06 - 00000000 ____D () C:\FRST
2015-01-13 19:57 - 2015-01-13 19:57 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-01-13 19:43 - 2014-07-25 17:04 - 00872008 _____ (Mindspark) C:\Program Files (x86)\65Uninstall FromDocToPDF.dll
2015-01-13 19:43 - 2014-07-25 17:04 - 00196992 _____ () C:\Program Files (x86)\65res.dll
2015-01-13 19:00 - 2015-01-13 19:00 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2015-01-13 18:59 - 2015-01-13 19:01 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-01-13 18:59 - 2015-01-13 19:00 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-01-13 18:59 - 2015-01-13 18:59 - 00001391 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-01-13 18:59 - 2015-01-13 18:59 - 00001379 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-01-13 18:59 - 2015-01-13 18:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-01-13 18:59 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-01-13 18:51 - 2015-01-13 19:53 - 00000224 _____ () C:\Windows\setupact.log
2015-01-13 18:51 - 2015-01-13 18:51 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-13 18:47 - 2015-01-13 19:45 - 00004568 _____ () C:\Windows\PFRO.log
2015-01-13 18:08 - 2015-01-13 18:08 - 00152236 _____ () C:\Users\Smurfs\Documents\cc_20150113_180839.reg
2015-01-13 03:33 - 2015-01-13 17:57 - 00001144 _____ () C:\Users\Smurfs\Desktop\Live PC Help.lnk
2015-01-13 03:30 - 2015-01-13 03:30 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-13 03:30 - 2015-01-13 03:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
2015-01-02 09:59 - 2015-01-02 09:59 - 00000000 ____D () C:\Users\Smurfs\AppData\Roaming\flightgear.org
2015-01-02 09:58 - 2015-01-02 09:58 - 00001222 _____ () C:\Users\Smurfs\Desktop\FlightGear 2.4.0.lnk
2015-01-02 09:58 - 2015-01-02 09:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlightGear 2.4.0
2015-01-02 09:55 - 2015-01-02 09:55 - 00000000 ____D () C:\Program Files (x86)\FlightGear 2.4.0
2015-01-02 09:42 - 2015-01-02 09:42 - 00003402 _____ () C:\Windows\System32\Tasks\DonutQuotes
2015-01-02 09:42 - 2015-01-02 09:42 - 00000000 ____D () C:\Users\Smurfs\AppData\Local\Skyrocket Player
2015-01-02 09:41 - 2015-01-03 13:09 - 00000000 ____D () C:\Program Files (x86)\Skyrocket Player
2015-01-02 09:41 - 2015-01-02 12:38 - 00000000 ____D () C:\Program Files (x86)\donutleads
2015-01-02 09:41 - 2015-01-02 09:48 - 00000000 ____D () C:\ProgramData\donutleads
2015-01-02 09:41 - 2015-01-02 09:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skyrocket Player
2015-01-02 09:40 - 2015-01-02 09:40 - 00000978 _____ () C:\Users\Public\Desktop\Rad Player.lnk
2015-01-02 09:40 - 2015-01-02 09:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RadPlayer
2015-01-02 09:40 - 2014-12-10 19:35 - 00465128 _____ (Altonv) C:\Windows\system32\Altonv64.dll
2015-01-02 09:40 - 2014-12-10 19:35 - 00358632 _____ (Altonv) C:\Windows\SysWOW64\Altonv.dll
2015-01-02 09:39 - 2015-01-02 09:40 - 00000000 ____D () C:\ProgramData\RadPlayer
2015-01-02 09:39 - 2015-01-02 09:40 - 00000000 ____D () C:\Program Files (x86)\RadPlayer
2015-01-02 09:38 - 2015-01-02 09:38 - 00269672 _____ () C:\Users\Smurfs\Downloads\FlightSimInstaller.exe
2014-12-29 14:05 - 2014-12-29 14:05 - 00013380 _____ () C:\Users\Smurfs\Documents\sixers 2015.xlsx
2014-12-24 08:14 - 2014-12-24 08:14 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2014-12-20 07:51 - 2014-12-13 00:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-20 07:51 - 2014-12-12 22:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-14 08:05 - 2015-01-13 19:53 - 00003376 _____ () C:\Windows\System32\Tasks\BackgroundContainer Startup Task

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 20:01 - 2009-07-13 23:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-13 20:01 - 2009-07-13 23:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-13 19:57 - 2012-07-03 15:10 - 01100856 _____ () C:\Windows\WindowsUpdate.log
2015-01-13 19:54 - 2014-04-26 06:54 - 00003116 _____ () C:\Windows\Tasks\98598045-e1ab-4b07-9894-8212bcab8cee-3.job
2015-01-13 19:54 - 2014-04-26 06:54 - 00002244 _____ () C:\Windows\Tasks\98598045-e1ab-4b07-9894-8212bcab8cee-4.job
2015-01-13 19:54 - 2014-04-26 06:54 - 00001600 _____ () C:\Windows\Tasks\98598045-e1ab-4b07-9894-8212bcab8cee-5.job
2015-01-13 19:54 - 2014-04-26 06:54 - 00001498 _____ () C:\Windows\Tasks\98598045-e1ab-4b07-9894-8212bcab8cee-1.job
2015-01-13 19:54 - 2014-04-26 06:54 - 00001482 _____ () C:\Windows\Tasks\98598045-e1ab-4b07-9894-8212bcab8cee-2.job
2015-01-13 19:53 - 2014-06-13 14:13 - 00000462 _____ () C:\Windows\Tasks\RegCure Pro Startup.job
2015-01-13 19:53 - 2014-04-26 06:53 - 00001432 _____ () C:\Windows\Tasks\3af7f298-7aa2-490f-9202-f291e9f76d91-5.job
2015-01-13 19:53 - 2014-04-26 06:52 - 00002774 _____ () C:\Windows\Tasks\3af7f298-7aa2-490f-9202-f291e9f76d91-3.job
2015-01-13 19:53 - 2014-04-26 06:52 - 00002146 _____ () C:\Windows\Tasks\3af7f298-7aa2-490f-9202-f291e9f76d91-4.job
2015-01-13 19:53 - 2014-04-26 06:52 - 00001344 _____ () C:\Windows\Tasks\3af7f298-7aa2-490f-9202-f291e9f76d91-1.job
2015-01-13 19:53 - 2014-04-26 06:52 - 00001336 _____ () C:\Windows\Tasks\3af7f298-7aa2-490f-9202-f291e9f76d91-2.job
2015-01-13 19:53 - 2014-01-08 13:01 - 00002305 _____ () C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2015-01-13 19:53 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-13 18:46 - 2012-11-22 09:05 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-13 18:40 - 2012-10-24 15:21 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{847039F9-79BE-4079-BB8B-9C604239A795}
2015-01-13 18:06 - 2014-04-29 05:59 - 00000000 ____D () C:\Windows\Minidump
2015-01-13 18:06 - 2012-11-05 16:02 - 00000000 ____D () C:\Users\Smurfs\AppData\Local\CrashDumps
2015-01-13 18:06 - 2007-01-01 20:25 - 00000000 ____D () C:\Windows\Panther
2015-01-13 18:00 - 2014-06-13 14:13 - 00000470 _____ () C:\Windows\Tasks\ParetoLogic Registration3.job
2015-01-13 17:57 - 2014-08-19 09:46 - 00000000 ____D () C:\Users\Smurfs\AppData\Roaming\systweak
2015-01-13 17:55 - 2013-11-02 16:21 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-13 17:51 - 2012-11-22 09:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-13 17:50 - 2014-04-26 06:51 - 00000000 ____D () C:\Users\Smurfs\AppData\Local\WeatherAlerts
2015-01-13 03:36 - 2014-04-26 06:53 - 00000000 ____D () C:\Program Files (x86)\PC Speed Maximizer
2015-01-13 03:34 - 2014-06-13 14:13 - 00000000 ____D () C:\ProgramData\ParetoLogic
2015-01-13 03:32 - 2009-07-14 00:13 - 00783464 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 03:30 - 2013-11-02 19:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-01-08 17:52 - 2013-11-02 16:24 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2015-01-03 13:02 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-03 13:00 - 2012-10-30 18:35 - 00000274 _____ () C:\Windows\Tasks\CandyUpdater.job
2015-01-02 16:33 - 2014-08-19 09:45 - 00000270 _____ () C:\Windows\Tasks\Tuneup Pro_DEFAULT.job
2015-01-02 12:42 - 2014-03-07 13:00 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForSmurfs.job
2015-01-02 08:09 - 2014-06-13 14:13 - 00000565 _____ () C:\Windows\Tasks\RegCure Pro_sch_CD3A95BE-F32E-11E3-AA45-EC9A7445D096.job
2015-01-01 20:20 - 2014-03-07 13:00 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForSmurfs
2015-01-01 20:19 - 2012-12-07 07:09 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2015-01-01 20:19 - 2012-10-26 07:04 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-12-31 16:50 - 2014-08-19 09:45 - 00000278 _____ () C:\Windows\Tasks\Tuneup Pro_UPDATES.job
2014-12-31 16:50 - 2014-06-13 14:13 - 00000444 _____ () C:\Windows\Tasks\ParetoLogic Update Version3.job
2014-12-24 08:35 - 2013-09-17 16:19 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-12-24 08:10 - 2012-10-26 07:04 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForSMURFCLAN$.job
2014-12-24 08:10 - 2009-07-14 00:08 - 00032572 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-20 15:14 - 2012-10-26 07:04 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForSMURFCLAN$
2014-12-15 15:34 - 2013-03-14 13:33 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-15 15:34 - 2013-03-14 13:33 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-12-15 10:54 - 2013-03-14 13:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-12-14 07:57 - 2012-11-22 09:05 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-25 14:20

==================== End Of Log ============================

If any additional information is needed, please let me know. I look forward to working with you!





#2 PixelGod

PixelGod
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, VA
  • Local time:03:36 AM

Posted 13 January 2015 - 10:56 PM

Well, I took it upon myself to attempt to tackle this. This was due to the user's need for the computer and in part due to my own impatience.

 

I checked a few other fixthis.txt files available for other requests, and it appears to simply be lines from the Scan copied over into a text file for the most part. (The "tutorial" available on geekstogo is a bit more in-depth.)

 

After saving this to the directory where I have FRST placed, I ran the program and selected the FIX option, which ran repairs based on the lines given in the fixthis.txt file.

 

Voila! There are now no longer any problems and the browser is no longer being hijacked by the virus. (Not sure why HiJackThis! couldn't fix it.) Nonetheless, everything appears to be working! I have restarted multiple times to verify; all browsers are no longer going to the loopback address.

 

Here is the content of my fixthis.txt file:

() C:\Program Files (x86)\Amazon Browser Bar\ToolbarUpdaterService.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-695141066-1470065661-4152419856-1000\...\Run: [BackgroundContainer] => "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Smurfs\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
URLSearchHook: HKLM-x32 - (No Name) - {da7a20cf-bef4-4342-ad78-0240fdf87055} - No File
Toolbar: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> No Name - {DA7A20CF-BEF4-4342-AD78-0240FDF87055} -  No File
Toolbar: HKU\S-1-5-21-695141066-1470065661-4152419856-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
2014-12-14 08:05 - 2015-01-13 19:53 - 00003376 _____ () C:\Windows\System32\Tasks\BackgroundContainer Startup Task

Essentially, I went through the list of items presented in the FRST.txt file and selected items that I felt were unnecessary (or I knew would not be critical if it broke something) and put them in this file. After I was satisfied that this was all from that file that I wanted to tackle I simply ran the program in "FIX" mode. The system generated a Fixlog.txt and now everything works! Very cool.

 

I hope this helps someone else looking for the same information!
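A way to sort FRST-style lines before deciding which ones matter, as an added example that is not part of this thread and not FRST's own code: it flags ProxyServer entries whose host is a loopback address (the symptom this thread is about), lists the hives where ProxyEnable is set, and separates services marked [File not signed] or [X] (binary gone) from the rest. The sample log is constructed in the layout quoted above, the regular expressions are my assumptions about that layout rather than FRST's documented grammar, and the `Findings` class and `triage`/`report` names are mine.

```python
"""Triage FRST-style log lines: flag loopback proxies and suspicious services.

Added example (assumed line formats); the sample log below is constructed
from the layout seen in this thread, not a real capture.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the FRST.txt layout shown above (not a real scan).
SAMPLE_LOG = r"""
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKCU] => http=proxy.corp.example:3128
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-12-16] (AVG Technologies CZ, s.r.o.)
S4 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
S2 donutleadsServiceCore; C:\Program Files (x86)\donutleads\DonutLeadsService.exe "arg1" "optional" [X]
"""

# Assumed line shapes, derived from the log excerpts in this thread.
PROXY_ENABLE_RE = re.compile(r"^ProxyEnable: \[(?P<hive>[^\]]+)\] => ProxyEnable is set\.$")
PROXY_SERVER_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.+)$")
# "R2 name; C:\path\file.exe [size date] (Company) [File not signed]"  or  "S2 name; path [X]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\))?"
    r"(?P<flags>(?: \[[^\]]+\])*)$"
)


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost': a proxy there means a local program sits in the path."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_proxy_value(value):
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into (scheme, host, port)."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # scheme is '' for a bare host:port
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
        else:
            host, port = hostport, None
        entries.append((scheme, host, port))
    return entries


@dataclass
class Findings:
    proxy_enabled: list = field(default_factory=list)      # hives where ProxyEnable is set
    loopback_proxies: list = field(default_factory=list)   # (hive, scheme, host, port)
    other_proxies: list = field(default_factory=list)      # (hive, scheme, host, port)
    unsigned_services: list = field(default_factory=list)  # names flagged [File not signed]
    missing_services: list = field(default_factory=list)   # names whose binary is gone ([X])


def triage(log_text):
    """Classify the lines of an FRST-style log into the Findings buckets above."""
    findings = Findings()
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := PROXY_ENABLE_RE.match(line):
            findings.proxy_enabled.append(m["hive"])
        elif m := PROXY_SERVER_RE.match(line):
            for scheme, host, port in parse_proxy_value(m["value"]):
                bucket = findings.loopback_proxies if is_loopback(host) else findings.other_proxies
                bucket.append((m["hive"], scheme, host, port))
        elif m := SERVICE_RE.match(line):
            if "[File not signed]" in m["flags"]:
                findings.unsigned_services.append(m["name"])
            if "[X]" in m["flags"]:
                findings.missing_services.append(m["name"])
    return findings


def report(findings):
    """Human-readable summary; loopback proxies come first because they explain the symptom."""
    lines = []
    for hive, scheme, host, port in findings.loopback_proxies:
        lines.append(f"LOOPBACK PROXY  {hive:9} {scheme or '*'}={host}:{port}")
    for hive in findings.proxy_enabled:
        lines.append(f"PROXY ENABLED   {hive}")
    for hive, scheme, host, port in findings.other_proxies:
        lines.append(f"proxy (review)  {hive:9} {scheme or '*'}={host}:{port}")
    for name in findings.unsigned_services:
        lines.append(f"unsigned svc    {name}")
    for name in findings.missing_services:
        lines.append(f"missing binary  {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a saved FRST.txt by passing the file's text to `triage()`. The point of the split is that the proxy lines explain the visible symptom directly, while the service lines only tell you a binary is unsigned or missing; those still need a separate look at what the program is before anything is done about them.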



#3 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,048 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:03:36 AM

Posted 14 January 2015 - 10:32 AM

Hey,
being honest, this isn't clever. One time you have luck, the next time such a fix leads to an unbootable system. ;)

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8: please right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#4 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,048 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:03:36 AM

Posted 18 January 2015 - 09:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.





