Browser redirect and email hijacked


  • This topic is locked
18 replies to this topic

#1 Den.

  • Members
  • 34 posts

Posted 21 April 2015 - 07:40 PM

Vista machine, IE9. About three weeks ago I noticed that when trying to visit http://www.motogp.com/en, a site I look at only once every week to ten days, I am redirected to https://whatbrowser.org/. My Avast scan and Malwarebytes scan find nothing.

And, starting today at 3:35 PM EST (Florida, USA), I began receiving "Delivery Notification: Delivery has failed" notifications in my email. As of 8:36 PM, 109. That is just the failures. There is no telling how many have been sent since nothing appears in the Sent Items folder. I performed a System Restore back to 4-18-15 at around 6:15 PM but the failed emails are still being returned.

Can you help? Thanks, Den





#2 Den.

  • Topic Starter
  • Members
  • 34 posts

Posted 25 April 2015 - 02:50 PM

Sorry, I didn't read the Preparation Guide.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-04-2015
Ran by Den (administrator) on DEN-PC on 25-04-2015 15:31:10
Running from C:\Users\Den\Desktop
Loaded Profiles: Den (Available profiles: Den)
Platform: Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IObit) C:\Program Files\IObit\Advanced SystemCare 8\ASCService.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(ATI Technologies Inc.) C:\WINDOWS\System32\Ati2evxx.exe
(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(ATI Technologies Inc.) C:\WINDOWS\System32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(IObit) C:\Program Files\IObit\Advanced SystemCare 8\Monitor.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
() C:\hp\KBD\KbdStub.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Gadwin Systems, Inc) C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
() C:\Program Files\TitleBarClock\Tbc.exe
(IObit) C:\Program Files\IObit\Advanced SystemCare 8\ASCTray.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe
(TomTom) C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Conexant Systems, Inc.) C:\WINDOWS\System32\drivers\XAudio.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\unsecapp.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(IObit) C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] => C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [HP Health Check Scheduler] => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-02] (Hewlett-Packard)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateReg] => C:\Windows\system32\jureg.exe [54936 2007-04-07] (Sun Microsystems, Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227648 2015-03-17] (AVAST Software)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2303256 2014-05-19] (Logitech, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [DBAgent] => C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1518664 2014-09-17] (Seagate Technology LLC)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1359064 2015-04-21] (COMODO)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [335232 2015-04-15] (Oracle Corporation)
HKLM\...\Run: [Dcfssvc] => C:\WINDOWS\System32\Drivers\dcfssvc.exe
HKLM\...\Run: [ScanRegistry] => C:\WINDOWS\scanregw.exe /autorun
HKLM\...\Run: [SystemTray] => C:\Windows\system32\SysTray.Exe [8192 2006-11-02] (Microsoft Corporation)
HKLM\...\Run: [LoadPowerProfile] => Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\...\Run: [EM_EXEC] => c:\mouse\system\em_exec.exe
HKLM\...\Run: [CreateCD50] => "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
HKLM\...\Run: [AdaptecDirectCD] => "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
HKLM\...\Run: [StillImageMonitor] => C:\WINDOWS\SYSTEM\STIMON.EXE
HKLM\...\Run: [LoadQM] => loadqm.exe
HKLM\...\Run: [Tweak UI] => RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
HKLM\...\RunServices: [LoadPowerProfile] => Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\...\RunServices: [SchedulingAgent] => mstask.exe
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\...\Run: [Gadwin PrintScreen] => C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe [495616 2008-12-09] (Gadwin Systems, Inc)
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\...\Run: [TBC.exe] => C:\Program Files\TitleBarClock\Tbc.exe [17920 2002-12-29] ()
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\...\Run: [Advanced SystemCare 8] => C:\Program Files\IObit\Advanced SystemCare 8\ASCTray.exe [2428704 2015-04-05] (IObit)
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\...\Run: [Uploader] => C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [127080 2014-09-17] (Seagate Technology LLC)
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [704512 2009-04-10] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [msnmsgr] => "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
HKU\S-1-5-18\...\Run: [GCS] => "C:\PROGRAM FILES\GRABCLIPSAVE\GRABCLIPSAVE.EXE"
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2014-12-03] (AVAST Software)
ShellIconOverlayIdentifiers: [SlowFile Icon Overlay] -> {7D688A77-C613-11D0-999B-00C04FD655E1} => C:\WINDOWS\SYSTEM\SHELL32.DLL No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://toolbar.i-lookup.com/search.html
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-lookup.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.i-lookup.com/search.html
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {3A9A5C13-2D3F-49E8-8BD6-F8DD111E6162} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\S-1-5-21-4092789914-3921467535-3769324934-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4092789914-3921467535-3769324934-1000 -> {3A9A5C13-2D3F-49E8-8BD6-F8DD111E6162} URL =
SearchScopes: HKU\S-1-5-21-4092789914-3921467535-3769324934-1000 -> {4ECD9BFB-55E9-42E0-A875-21F5822773FC} URL =
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22] (Adobe Systems Incorporated)
BHO: AdPopper Class -> {34D516EA-40E3-4E3B-8BA8-505112738ED5} -> C:\WINDOWS\SYSTEM\CTAVP3.DLL No File
BHO: BHO Class -> {61D029AC-972B-49FE-A155-962DFA0A37BB} -> C:\WINDOWS\SYSTEM\INEB.DLL No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-04-15] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-12-03] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Advanced SystemCare Surfing Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll [2015-04-05] (IObit)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-04-15] (Oracle Corporation)
BHO: No Name -> {FFFFFEF0-5B30-21D4-945D-000000000000} -> C:\PROGRA~1\STARDO~1\SDIEINT.DLL No File
Toolbar: HKLM - &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX No File
Toolbar: HKLM - Search Bar - {B418B139-414D-4374-820F-EE74520C5A0D} - C:\WINDOWS\SYSTEM\CTAVP3.DLL No File
Toolbar: HKLM - I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL No File
DPF: {31564D57-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {4580026C-022A-4FDA-87BC-EDA848D0B7A6} http://66.51.29.59/ctavp.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-1_4_1_01-windows-i586.cab
DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} http://windowsupdate.microsoft.com/R1116/V31Controls/x86/w98/en/actsetup.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://active.macromedia.com/flash2/cabs/swflash.cab
DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} http://toolbar.i-lookup.com/ineb.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INFORMATION RETRIEVAL\ITSS50.DLL No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-07] (Microsoft Corporation)
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL No File
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\SYSTEM\SHDOC401.DLL No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1C517DEB-59CF-4806-A1BA-A71265252F3D}: [NameServer] 156.154.70.22,156.154.71.22

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-04-15] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin HKU\.DEFAULT: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll No File
FF Plugin HKU\S-1-5-21-4092789914-3921467535-3769324934-1000: tdameritrade.com/thinkorswim -> C:\Program Files\thinkorswim\npthinkorswim.dll [2015-04-24] (TD Ameritrade)
FF Plugin HKU\S-1-5-21-4092789914-3921467535-3769324934-1000: tdameritrade.com/tossc -> C:\Program Files\thinkorswim\nptossc.dll [2015-04-24] (TD Ameritrade)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-07-19]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-07-19]

Chrome:
=======
CHR Profile: C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-19]
CHR Extension: (Google Drive) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-19]
CHR Extension: (YouTube) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-19]
CHR Extension: (Google Search) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-19]
CHR Extension: (avast! Online Security) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-07-19]
CHR Extension: (Google Wallet) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-19]
CHR Extension: (Gmail) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-19]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-04]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
R2 AdvancedSystemCareService8; C:\Program Files\IObit\Advanced SystemCare 8\ASCService.exe [815392 2015-04-05] (IObit)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-03] (AVAST Software)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4351816 2015-04-21] (COMODO) [File not signed]
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [1664728 2015-04-21] (COMODO)
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-02] (Hewlett-Packard) [File not signed]
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2008-06-09] (Hewlett-Packard Company) [File not signed]
S2 LiveUpdateSvc; C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe [2724128 2015-04-05] (IObit)
R2 Seagate Dashboard Services; C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-09-17] (Seagate Technology LLC)
R2 Seagate MobileBackup Service; C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe [157776 2014-09-17] (Seagate Technology LLC)
R3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-12-03] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2014-12-03] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55240 2014-12-03] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-12-03] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787800 2014-12-03] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423784 2014-12-03] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57928 2014-12-03] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [206248 2014-12-03] ()
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [17088 2015-04-01] (COMODO) [File not signed]
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [622192 2015-04-01] (COMODO) [File not signed]
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [40736 2015-04-01] (COMODO) [File not signed]
R3 HSXHWBS3; C:\Windows\System32\DRIVERS\HSXHWBS3.sys [207360 2008-02-12] (Conexant Systems, Inc.)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [91200 2015-04-01] (COMODO) [File not signed]
R0 PxHelp20; C:\Windows\System32\DRIVERS\PxHelp20.sys [20016 2004-12-20] (Sonic Solutions) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
R3 cpuz136; \??\C:\Users\Den\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [X]
U0x03000000 DcArdv; \SystemRoot\System32\Drivers\DcArdv.sys [X]
U0x03000000 DcCam; \SystemRoot\System32\Drivers\DcCam.sys [X]
U0x03000000 DcFpoint; \SystemRoot\System32\Drivers\DcFpoint.sys [X]
U0x03000000 DcLps; \SystemRoot\System32\Drivers\DcLps.sys [X]
U0x03000000 DcPtp; \SystemRoot\System32\Drivers\DcPtp.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000}; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [X]
U0x01000000 WDMFS; \SystemRoot\System32\Drivers\wdmfs.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-25 15:31 - 2015-04-25 15:31 - 00021210 _____ () C:\Users\Den\Desktop\FRST.txt
2015-04-25 15:29 - 2015-04-25 15:31 - 00000000 ____D () C:\FRST
2015-04-25 15:28 - 2015-04-25 15:28 - 01139200 _____ (Farbar) C:\Users\Den\Desktop\FRST.exe
2015-04-25 14:30 - 2015-04-25 14:30 - 335078520 _____ () C:\Users\Den\Desktop\backup Sat 4-25-15.reg
2015-04-25 13:44 - 2015-04-25 13:44 - 02224640 _____ () C:\Users\Den\Desktop\adwcleaner_4.202.exe
2015-04-24 12:09 - 2015-04-24 12:09 - 00000000 ____D () C:\Users\Den\AppData\Local\{C3D7C352-48F4-4374-92C4-C50C7AAF2E32}
2015-04-23 23:44 - 2015-04-23 23:44 - 00000000 ____D () C:\Users\Den\AppData\Local\{1A90C259-522A-4D83-A775-DA90675A85EE}
2015-04-23 09:37 - 2015-04-23 09:37 - 00000000 ____D () C:\Users\Den\AppData\Local\{F6F21EE0-5B66-435A-978E-86B02F4D7CCC}
2015-04-22 22:53 - 2015-04-23 15:39 - 00000000 ____D () C:\Users\Den\Desktop\new vypyr
2015-04-22 13:02 - 2015-04-22 13:03 - 00000000 ____D () C:\Users\Den\AppData\Local\{28BF4E55-F515-420A-9AFB-A3CBFA91C1DE}
2015-04-21 20:45 - 2015-04-21 20:46 - 00000000 ____D () C:\Users\Den\AppData\Local\{8B58D68B-5E24-45DC-963E-0BFBC95A5335}
2015-04-21 20:42 - 2015-04-25 15:29 - 00000000 ____D () C:\Users\Den\Desktop\BLEEPING
2015-04-21 19:02 - 2015-04-22 22:59 - 00008376 _____ () C:\Windows\system32\Drivers\fvstore.dat
2015-04-21 18:20 - 2014-12-03 20:56 - 00291352 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-04-21 12:33 - 2015-04-21 12:33 - 00000000 ____D () C:\Users\Den\AppData\Local\{FD4D5BCE-F9D9-40CD-B366-F382B8A97A3D}
2015-04-20 22:05 - 2015-04-20 22:05 - 00000000 ____D () C:\Users\Den\AppData\Local\{A70CBC4D-F40C-4190-B536-1EE1ECD5000C}
2015-04-20 18:27 - 2015-04-22 06:13 - 00001100 _____ () C:\Windows\PFRO.log
2015-04-20 13:31 - 2015-04-20 13:31 - 00000000 ___HD () C:\VTRoot
2015-04-20 07:00 - 2015-04-20 07:00 - 00000000 ____D () C:\Users\Den\AppData\Local\{6B0E476E-C002-422D-8646-4B88CC333ACF}
2015-04-19 16:58 - 2015-04-19 16:58 - 00000000 ____D () C:\Users\Den\AppData\Local\{7AEB6513-9F3A-4F5B-9275-E03F087B1A03}
2015-04-19 10:47 - 2015-04-19 10:47 - 00000000 ____D () C:\Users\Den\AppData\Local\{FC981F22-E5A0-410C-A5C2-F53184AB5E7E}
2015-04-19 08:34 - 2015-04-19 08:34 - 00000000 ____D () C:\Program Files\Common Files\Java(7)
2015-04-18 22:46 - 2015-04-18 22:46 - 00000000 ____D () C:\Users\Den\AppData\Local\{C1DA7CD7-2631-4112-8C5E-0422848160A1}
2015-04-18 09:18 - 2015-04-18 09:18 - 00000000 ____D () C:\Users\Den\AppData\Local\{6C0BAE1D-D1AE-453B-9DC3-8B3CBBCE025F}
2015-04-17 21:16 - 2015-04-17 21:17 - 00000000 ____D () C:\Users\Den\AppData\Local\{7368F788-3D8A-4EEF-B130-8C3E085AB198}
2015-04-17 17:35 - 2015-04-17 17:35 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-04-17 17:29 - 2015-04-17 17:29 - 00297984 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-04-17 17:29 - 2015-04-17 17:29 - 00244152 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2015-04-17 17:29 - 2015-04-17 17:29 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\clfsw32.dll
2015-04-17 17:28 - 2015-04-17 17:28 - 03604920 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-04-17 17:28 - 2015-04-17 17:28 - 03552184 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-04-17 17:28 - 2015-04-17 17:28 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 01803264 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 01139200 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-04-17 17:24 - 2015-04-17 17:24 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-04-17 17:24 - 2015-04-17 17:24 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-04-17 17:24 - 2015-03-09 18:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-04-17 17:23 - 2015-04-17 17:23 - 12377600 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 09747968 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-04-17 17:23 - 2015-04-17 17:23 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-04-17 17:23 - 2015-04-17 17:23 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-04-17 17:23 - 2015-03-09 19:03 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-04-17 09:15 - 2015-04-17 09:15 - 00000000 ____D () C:\Users\Den\AppData\Local\{905E06F1-91C9-4EED-A146-301EB9E6DD36}
2015-04-16 08:40 - 2015-04-16 08:40 - 00000000 ____D () C:\Users\Den\AppData\Local\{2147373E-B1D5-445F-985F-E3B002ED5432}
2015-04-15 18:49 - 2015-04-15 18:50 - 00000000 ____D () C:\Users\Den\AppData\Local\{705CC65F-D483-46C2-9B0F-F2BD2E5BA60D}
2015-04-15 17:31 - 2015-04-21 18:04 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-04-15 17:28 - 2015-04-25 15:02 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-15 06:48 - 2015-04-15 06:48 - 00000000 ____D () C:\Users\Den\AppData\Local\{768319C3-CC54-443E-9081-F690F21F864B}
2015-04-14 17:37 - 2015-04-14 17:37 - 00000000 ____D () C:\Users\Den\AppData\Local\{9D97853B-599A-4D84-A8A6-9D26CE50B8EC}
2015-04-13 21:17 - 2015-04-13 21:17 - 00000000 ____D () C:\Users\Den\AppData\Local\{7DAE1D75-63E3-4175-9652-BD7122E4A0AF}
2015-04-13 21:07 - 2015-04-13 21:08 - 00000000 ____D () C:\Users\Den\Desktop\John's range
2015-04-13 06:47 - 2015-04-13 06:47 - 00000000 ____D () C:\Users\Den\AppData\Local\{001D5410-41D0-419A-A894-624BBC561A68}
2015-04-12 14:01 - 2015-04-12 14:01 - 00000000 ____D () C:\Users\Den\AppData\Local\{647A41B6-94F2-4DCB-9F61-64C116689074}
2015-04-12 07:22 - 2015-04-12 07:22 - 00000000 ____D () C:\Users\Den\AppData\Local\{C549BCD9-4152-403C-B8F3-DE4B5424B807}
2015-04-11 09:32 - 2015-04-11 09:32 - 00000000 ____D () C:\Users\Den\AppData\Local\{8523527E-4C8F-4785-9309-C351E7777B17}
2015-04-10 21:54 - 2015-04-10 21:54 - 00004210 _____ () C:\Users\Den\Desktop\What You Must Know About Living Wills and Other End of Life Documents - Consumer Reports.url
2015-04-10 21:16 - 2015-04-10 21:16 - 00000000 ____D () C:\Users\Den\AppData\Local\{F2E87394-7504-425C-941F-EE24B458E2D7}
2015-04-10 09:14 - 2015-04-10 09:15 - 00000000 ____D () C:\Users\Den\AppData\Local\{1CEA5D9F-FF64-4928-9F12-83414B7F6C91}
2015-04-09 23:28 - 2015-04-09 23:29 - 00000000 ____D () C:\Users\Den\AppData\Local\{10DC94FF-437E-43AE-9FC0-B0009F1AA282}
2015-04-09 09:33 - 2015-04-09 09:33 - 00000000 ____D () C:\Users\Den\AppData\Local\{05AAC503-71FF-44FF-9F9C-B10906954125}
2015-04-08 20:32 - 2015-04-08 20:33 - 00000000 ____D () C:\Users\Den\AppData\Local\{E78BD531-BFA7-4930-A355-E97BD3BCE2BC}
2015-04-08 13:11 - 2015-04-08 13:12 - 00000000 ____D () C:\Users\Den\Desktop\What Browser
2015-04-08 07:29 - 2015-04-08 07:29 - 00000000 ____D () C:\Users\Den\AppData\Local\{1CDDFA22-2107-4C7B-9E29-0647D3940F13}
2015-04-07 10:25 - 2015-04-07 10:25 - 00000000 ____D () C:\Users\Den\AppData\Local\{D83A2E88-AD62-447E-849B-E5CCD172A574}
2015-04-06 22:23 - 2015-04-06 22:24 - 00000000 ____D () C:\Users\Den\AppData\Local\{E728A9B9-5208-492E-AC51-FD2603425DB5}
2015-04-06 07:19 - 2015-04-06 07:19 - 00000000 ____D () C:\Users\Den\AppData\Local\{67877BB2-3462-41B7-BF35-D85914F7C40E}
2015-04-06 06:41 - 2015-04-06 06:41 - 00000000 ____D () C:\Users\Den\AppData\Local\{0DC8054C-D340-4DF2-BE04-135B159C6029}
2015-04-05 18:22 - 2015-04-05 18:22 - 00000000 _____ () C:\Windows\setuperr.log
2015-04-05 18:22 - 2015-04-05 18:22 - 00000000 _____ () C:\Windows\setupact.log
2015-04-05 18:03 - 2015-04-05 18:05 - 44448424 _____ (IObit ) C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe
2015-04-05 13:46 - 2015-04-05 13:46 - 00000000 ____D () C:\Users\Den\AppData\Local\{A5A22256-A501-43E2-B40D-E86A8CA50208}
2015-04-04 22:17 - 2015-04-04 22:18 - 00000000 ____D () C:\Users\Den\AppData\Local\{9AB08C5C-7F21-458C-A9B4-707B2316AD97}
2015-04-04 20:41 - 2015-04-04 20:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
2015-04-04 20:40 - 2015-04-04 20:40 - 00000000 ____D () C:\ProgramData\Shared Space
2015-04-04 20:40 - 2015-04-04 20:40 - 00000000 ____D () C:\Program Files\COMODO
2015-04-04 20:38 - 2015-04-04 20:38 - 00000000 ____D () C:\ProgramData\Comodo Downloader
2015-04-04 20:35 - 2015-04-04 20:45 - 00000000 ____D () C:\ProgramData\Comodo
2015-04-04 20:17 - 2015-04-04 20:17 - 00144592 _____ () C:\Windows\Minidump\Mini040415-01.dmp
2015-04-04 18:53 - 2015-04-04 20:24 - 00000000 ____D () C:\Windows\erdnt
2015-04-04 08:01 - 2015-04-04 08:02 - 00000000 ____D () C:\Users\Den\AppData\Local\{1ED59627-CF5C-4935-8A66-A1266BE746EF}
2015-04-03 18:45 - 2015-04-24 15:57 - 00000000 ____D () C:\Users\Den\Desktop\Susan's washer
2015-04-03 11:09 - 2015-04-03 11:10 - 00000000 ____D () C:\Users\Den\AppData\Local\{7176EAB6-22AF-4394-BF08-EB377D1D5B86}
2015-04-02 22:57 - 2015-04-02 22:57 - 00000000 ____D () C:\Users\Den\AppData\Local\{B0B4DF55-4111-4E5F-BB4B-3B95D07076F1}
2015-04-02 10:28 - 2015-04-02 10:28 - 00000000 ____D () C:\Users\Den\AppData\Local\{1261530E-8D82-4756-A200-2EBABB44A689}
2015-04-01 22:26 - 2015-04-01 22:27 - 00000000 ____D () C:\Users\Den\AppData\Local\{AE6DE021-D146-4095-9FCB-F4DE2BA69613}
2015-04-01 07:04 - 2015-04-01 07:05 - 00000000 ____D () C:\Users\Den\AppData\Local\{B7C51BF6-3661-4D3F-AFCD-39C6B300972A}
2015-03-31 10:08 - 2015-03-31 10:08 - 00000000 ____D () C:\Users\Den\AppData\Local\{3FACDD5D-2CE5-487D-B6D6-6FC54EF0E233}
2015-03-30 19:00 - 2015-04-21 18:54 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-03-30 19:00 - 2015-03-30 19:00 - 00000000 ____D () C:\Users\Den\AppData\Roaming\SUPERAntiSpyware.com
2015-03-30 19:00 - 2015-03-30 19:00 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-03-30 19:00 - 2015-03-30 19:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-03-30 18:15 - 2015-03-30 18:15 - 00000000 ____D () C:\Windows\pss
2015-03-30 17:20 - 2015-03-30 18:07 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-03-30 12:25 - 2015-03-30 12:25 - 00000257 _____ () C:\Users\Den\Desktop\Project Gutenberg Australia free ebooks.url
2015-03-30 12:25 - 2015-03-30 12:25 - 00000220 _____ () C:\Users\Den\Desktop\Free ebooks - Project Gutenberg.url
2015-03-29 21:56 - 2015-03-29 21:56 - 00000000 ____D () C:\Users\Den\AppData\Local\{8DF8C402-9F42-4A40-B25C-1BA71C8E6869}
2015-03-28 22:55 - 2015-03-28 22:55 - 00000000 ____D () C:\Users\Den\AppData\Local\{8A669104-5D76-4A15-AB38-973CC2911089}
2015-03-28 22:50 - 2015-03-29 18:46 - 00000000 ____D () C:\Users\Den\Documents\tdsskiller
2015-03-28 22:06 - 2015-04-05 17:54 - 00000000 ____D () C:\Windows\Minidump
2015-03-28 22:06 - 2015-04-04 20:17 - 319000903 _____ () C:\Windows\MEMORY.DMP
2015-03-28 22:01 - 2015-03-28 22:02 - 16727128 _____ () C:\Users\Den\Downloads\RogueKiller2.exe
2015-03-28 16:22 - 2015-03-28 16:22 - 00000842 _____ () C:\Users\Den\Desktop\Tampatec - YouTube.url
2015-03-28 09:42 - 2015-03-28 09:42 - 00000000 ____D () C:\Users\Den\AppData\Local\{2FF63A89-0C28-4B7A-B83C-A24E2184FF7E}
2015-03-27 13:22 - 2015-03-27 13:22 - 00000000 ____D () C:\Users\Den\AppData\Local\{ED821CB0-29DA-43A8-B9F9-E5D12207D232}
2015-03-26 22:53 - 2015-03-26 22:53 - 00000000 ____D () C:\Users\Den\AppData\Local\{FD441B24-206C-4FF5-A411-17FFDFCEE292}
2015-03-26 14:06 - 2015-04-15 16:01 - 00000000 ____D () C:\Users\Den\Desktop\Larry Jerry
2015-03-26 10:43 - 2015-03-26 10:43 - 00000000 ____D () C:\Users\Den\AppData\Local\{A4054DA9-FCB6-4467-AEDE-3308A0BFE63E}

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-25 15:21 - 2006-11-02 08:45 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-25 15:21 - 2006-11-02 08:45 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-25 14:47 - 2014-07-19 17:37 - 00015120 _____ () C:\Users\Den\Desktop\RAYS 2012.txt
2015-04-25 14:47 - 2014-07-19 17:37 - 00011475 _____ () C:\Users\Den\Desktop\MARLINS 2012.txt
2015-04-25 14:47 - 2014-07-19 17:37 - 00008638 _____ () C:\Users\Den\Desktop\CUBS 2012.txt
2015-04-25 13:47 - 2015-01-26 16:10 - 00000000 ____D () C:\AdwCleaner
2015-04-25 10:14 - 2014-07-19 14:17 - 02067090 _____ () C:\Windows\WindowsUpdate.log
2015-04-25 10:03 - 2014-07-19 16:07 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-04-25 09:55 - 2014-07-19 17:17 - 00000000 ____D () C:\Users\Den\Desktop\1RECYCLE
2015-04-25 09:25 - 2006-11-02 06:33 - 00837094 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-25 09:21 - 2006-11-02 08:58 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-24 19:58 - 2006-11-02 08:58 - 00032600 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-24 18:00 - 2014-07-19 17:21 - 00000000 ___RD () C:\Users\Den\Desktop\Bevel Auctions
2015-04-24 16:05 - 2014-07-27 16:43 - 00000000 ____D () C:\Program Files\thinkorswim
2015-04-24 16:05 - 2014-07-21 09:34 - 00000000 ____D () C:\Users\Den\.thinkorswim
2015-04-23 11:26 - 2014-09-14 06:25 - 00000000 ____D () C:\Users\Den\AppData\Local\CrashDumps
2015-04-23 09:03 - 2014-12-04 18:04 - 00000000 ____D () C:\ProgramData\ProductData
2015-04-22 12:23 - 2014-08-05 10:24 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2015-04-22 06:35 - 2014-07-19 12:28 - 00000000 ____D () C:\Windows\system32\MRT
2015-04-22 06:30 - 2006-11-02 06:24 - 125832184 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-04-21 21:21 - 2014-07-19 17:40 - 00000000 ____D () C:\Users\Den\Documents\.Bob Rankin
2015-04-21 19:37 - 2014-07-19 17:30 - 00000000 ____D () C:\Users\Den\Desktop\Malware tools
2015-04-21 18:06 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\system32\Msdtc
2015-04-21 18:05 - 2006-11-02 06:22 - 38273024 _____ () C:\Windows\system32\config\software_previous
2015-04-21 18:05 - 2006-11-02 06:22 - 38010880 _____ () C:\Windows\system32\config\components_previous
2015-04-21 18:05 - 2006-11-02 06:22 - 30670848 _____ () C:\Windows\system32\config\system_previous
2015-04-21 18:05 - 2006-11-02 06:22 - 00262144 _____ () C:\Windows\system32\config\security_previous
2015-04-21 18:05 - 2006-11-02 06:22 - 00262144 _____ () C:\Windows\system32\config\sam_previous
2015-04-21 18:05 - 2006-11-02 06:22 - 00262144 _____ () C:\Windows\system32\config\default_previous
2015-04-21 18:04 - 2014-12-04 18:05 - 00000000 ____D () C:\Users\Den\AppData\Roaming\ProductData
2015-04-21 18:04 - 2014-12-04 18:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 8
2015-04-21 18:04 - 2014-08-09 09:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-04-21 18:04 - 2014-08-09 09:45 - 00000000 ____D () C:\Program Files\Java
2015-04-21 18:04 - 2014-07-19 21:13 - 00000000 ____D () C:\Users\Den\Downloads\acv311
2015-04-21 18:04 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\system32\spool
2015-04-21 18:04 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\registration
2015-04-17 19:50 - 2014-07-19 17:29 - 00000000 ____D () C:\Users\Den\Desktop\Guitars
2015-04-17 17:34 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-04-17 08:54 - 2014-08-03 23:37 - 00001214 _____ () C:\Users\Den\AppData\Roaming\wklnhst.dat
2015-04-15 17:30 - 2014-08-09 09:45 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-04-15 17:28 - 2014-07-20 19:18 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-04-15 17:28 - 2014-07-20 19:18 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-04-09 15:07 - 2014-09-04 18:08 - 00000000 ____D () C:\Users\Den\Desktop\Softball
2015-04-09 10:34 - 2014-07-19 17:23 - 00000000 ____D () C:\Users\Den\Desktop\DUCATI sites
2015-04-07 15:33 - 2014-07-19 18:38 - 00000000 ___RD () C:\Users\Den\Desktop\Songs from DELL HD
2015-04-05 17:59 - 2015-02-02 07:52 - 37748736 _____ () C:\Windows\system32\config\COMPONENTS.iobit
2015-04-05 17:59 - 2015-02-02 07:52 - 36839424 _____ () C:\Windows\system32\config\SOFTWARE.iobit
2015-04-05 17:59 - 2015-02-02 07:52 - 00208896 _____ () C:\Windows\system32\config\DEFAULT.iobit
2015-04-05 17:59 - 2015-02-02 07:52 - 00057344 _____ () C:\Windows\system32\config\SAM.iobit
2015-04-05 17:59 - 2015-02-02 07:52 - 00024576 _____ () C:\Windows\system32\config\SECURITY.iobit
2015-04-04 20:29 - 2014-07-19 11:28 - 00075704 _____ () C:\Users\Den\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-04 20:28 - 2006-11-02 08:44 - 00296936 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-04-04 19:27 - 2006-11-02 07:18 - 00000000 __RHD () C:\Users\Default
2015-04-04 19:27 - 2006-11-02 07:18 - 00000000 ___RD () C:\Users\Public
2015-04-04 19:25 - 2006-11-02 06:23 - 00000215 _____ () C:\Windows\system.ini
2015-04-04 19:23 - 2014-07-19 11:23 - 00000000 ____D () C:\Users\Den\AppData\Local\Adobe
2015-04-04 17:07 - 2014-07-19 18:02 - 00000000 ____D () C:\Users\Den\Desktop\Katy
2015-04-01 21:32 - 2014-07-20 23:25 - 00008192 _____ () C:\Users\Den\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-04-01 17:39 - 2014-07-19 17:40 - 00000000 ____D () C:\Users\Den\Documents\Dwaine Williams
2015-04-01 13:49 - 2015-01-30 12:27 - 00622192 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2015-04-01 13:49 - 2015-01-30 12:27 - 00091200 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2015-04-01 13:49 - 2015-01-30 12:27 - 00040736 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2015-04-01 13:49 - 2015-01-30 12:27 - 00017088 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2015-04-01 13:48 - 2015-01-30 12:27 - 00444472 _____ (COMODO) C:\Windows\system32\guard32.dll
2015-04-01 13:48 - 2015-01-30 12:27 - 00033520 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2015-04-01 13:45 - 2015-01-30 12:27 - 00288472 _____ (COMODO) C:\Windows\system32\cmdvrt32.dll
2015-04-01 13:45 - 2015-01-30 12:27 - 00040664 _____ (COMODO) C:\Windows\system32\cmdkbd32.dll
2015-03-30 19:23 - 2014-07-19 17:19 - 00000000 ____D () C:\Users\Den\Desktop\Baseball Instructions
2015-03-30 14:40 - 2014-07-19 17:17 - 00000000 ____D () C:\Users\Den\Desktop\.Ricks Buckets Parrot Jacks
2015-03-30 13:55 - 2014-12-11 18:19 - 00000328 _____ () C:\Users\Den\Desktop\Walgreens Photo Center MSN dh3232323.url
2015-03-29 19:15 - 2014-07-20 19:28 - 00000052 _____ () C:\Windows\system32\DOErrors.log
2015-03-29 18:46 - 2015-02-04 08:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-03-29 18:46 - 2014-07-20 17:49 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-03-28 22:09 - 2014-07-20 17:49 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-28 15:50 - 2015-03-16 22:01 - 00000000 ____D () C:\Users\Den\Desktop\Dynex DX-220LD150A11

==================== Files in the root of some directories =======

2014-07-20 18:35 - 2014-07-20 18:51 - 0000637 _____ () C:\Users\Den\AppData\Roaming\pacemaker.ini
2014-07-20 18:35 - 2014-07-20 18:35 - 0000010 _____ () C:\Users\Den\AppData\Roaming\pacemaker_songparams.txt
2014-07-19 16:08 - 2014-07-28 18:30 - 0031007 _____ () C:\Users\Den\AppData\Roaming\UserTile.png
2014-08-03 23:37 - 2015-04-17 08:54 - 0001214 _____ () C:\Users\Den\AppData\Roaming\wklnhst.dat
2014-07-19 16:24 - 2014-08-01 11:22 - 0001356 _____ () C:\Users\Den\AppData\Local\d3d9caps.dat
2014-07-20 23:25 - 2015-04-01 21:32 - 0008192 _____ () C:\Users\Den\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-21 00:21 - 2014-07-21 00:21 - 0000057 _____ () C:\ProgramData\Ament.ini
2008-08-25 09:13 - 2008-08-25 09:14 - 0000349 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-25 09:27

==================== End Of Log ============================


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 26 April 2015 - 10:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove the YTD Video Downloader using the Add/Remove Programs applet.
YTD Video Downloader 4.8.4 (HKLM\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.8.4 - GreenTree Applications SRL) <==== ATTENTION
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CreateRestorePoint:
CloseProcesses:

ShellIconOverlayIdentifiers: [SlowFile Icon Overlay] -> {7D688A77-C613-11D0-999B-00C04FD655E1} => C:\WINDOWS\SYSTEM\SHELL32.DLL No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://toolbar.i-lookup.com/search.html
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-lookup.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.i-lookup.com/search.html
BHO: AdPopper Class -> {34D516EA-40E3-4E3B-8BA8-505112738ED5} -> C:\WINDOWS\SYSTEM\CTAVP3.DLL No File
BHO: BHO Class -> {61D029AC-972B-49FE-A155-962DFA0A37BB} -> C:\WINDOWS\SYSTEM\INEB.DLL No File
BHO: No Name -> {FFFFFEF0-5B30-21D4-945D-000000000000} -> C:\PROGRA~1\STARDO~1\SDIEINT.DLL No File
Toolbar: HKLM - &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX No File
Toolbar: HKLM - Search Bar - {B418B139-414D-4374-820F-EE74520C5A0D} - C:\WINDOWS\SYSTEM\CTAVP3.DLL No File
Toolbar: HKLM - I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL No File
DPF: {4580026C-022A-4FDA-87BC-EDA848D0B7A6} http://66.51.29.59/ctavp.cab
DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} http://toolbar.i-lookup.com/ineb.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INFORMATION RETRIEVAL\ITSS50.DLL No File
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL No File
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\SYSTEM\SHDOC401.DLL No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin HKU\.DEFAULT: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll No File
CHR Extension: (avast! Online Security) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-07-19]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-04]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-03]
R3 cpuz136; \??\C:\Users\Den\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [X]
U0x03000000 DcArdv; \SystemRoot\System32\Drivers\DcArdv.sys [X]
U0x03000000 DcCam; \SystemRoot\System32\Drivers\DcCam.sys [X]
U0x03000000 DcFpoint; \SystemRoot\System32\Drivers\DcFpoint.sys [X]
U0x03000000 DcLps; \SystemRoot\System32\Drivers\DcLps.sys [X]
U0x03000000 DcPtp; \SystemRoot\System32\Drivers\DcPtp.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000}; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [X]
U0x01000000 WDMFS; \SystemRoot\System32\Drivers\wdmfs.sys [X]
AlternateDataStreams: C:\Windows\system32\clfs.sys:$CmdTcID
AlternateDataStreams: C:\Windows\system32\clfsw32.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\dxtmsft.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\dxtrans.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\FlashPlayerApp.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\gdi32.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ieframe.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\iertutil.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ieui.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ieUnatt.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\inetcpl.cpl:$CmdTcID
AlternateDataStreams: C:\Windows\system32\jscript.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\jscript9.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\jsproxy.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\MpSigStub.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mrt.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msfeeds.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msfeedsbs.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msfeedssync.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mshta.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mshtml.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mshtmled.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msxml3.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ntdll.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ntkrnlpa.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ntoskrnl.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\url.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\urlmon.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\vbscript.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\wininet.dll:$CmdTcID
AlternateDataStreams: C:\Users\Den\Desktop\adwcleaner_4.202.exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Desktop\adwcleaner_4.202.exe:$CmdZnID
AlternateDataStreams: C:\Users\Den\Desktop\FRST.exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe:$CmdZnID
AlternateDataStreams: C:\Users\Den\Documents\View your 2010 prescription claims summary today_.eml:OECustomProperty

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

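
The fixlist above works by deleting registrations whose target binary is gone (the lines FRST prints with "No File"), services whose driver file is missing ("[X]"), two policy keys and a set of named alternate data streams. A practitioner will want to see those same persistence points live on the machine, before the fix and again after the reboot. The PowerShell script below is an added example written for this page; it is not nasdaq's, Farbar's or FRST's code. It walks the registry locations behind FRST's BHO:, Toolbar:, Handler:, Filter:, DPF:, policy and service lines, reports only dangling entries, prints the IE start/search pages in HKCU and HKU\.DEFAULT, and lists named streams on system32 binaries. It assumes an elevated prompt on PowerShell 2.0 or later (Vista's shipped version; the Get-Item -Stream branch needs 3.0+), and the function names Resolve-ModulePath, Get-ClsidModule and Test-Clsid are mine.

```powershell
# Added triage script for this thread (not nasdaq's or Farbar's code): re-checks, live on the machine,
# the hijack points the fixlist targets. Needs an elevated prompt; PowerShell 2.0+ (Vista), -Stream needs 3.0+.
function Resolve-ModulePath([string]$Raw) {
    # ImagePath / InprocServer32 value -> plain path: expand %SystemRoot%, drop quotes/arguments, strip \??\ and \SystemRoot\.
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $p = ($p -split '\s+(?=[-/])')[0]
    }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # "system32\DRIVERS\x.sys" is relative to %SystemRoot%
    return $p
}
function Get-ClsidModule([string]$Clsid) {
    # The binary behind a CLSID is the default value of HKCR\CLSID\{...}\InprocServer32 (or LocalServer32).
    foreach ($server in 'InprocServer32', 'LocalServer32') {
        $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\$server"
        if (Test-Path -LiteralPath $key) {
            $v = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($v) { return Resolve-ModulePath $v }
        }
    }
    return $null
}
function Test-Clsid([string]$Kind, [string]$Clsid) {
    # Report only dangling registrations; these are the entries FRST prints with "No File".
    $mod = Get-ClsidModule $Clsid
    if (-not $mod) { "[$Kind] $Clsid -> (no CLSID server entry)" }
    elseif (-not (Test-Path -LiteralPath $mod)) { "[$Kind] $Clsid -> $mod  <== No File" }
}

# 1. IE policy keys (FRST: "Policy restriction <======= ATTENTION"). Normal under domain Group Policy; planted on a home PC.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Internet Explorer"
    if (Test-Path -LiteralPath $key) {
        "[Policy] $key"
        Get-ChildItem -LiteralPath $key -Recurse | ForEach-Object { '    ' + $_.Name }
    }
}
# 2. Start/search pages for the current user and for HKU\.DEFAULT, where the i-lookup.com values sat.
foreach ($main in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                  'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main') {
    if (Test-Path -LiteralPath $main) {
        $props = Get-ItemProperty -LiteralPath $main
        foreach ($name in 'Start Page', 'Search Page', 'Search Bar', 'Default_Page_URL') {
            if ($props.$name) { "[IE Main] $main : $name = $($props.$name)" }
        }
    }
}
# 3. BHOs, toolbars, protocol handlers/filters and ActiveX Distribution Units (FRST: BHO:/Toolbar:/Handler:/Filter:/DPF:).
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bho) { Get-ChildItem -LiteralPath $bho | ForEach-Object { Test-Clsid 'BHO' $_.PSChildName } }
$tb = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Test-Path -LiteralPath $tb) {
    (Get-Item -LiteralPath $tb).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object { Test-Clsid 'Toolbar' $_ }
}
foreach ($kind in 'Handler', 'Filter') {
    Get-ChildItem -LiteralPath "Registry::HKEY_CLASSES_ROOT\PROTOCOLS\$kind" -Recurse | ForEach-Object {
        $clsid = (Get-ItemProperty -LiteralPath $_.PSPath).CLSID
        if ($clsid) { Test-Clsid ($_.Name -replace '^HKEY_CLASSES_ROOT\\PROTOCOLS\\', '') $clsid }
    }
}
$dpf = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
if (Test-Path -LiteralPath $dpf) {
    Get-ChildItem -LiteralPath $dpf | ForEach-Object {
        # Every DPF entry deserves a look: CODEBASE is a URL IE was once allowed to fetch a .cab from.
        $info = Join-Path $_.PSPath 'DownloadInformation'; $codebase = ''
        if (Test-Path -LiteralPath $info) { $codebase = (Get-ItemProperty -LiteralPath $info).CODEBASE }
        "[DPF] $($_.PSChildName) $codebase"
    }
}
# 4. Services and drivers whose ImagePath points at a file that no longer exists (FRST: "[X]").
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img) {
        $path = Resolve-ModulePath $img
        if (-not (Test-Path -LiteralPath $path)) { "[Service] $($_.PSChildName) -> $path  <== [X]" }
    }
}
# 5. Named alternate data streams on system32 binaries (FRST: AlternateDataStreams:). $CmdTcID/$CmdZnID are the tags
#    Comodo Internet Security (installed 2015-04-04 per the log) writes on rated files; unattributable stream names matter.
if ($PSVersionTable.PSVersion.Major -ge 3) {
    Get-ChildItem "$env:SystemRoot\system32\*" -Include *.dll, *.exe, *.sys, *.cpl -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue | Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { "[ADS] $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
} else {
    # PowerShell 2.0 has no -Stream parameter; dir /R lists named streams as "file:stream:$DATA".
    cmd /c dir /R "$env:SystemRoot\system32" | Select-String -Pattern ':\$' | ForEach-Object { '[ADS] ' + $_.Line.Trim() }
}
```

Vista's default execution policy blocks scripts, so save it as a .ps1 and start it with `powershell.exe -ExecutionPolicy Bypass -File <script>` from an Administrator prompt; a clean machine prints nothing for sections 1, 3 and 4. Two things the output makes clearer than the raw FRST lines: every BHO, toolbar, handler and filter in the fixlist resolves to a C:\WINDOWS\SYSTEM\... or C:\PROGRA~1\... path from a Windows 9x/IE4-era layout that does not exist on a Vista install, so they read as stale registry remnants (the I-Lookup.com bar and AdPopper entries included) rather than code that can still load, and removing them is hygiene rather than eviction; and the streams list is dominated by Comodo's own tags, which will reappear after the fix because the product is still installed. Deleting the HKLM and HKU Policies\...\Internet Explorer keys also wipes any legitimate restriction set there, which is acceptable on a stand-alone home PC but not on a managed one.
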
#4 Den.

Den.
  • Topic Starter

  • Members
  • 34 posts
  • Gender:Male
  • Local time:05:47 AM

Posted 26 April 2015 - 09:07 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-04-2015
Ran by Den at 2015-04-26 20:33:31 Run:1
Running from C:\Users\Den\Desktop\BLEEPING
Loaded Profiles: Den (Available profiles: Den)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CreateRestorePoint:
CloseProcesses:

ShellIconOverlayIdentifiers: [SlowFile Icon Overlay] -> {7D688A77-C613-11D0-999B-00C04FD655E1} => C:\WINDOWS\SYSTEM\SHELL32.DLL No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://toolbar.i-lookup.com/search.html
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-lookup.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.i-lookup.com/search.html
BHO: AdPopper Class -> {34D516EA-40E3-4E3B-8BA8-505112738ED5} -> C:\WINDOWS\SYSTEM\CTAVP3.DLL No File
BHO: BHO Class -> {61D029AC-972B-49FE-A155-962DFA0A37BB} -> C:\WINDOWS\SYSTEM\INEB.DLL No File
BHO: No Name -> {FFFFFEF0-5B30-21D4-945D-000000000000} -> C:\PROGRA~1\STARDO~1\SDIEINT.DLL No File
Toolbar: HKLM - &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX No File
Toolbar: HKLM - Search Bar - {B418B139-414D-4374-820F-EE74520C5A0D} - C:\WINDOWS\SYSTEM\CTAVP3.DLL No File
Toolbar: HKLM - I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL No File
DPF: {4580026C-022A-4FDA-87BC-EDA848D0B7A6} http://66.51.29.59/ctavp.cab
DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} http://toolbar.i-lookup.com/ineb.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\INFORMATION RETRIEVAL\ITSS50.DLL No File
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\MSDAIPP.DLL No File []
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL No File
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM\urlmon.dll No File
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\SYSTEM\SHDOC401.DLL No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin HKU\.DEFAULT: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll No File
CHR Extension: (avast! Online Security) - C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-07-19]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-04]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-03]
R3 cpuz136; \??\C:\Users\Den\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [X]
U0x03000000 DcArdv; \SystemRoot\System32\Drivers\DcArdv.sys [X]
U0x03000000 DcCam; \SystemRoot\System32\Drivers\DcCam.sys [X]
U0x03000000 DcFpoint; \SystemRoot\System32\Drivers\DcFpoint.sys [X]
U0x03000000 DcLps; \SystemRoot\System32\Drivers\DcLps.sys [X]
U0x03000000 DcPtp; \SystemRoot\System32\Drivers\DcPtp.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000}; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [X]
U0x01000000 WDMFS; \SystemRoot\System32\Drivers\wdmfs.sys [X]
AlternateDataStreams: C:\Windows\system32\clfs.sys:$CmdTcID
AlternateDataStreams: C:\Windows\system32\clfsw32.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\dxtmsft.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\dxtrans.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\FlashPlayerApp.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\gdi32.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ieframe.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\iertutil.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ieui.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ieUnatt.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\inetcpl.cpl:$CmdTcID
AlternateDataStreams: C:\Windows\system32\jscript.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\jscript9.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\jsproxy.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\MpSigStub.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mrt.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msfeeds.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msfeedsbs.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msfeedssync.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mshta.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mshtml.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\mshtmled.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\msxml3.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ntdll.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ntkrnlpa.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\ntoskrnl.exe:$CmdTcID
AlternateDataStreams: C:\Windows\system32\url.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\urlmon.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\vbscript.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\wininet.dll:$CmdTcID
AlternateDataStreams: C:\Users\Den\Desktop\adwcleaner_4.202.exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Desktop\adwcleaner_4.202.exe:$CmdZnID
AlternateDataStreams: C:\Users\Den\Desktop\FRST.exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe:$CmdZnID
AlternateDataStreams: C:\Users\Den\Documents\View your 2010 prescription claims summary today_.eml:OECustomProperty

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SlowFile Icon Overlay" => Key deleted successfully.
"HKCR\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-4092789914-3921467535-3769324934-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34D516EA-40E3-4E3B-8BA8-505112738ED5}" => Key deleted successfully.
HKCR\CLSID\{34D516EA-40E3-4E3B-8BA8-505112738ED5} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61D029AC-972B-49FE-A155-962DFA0A37BB}" => Key deleted successfully.
HKCR\CLSID\{61D029AC-972B-49FE-A155-962DFA0A37BB} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFEF0-5B30-21D4-945D-000000000000}" => Key deleted successfully.
"HKCR\CLSID\{FFFFFEF0-5B30-21D4-945D-000000000000}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8E718888-423F-11D2-876E-00A0C9082467} => value deleted successfully.
"HKCR\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{B418B139-414D-4374-820F-EE74520C5A0D} => Value not found.
HKCR\CLSID\{B418B139-414D-4374-820F-EE74520C5A0D} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} => Value not found.
HKCR\CLSID\{8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} => Key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4580026C-022A-4FDA-87BC-EDA848D0B7A6}" => Key deleted successfully.
"HKCR\CLSID\{4580026C-022A-4FDA-87BC-EDA848D0B7A6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D35A69A7-7A34-4C67-814A-3F508C0BF371}" => Key deleted successfully.
"HKCR\CLSID\{D35A69A7-7A34-4C67-814A-3F508C0BF371}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\gopher" => Key deleted successfully.
"HKCR\CLSID\{79eac9e4-baf9-11ce-8c82-00aa004ba90b}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\http\0x00000001" => Key deleted successfully.
"HKCR\CLSID\{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\https\0x00000001" => Key deleted successfully.
HKCR\CLSID\{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} => Key not found.
"HKCR\PROTOCOLS\Handler\ms-its50" => Key deleted successfully.
"HKCR\CLSID\{F8606A00-F5CF-11D1-B6BB-0000F80149F6}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\msdaipp\0x00000001" => Key deleted successfully.
HKCR\CLSID\{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} => Key not found.
"HKCR\PROTOCOLS\Handler\sysimage" => Key deleted successfully.
"HKCR\CLSID\{76E67A63-06E9-11D2-A840-006008059382}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\vnd.ms.radio" => Key deleted successfully.
"HKCR\CLSID\{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020}" => Key deleted successfully.
"HKCR\PROTOCOLS\Filter\deflate" => Key deleted successfully.
"HKCR\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311}" => Key deleted successfully.
"HKCR\PROTOCOLS\Filter\gzip" => Key deleted successfully.
HKCR\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311} => Key not found.
"HKCR\PROTOCOLS\Filter\lzdhtml" => Key deleted successfully.
HKCR\CLSID\{8f6b0360-b80d-11d0-a9b3-006097942311} => Key not found.
"HKCR\PROTOCOLS\Filter\text/webviewhtml" => Key deleted successfully.
"HKCR\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0" => Key deleted successfully.
"HKU\.DEFAULT\Software\MozillaPlugins\@adobe.com/Acrobat,version=5.1" => Key deleted successfully.
C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll not found.
C:\Users\Den\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => Moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => Key deleted successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => Key deleted successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
cpuz136 => Service deleted successfully.
U0x03000000 DcArdv; \SystemRoot\System32\Drivers\DcArdv.sys [X] => Error: No automatic fix found for this entry.
U0x03000000 DcCam; \SystemRoot\System32\Drivers\DcCam.sys [X] => Error: No automatic fix found for this entry.
U0x03000000 DcFpoint; \SystemRoot\System32\Drivers\DcFpoint.sys [X] => Error: No automatic fix found for this entry.
U0x03000000 DcLps; \SystemRoot\System32\Drivers\DcLps.sys [X] => Error: No automatic fix found for this entry.
U0x03000000 DcPtp; \SystemRoot\System32\Drivers\DcPtp.sys [X] => Error: No automatic fix found for this entry.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
PCD5SRVC{BD6912E3-AC9D80E8-05040000} => Service deleted successfully.
U0x01000000 WDMFS; \SystemRoot\System32\Drivers\wdmfs.sys [X] => Error: No automatic fix found for this entry.
"C:\Windows\system32\clfs.sys" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\clfsw32.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\dxtmsft.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\dxtrans.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\FlashPlayerApp.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\gdi32.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\ieframe.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\iertutil.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\ieui.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\ieUnatt.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\inetcpl.cpl" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\jscript.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\jscript9.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\jsproxy.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\MpSigStub.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\mrt.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\msfeeds.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\msfeedsbs.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\msfeedssync.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\mshta.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\mshtml.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\mshtmled.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\msxml3.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\ntdll.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\ntkrnlpa.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\ntoskrnl.exe" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\url.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\urlmon.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\vbscript.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\wininet.dll" => ":$CmdTcID" ADS not found.
"C:\Users\Den\Desktop\adwcleaner_4.202.exe" => ":$CmdTcID" ADS not found.
C:\Users\Den\Desktop\adwcleaner_4.202.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Den\Desktop\FRST.exe" => ":$CmdTcID" ADS not found.
"C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe" => ":$CmdTcID" ADS not found.
C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe => ":$CmdZnID" ADS removed successfully.
C:\Users\Den\Documents\View your 2010 prescription claims summary today_.eml => ":OECustomProperty" ADS removed successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-04-26 20:36:11)<=

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx" => File could not move.
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => File could not move.

==== End of Fixlog 20:36:12 ====

# AdwCleaner v4.202 - Logfile created 26/04/2015 at 21:36:23
# Updated 23/04/2015 by Xplode
# Database : 2015-04-23.2 [Server]
# Operating system : Windows Vista ™ Home Basic Service Pack 2 (x86)
# Username : Den - DEN-PC
# Running from : C:\Users\Den\Desktop\adwcleaner_4.202.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Program Files\GreenTree Applications
Folder Found : C:\ProgramData\ParetoLogic
Folder Found : C:\Users\Den\AppData\LocalLow\Toolbar4
Folder Found : C:\Users\Den\AppData\Roaming\DriverCure
Folder Found : C:\Users\Den\AppData\Roaming\ParetoLogic

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKCU\Software\ParetoLogic
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKLM\SOFTWARE\Description
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKLM\SOFTWARE\ParetoLogic

***** [ Web browsers ] *****

-\\ Internet Explorer v9.0.8112.16636

-\\ Google Chrome v

*************************

AdwCleaner[R1].txt - [2479 bytes] - [26/01/2015 16:10:19]
AdwCleaner[R2].txt - [2495 bytes] - [25/04/2015 13:45:27]
AdwCleaner[R4].txt - [1931 bytes] - [26/04/2015 21:36:23]

########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [1990 bytes] ##########


I un-installed the YTD video downloader. But I am wondering what was bad/wrong with it? Then, since I am not sure what is a false positive or not, I did not Clean after running ADWCleaner; please advise. I did test motogp.com and it is still being redirected to whatbrowser.org. Another odd thing started this morning. The icons on the desktop that are shortcuts to websites have changed. They no longer have the curved arrow in the corner. They now have something I do not recognize. I will attach a small screen shot to show you.

 

EDIT: I almost forgot to mention that I think I resolved the email hijacking by going on line to the VERIZON website and logging in and changing my email password. Since I did that the only notices I have gotten are four each of Delivery has been delayed and Delivery has timed out and failed.

 

EDIT 2: I just noticed that the program ADVANCED SYSTEMCARE 8 has disappeared. Was this part of the FRST fix?


Edited by Den., 26 April 2015 - 09:46 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 27 April 2015 - 07:53 AM

AlternateDataStreams: C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe:$CmdTcID
AlternateDataStreams: C:\Users\Den\Downloads\advanced-systemcare-setup (1).exe:$CmdZnID

The only entries I removed from the Advanced systemcare are these.
The setup should not be run from an Alternate Data Stream.
If you wish to use this tool I suggest you re-install the application in the normal manner.
I suspect that COMODO is creating these Alternate Data Streams, which is not normal.
===
 

EDIT: I almost forgot to mention that I think I resolved the email hijacking by going on line to the VERIZON website and logging in and changing my email password. Since I did that the only notices I have gotten are four each of Delivery has been delayed and Delivery has timed out and failed.


I think you will continue to get these messages.
Your e-mail address is being used to spam others and when the address is not good then you get the delivery error.
If it does not stop you will have to get a new e-mail address. Give it to your contacts and, when all have confirmed that they have changed your e-mail, cancel the old one.
===
 

The icons on the desktop that are shortcuts to websites have changed

Right click on the Icons and look at the properties.

What has changed in the PATH?
It may just be that the file extension has been changed. We can possibly correct this.
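An added example of the stream check nasdaq is describing (my own script, not FRST output and not part of nasdaq's instructions): it lists the alternate data streams attached to a file and prints the contents of the Zone.Identifier stream, so you can tell the normal download marker (ZoneId=3 for the Internet zone) from extra streams that a third-party tool has attached. It needs PowerShell 3.0 or later for the -Stream parameter, so it is for a newer machine than the Vista box in this thread; the file path is a placeholder.

```powershell
# Added example, not from FRST or the thread: list every alternate data stream
# (ADS) on a file and show what each holds, so the standard Zone.Identifier
# mark-of-the-web can be told apart from streams a third-party tool attached.
# Needs PowerShell 3.0 or later for the -Stream parameter.
# $Path is a placeholder; point it at the file you want to inspect.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\example-setup.exe"  # placeholder
)

function Get-FileStreams {
    param([Parameter(Mandatory)][string]$FilePath)
    # ':$DATA' is the file's main (unnamed) stream; everything else is an ADS.
    Get-Item -LiteralPath $FilePath -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $FilePath
                Stream   = $_.Stream
                Bytes    = $_.Length
                # Zone.Identifier is written by browsers and mail clients on download;
                # any other named stream deserves a closer look.
                Standard = ($_.Stream -eq 'Zone.Identifier')
            }
        }
}

$streams = @(Get-FileStreams -FilePath $Path)
if ($streams.Count -eq 0) {
    Write-Host "No alternate data streams on $Path"
}
$streams | Format-Table -AutoSize

foreach ($s in $streams) {
    if ($s.Standard) {
        # ZoneId=3 in this stream means "downloaded from the Internet zone".
        Get-Content -LiteralPath $Path -Stream 'Zone.Identifier'
    }
    else {
        Write-Warning "Non-standard stream '$($s.Stream)' ($($s.Bytes) bytes) on $Path"
        # Inspect the first bytes before deciding what wrote it (Windows PowerShell 5.1 syntax):
        #   Get-Content -LiteralPath $Path -Stream $s.Stream -Encoding Byte -TotalCount 32 |
        #       ForEach-Object { '{0:x2}' -f $_ }
        # Only once understood, remove it with:
        #   Remove-Item -LiteralPath $Path -Stream $s.Stream
    }
}
```

Run it as `.\Get-FileStreams.ps1 -Path 'C:\full\path\to\file.exe'`. Removal is left commented out on purpose: a stream named like the ones in the Fixlog above tells you which product wrote it, and that is what you want to know before deleting it.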

#6 Den.

Den.
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 27 April 2015 - 07:55 PM

You wrote:

I think you will continue to get these messages.
Your e-mail address is being used to spam others and when the address is not good then you get the delivery error.
If it does not stop you will have to get a new e-mail address. Give it to your contacts and, when all have confirmed that they have changed your e-mail, cancel the old one.

 

I haven't received a failure message for 20 hours. Am I to understand that the emails are NOT being sent from my computer and that the emails are being sent from another computer and they're using my email address?

 

 

You wrote:

Right click on the Icons and look at the properties.
What has changed in the PATH?
It may just be that the file extension has been changed. We can possibly correct this.

 

In Properties/General tab the Type of file is being shown as Internet Shortcut (.url)

 

 

This question wasn't addressed:

I un-installed the YTD video downloader. But I am wondering what was bad/wrong with it?

 

 

Also, I still have this concern ...

"since I am not sure what is a false positive or not, I did not Clean after running ADWCleaner; please advise."

 

 

... and this problem:

"I did test motogp.com (a few times) and it is still being redirected to whatbrowser.org."



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 28 April 2015 - 09:55 AM

Sorry I missed your note.

Yes run the AdwCleaner and clean all that is identified.

How is the computer running now?

#8 Den.

Den.
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 28 April 2015 - 11:51 AM

I ran AdwCleaner and cleaned everything that was identified. The desktop icons are still messed up and still missing the arrow as pictured in an earlier post. And the motogp.com website is still being redirected to whatbrowser.org.

 

 

These topics from my last post haven't been addressed:

 

You wrote:

I think you will continue to get these messages.
Your e-mail address is being used to spam others and when the address is not good then you get the delivery error.
If it does not stop you will have to get a new e-mail address. Give it to your contacts and, when all have confirmed that they have changed your e-mail, cancel the old one.

 

I haven't received a failure message for 20 hours. Am I to understand that the emails are NOT being sent from my computer and that the emails are being sent from another computer and they're using my email address?

 

 

You wrote:

Right click on the Icons and look at the properties.
What has changed in the PATH?
It may just be that the file extension has been changed. We can possibly correct this.

 

In Properties/General tab the Type of file is being shown as Internet Shortcut (.url)

 

 

This question wasn't addressed:

I un-installed the YTD video downloader. But I am wondering what was bad/wrong with it?


Edited by Den., 28 April 2015 - 11:52 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 29 April 2015 - 07:20 AM

And the motogp.com website is still being redirected to whatbrowser.org.


Is this on all the browsers?

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon located at the top right of Google Chrome.
Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click the "Reset browser settings" button.
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===


I haven't received a failure message for 20 hours. Am I to understand that the emails are NOT being sent from my computer and that the emails are being sent from another computer and they're using my email address?

Yes, messages are being sent from another computer using your e-mail address.

If it has stopped, then just keep an eye on future notices.
===

In Properties/General tab the Type of file is being shown as Internet Shortcut (.url)


Rebuild The Icon Cache
http://www.thewindowsclub.com/rebuild-the-icon-cache-windows

===

I un-installed the YTD video downloader. But I am wondering what was bad/wrong with it?


It's considered Adware. You can reinstall it after all is well.
Decide then if you want to keep it. Your call.
===

Keep me posted.
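An added example (my own script, not nasdaq's procedure and not from the thread) of the shortcut check nasdaq asked for in #5, done for every icon at once instead of right-clicking each one: it lists each .url and .lnk shortcut on the desktop with the target it actually points to, and flags targets that are not a plain http(s) address or a local program path, or program shortcuts that have had a web address appended to their arguments. The folder defaults to the current user's desktop; it needs PowerShell 3.0 or later.

```powershell
# Added example, not nasdaq's own procedure: list every .url and .lnk shortcut
# on the desktop with the target it really points to, i.e. the "look at the
# properties / what has changed in the path" check done for all icons at once.
# Needs PowerShell 3.0 or later (-in operator, Get-ChildItem -File); the folder
# defaults to the current user's desktop.
function Get-DesktopShortcutTargets {
    param([string]$Folder = [Environment]::GetFolderPath('Desktop'))

    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $_.Extension -in '.url', '.lnk' } |
        ForEach-Object {
            $file = $_
            $arguments = ''
            if ($file.Extension -eq '.url') {
                # .url files are INI text; the target is the URL= line under [InternetShortcut]
                $line = Get-Content -LiteralPath $file.FullName |
                    Where-Object { $_ -match '^URL=' } |
                    Select-Object -First 1
                $target = if ($line) { $line.Substring(4) } else { '<no URL= line>' }
            }
            else {
                # .lnk files are binary; read them through the WScript.Shell COM object
                $lnk = $shell.CreateShortcut($file.FullName)
                $target = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            [pscustomobject]@{
                Name      = $file.Name
                Type      = $file.Extension
                Target    = $target
                Arguments = $arguments
                # Flag anything that is not a plain http(s) URL or a local path, and any
                # program shortcut that has had a web address appended to its arguments.
                ReviewMe  = (-not ($target -match '^(https?://|[A-Za-z]:\\)')) -or
                            ($arguments -match 'https?://')
            }
        }
}

Get-DesktopShortcutTargets | Sort-Object ReviewMe -Descending | Format-Table -AutoSize
```

Rows with ReviewMe set to True are the ones to open in Properties by hand; a missing overlay arrow alone, as in this thread, shows up as nothing unusual here, which points back at the icon cache rather than at the shortcut targets.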

#10 Den.

Den.
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 02 May 2015 - 09:39 PM

Thanks for your continued help. As of yesterday, Saturday 05-01, I am able to access motogp.com website. Rebuilding the Icon Cache didn't work but as the result of a Google search I found a site with a workaround for the shortcut overlay problem  http://www.sevenforums.com/tutorials/3606-shortcut-arrow-change-remove-restore.html  .

 

But, starting this morning my computer started slowing down to a crawl. Looking at the Processes tab in the Task Manager I found that hundreds of instances of javaws.exe have started or are trying to start. I am attaching a screen capture of the tab in Task Manager. Please advise.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 03 May 2015 - 07:41 AM

Do me a favor.
Disable Comodo and check whether these javaws.exe processes are still running.

Do not forget to reset Comodo.

#12 Den.

Den.
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 05 May 2015 - 03:47 PM

Do me a favor.
Disable Comodo and check whether these javaws.exe processes are still running.

Do not forget to reset Comodo.

On May 4, I got a pop-up notification from my system tray that an update was available for JAVA. I performed the update. During the update old versions of JAVA were uninstalled. Since then the system slowdown I described earlier hasn't happened again. I didn't ever get to try disabling COMODO.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 06 May 2015 - 07:14 AM


Download and run the Java uninstaller.

Instructions on this page.

https://www.java.com/en/download/faq/uninstaller_toolinfo.xml

After the restart of the computer DO NOT re-install it.

How is the computer running?

#14 Den.

Den.
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 06 May 2015 - 07:34 PM

I ran the uninstaller. The instructions stated that this would remove all older versions that it finds but not the current version. It found JAVA version 8 update 45. And it reported no out of date versions found.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:47 AM

Posted 07 May 2015 - 08:26 AM

Looks like you have the latest version.

How is the computer running?



