pop ups "from" google in Firefox [Solved]


This topic is locked. 30 replies to this topic.

#1 1695814 (Authentic Member, 84 posts)

Posted 12 January 2014 - 09:08 PM

On this computer, when using Firefox & googling something (anything), a bunch of additional Firefox windows would pop up.

I ran Malwarebytes Anti-Malware & it found a whole bunch of stuff to remove.

I then ran an Avast antivirus scan & it, too, found a whole bunch of stuff to remove. It suggested a boot time scan, which I ran, and, again, it found a whole bunch of stuff to remove.

The symptoms still existed, so I ran everything again. This time MBAM only found one item, but Avast found a whole bunch again. The boot time scan this time didn't find anything.

At this point I haven't rerun anything. I'd rather skip straight to the experts at this point to make sure I get this cleaned up correctly.

Thank you for your help.

Here is the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:54:51 PM, on 1/12/2014
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16526)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet 6700\Bin\HPNetworkCommunicator.exe
C:\Program Files\BOINC\boinc.exe
C:\Users\Kati\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPToolbar.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPToolbar.dll
O3 - Toolbar: avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [HP Officejet 6700 (NET)] "C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe" -deviceID "CN25J3G0QN05RQ:NW" -scfn "HP Officejet 6700 (NET)" -AutoStart 1
O4 - HKCU\..\Run: [ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon] "C:\Windows\system32\Rundll32.exe" "C:\Users\Kati\AppData\Roaming\ValueApps\CH\TBVerifier.dll",RunConduitFloatingPlugin lcnnhcneegeeojhgpfijnlnocjdmlaon
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Install LastPass FF RunOnce.lnk = C:\Program Files\Common Files\lpuninstall.exe
O4 - Global Startup: Install LastPass IE RunOnce.lnk = C:\Program Files\Common Files\lpuninstall.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Users\Kati\AppData\LocalLow\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Kati\AppData\LocalLow\LastPass\context.html?cmd=fillforms
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll
O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0B6413-E9C5-4947-B6D8-714D4C14D320}: NameServer = 8.8.8.8,8.8.4.4
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

--
End of file - 6780 bytes

Edited by 1695814, 12 January 2014 - 09:09 PM.



#2 ken545 (Forum God, Classroom Teacher, MVP, 23,200 posts)
Interests: Fighting Malware and cooking some great Italian and TexMex food

Posted 13 January 2014 - 03:48 PM

Welcome!

I am going to ask that you do not install or uninstall any software programs, or run any other scanners to remove malware, until we are done; it would just make things more confusing. Let's look a bit deeper.

 

Download DDS from one of the links below to your desktop

  • Double-click the tool to run it.
  • A black screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply
 
 

Want to help others, Join our Malware Removal Classroom HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.


#3 1695814 (Authentic Member, 84 posts)

Posted 13 January 2014 - 07:42 PM

Thank you for your help / reply.

fwiw, while trying to attach aswMBR.txt I had one of those pop-ups in FF. Avast made a signal "Threat has been detected." & blocked the page from loading. I didn't catch the address of the page before I instinctively closed it, though.

edit: just now (2 hours later), while trying to change something in my profile, a new tab popped up. It seemed to cycle through a bunch of different addresses. I caught one of them before I closed the tab (I'll break this apart so that it's not a live link):

http:// supersavings.getmy-prizequickys. com/FLUflowredirectUS.html

Here are the items you requested:

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16526
Run by Kati at 19:16:28 on 2014-01-13
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2038.904 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\rpcnetp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet 6700\Bin\HPNetworkCommunicator.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [HP Officejet 6700 (NET)] "c:\program files\hp\hp officejet 6700\bin\ScanToPCActivationApp.exe" -deviceID "CN25J3G0QN05RQ:NW" -scfn "HP Officejet 6700 (NET)" -AutoStart 1
uRun: [ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon] "c:\windows\system32\rundll32.exe" "c:\users\kati\appdata\roaming\valueapps\ch\TBVerifier.dll",RunConduitFloatingPlugin lcnnhcneegeeojhgpfijnlnocjdmlaon
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\users\kati\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\instal~2.lnk - c:\program files\common files\lpuninstall.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\instal~1.lnk - c:\program files\common files\lpuninstall.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: LastPass - c:\users\kati\appdata\locallow\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - c:\users\kati\appdata\locallow\lastpass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1 205.171.2.25
TCP: Interfaces\{80076C00-EDAA-4215-96BE-0E5C5DDC6CF6} : DHCPNameServer = 192.168.0.1 205.171.2.25
TCP: Interfaces\{DD0B6413-E9C5-4947-B6D8-714D4C14D320} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{DD0B6413-E9C5-4947-B6D8-714D4C14D320} : DHCPNameServer = 192.168.0.1 205.171.2.25
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kati\appdata\roaming\mozilla\firefox\profiles\j8w3blzc.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-11-27 09:22; 509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com; c:\users\kati\appdata\roaming\mozilla\firefox\profiles\j8w3blzc.default\extensions\509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-1-11 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-1-11 180248]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-1-11 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-1-11 410528]
R1 MpKsl47bcc495;MpKsl47bcc495;c:\programdata\microsoft\microsoft antimalware\definition updates\{473b4182-bbb4-4481-8867-ce469a58d008}\MpKsl47bcc495.sys [2014-1-13 40392]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-1-11 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-1-11 50344]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 104768]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2014-1-11 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2014-1-11 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2014-1-11 171416]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-14 88192]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
RUnknown rpcnetp;rpcnetp; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-01-13 07:20:40    40392    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{473b4182-bbb4-4481-8867-ce469a58d008}\MpKsl47bcc495.sys
2014-01-13 03:01:16    7760024    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{473b4182-bbb4-4481-8867-ce469a58d008}\mpengine.dll
2014-01-12 03:52:32    --------    d-----w-    c:\windows\system32\appmgmt
2014-01-12 03:44:06    18968    ----a-w-    c:\windows\system32\sdnclean.exe
2014-01-12 03:43:53    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2014-01-12 03:43:35    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2014-01-11 18:13:41    --------    d-----w-    c:\windows\Migration
2014-01-11 18:08:38    --------    d-----w-    c:\users\kati\appdata\roaming\AVAST Software
2014-01-11 18:02:04    775952    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-01-11 18:02:04    180248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-01-11 18:02:03    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-01-11 18:02:02    67824    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-01-11 18:01:41    43152    ----a-w-    c:\windows\avastSS.scr
2014-01-11 16:50:09    7760024    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-01-11 16:37:53    17408    ----a-w-    c:\windows\system32\rpcnetp.exe
2014-01-11 03:32:14    --------    d-----w-    c:\programdata\Licenses
2014-01-11 03:32:00    129872    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
2014-01-11 03:32:00    1070352    ----a-w-    c:\windows\system32\MSCOMCTL.OCX
2014-01-11 03:31:54    --------    d-----w-    c:\program files\SpywareBlaster
2014-01-11 03:15:42    --------    d-----w-    c:\users\kati\appdata\roaming\Malwarebytes
2014-01-11 03:14:26    --------    d-----w-    c:\programdata\Malwarebytes
2014-01-11 03:14:22    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-11 03:14:22    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-11 03:05:03    --------    d-----w-    c:\program files\dealpaeaaukk
2014-01-11 02:53:39    --------    d-----w-    c:\program files\saviunGotoyouu
2014-01-11 02:33:45    --------    d-----w-    c:\users\kati\appdata\local\SearchProtect
2014-01-11 02:33:01    --------    d-----w-    c:\users\kati\appdata\local\Conduit
2014-01-11 02:33:01    --------    d-----w-    c:\program files\Conduit
2014-01-11 02:32:35    --------    d-----w-    c:\users\kati\appdata\roaming\ValueApps
2014-01-06 02:09:39    17408    ----a-w-    c:\windows\system32\rpcnetp.dll
2014-01-05 16:14:42    --------    d-----w-    c:\programdata\saviunGotoyouu
2014-01-05 16:14:40    --------    d-----w-    c:\programdata\nlhognilkdpjokfgaleihbdfbnpccppd
2014-01-05 16:14:33    --------    d-----w-    c:\programdata\68e13f3284337b31
2014-01-05 16:14:10    --------    d-----w-    c:\programdata\dealpaeaaukk
.
==================== Find3M  ====================
.
2014-01-14 01:06:01    43008    ----a-w-    c:\windows\system32\agremove.exe
2013-12-10 22:23:05    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-10 22:23:05    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-19 10:21:30    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-14 22:50:50    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2013-11-14 22:42:41    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-11-14 22:42:32    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-11-14 22:35:52    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-10-30 02:13:01    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12:54    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-10-30 01:43:04    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43:06    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35:24    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-10-22 07:19:59    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-08-09 02:09:46    11019776    ----a-w-    c:\program files\common files\lpuninstall.exe
.
============= FINISH: 19:17:26.71 ===============

Here is the aswMBR.txt:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-01-13 19:26:22
-----------------------------
19:26:22.829    OS Version: Windows 6.0.6002 Service Pack 2
19:26:22.830    Number of processors: 2 586 0x1706
19:26:22.831    ComputerName: GEORGE  UserName: Kati
19:26:24.749    Initialize success
19:26:29.404    AVAST engine defs: 14011300
19:28:21.365    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
19:28:21.369    Disk 0 Vendor: Hitachi_HTS542580K9SA00 BBBOC31P Size: 76319MB BusType: 3
19:28:21.708    Disk 0 MBR read successfully
19:28:21.716    Disk 0 MBR scan
19:28:21.726    Disk 0 Windows VISTA default MBR code
19:28:21.735    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        76316 MB offset 63
19:28:21.752    Disk 0 scanning sectors +156296385
19:28:22.194    Disk 0 scanning C:\Windows\system32\drivers
19:28:39.111    Service scanning
19:28:52.850    Service MpKsl47bcc495 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{473B4182-BBB4-4481-8867-CE469A58D008}\MpKsl47bcc495.sys **LOCKED** 32
19:29:13.067    Modules scanning
19:29:38.391    Disk 0 trace - called modules:
19:29:38.421    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys tcpip.sys NETIO.SYS
19:29:38.761    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84809148]
19:29:38.768    3 CLASSPNP.SYS[87ba18b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x846508a0]
19:29:40.119    AVAST engine scan C:\Windows
19:29:42.751    AVAST engine scan C:\Windows\system32
19:33:06.098    AVAST engine scan C:\Windows\system32\drivers
19:33:20.130    AVAST engine scan C:\Users\Kati
19:34:03.070    Disk 0 MBR has been saved successfully to "C:\Users\Kati\Desktop\MBR.dat"
19:34:03.154    The log file has been saved successfully to "C:\Users\Kati\Desktop\aswMBR.txt"

 

Edited by 1695814, 13 January 2014 - 09:46 PM.
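As an added example (not part of this thread and not code from HijackThis, DDS, GooredFix or any other tool named here), the script below runs the kind of checks the helpers in this thread perform by eye over a posted log: an autorun entry that has rundll32 load a DLL out of a user's AppData tree (the ConduitFloatingPlugin line), a DDS service or driver entry whose image file could not be found (the "[x]" on rpcnetp), a recently created directory under Program Files or ProgramData with a single-token, random-looking name (dealpaeaaukk, 68e13f3284337b31), and a Firefox extension ID that is not from a recognised publisher. The sample lines are copied from the logs in this thread; the allowlists of known product directories and extension IDs are constructed for the example and are assumptions, as are the rule names.

```python
"""Added example: triage helper for HijackThis/DDS/GooredFix-style log lines.

Not part of this thread or of any tool named in it.  Reads the text of a
posted log and returns (rule, line) findings for the entry types the
helpers in this thread single out by eye.
"""
import re

# Constructed sample, modelled on lines from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon] "C:\Windows\system32\Rundll32.exe" "C:\Users\Kati\AppData\Roaming\ValueApps\CH\TBVerifier.dll",RunConduitFloatingPlugin lcnnhcneegeeojhgpfijnlnocjdmlaon
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-1-11 67824]
RUnknown rpcnetp;rpcnetp; [x]
2014-01-11 03:05:03    --------    d-----w-    c:\program files\dealpaeaaukk
2014-01-11 03:14:22    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-05 16:14:33    --------    d-----w-    c:\programdata\68e13f3284337b31
509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com [16:15 05/01/2014]
support@lastpass.com [18:32 24/11/2013]
"""

# Constructed analyst allowlists (assumptions for this example): product
# directories and Firefox extension IDs already identified as legitimate.
KNOWN_DIRS = {"malwarebytes", "spywareblaster"}
KNOWN_EXTENSIONS = {"support@lastpass.com", "wrc@avast.com"}

# HijackThis "O4 - HK..\..\Run:" lines and DDS "uRun:" / "mRun:" lines.
RUN_LINE = re.compile(r"^(?:O4 - .*?\\Run|[um]Run):", re.I)
# A module living somewhere under a user profile's AppData tree.
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# DDS services/drivers section: "<state> <name>;<display>;<image> [...]";
# DDS writes "[x]" in place of the image details when the file is missing.
MISSING_IMAGE = re.compile(r"^[RS]\w*\s+[^;]+;[^;]*;\s*\[x\]\s*$", re.I)
# DDS "Created Last 30" directory entries (attribute string starts with "d").
CREATED_DIR = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+d\S{7}\s+(?P<path>.+)$")
PROGRAM_ROOT = re.compile(
    r"\\(?:program files(?: \(x86\))?|programdata)\\(?P<leaf>[^\\]+)$", re.I)
# GooredFix extension listing: "<id> [HH:MM dd/mm/yyyy]".
EXT_LINE = re.compile(
    r"^(?P<id>[^\s\[]+@[^\s\[]+|\{[0-9a-f-]{36}\})\s+\[\d\d:\d\d \d\d/\d\d/\d{4}\]$",
    re.I)


def triage(log_text, known_dirs=KNOWN_DIRS, known_extensions=KNOWN_EXTENSIONS):
    """Return a list of (rule, line) pairs in log order; an empty list is clean."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. Autorun entry that has rundll32 load a DLL from a user profile:
        #    the pattern behind the ConduitFloatingPlugin entry in the thread.
        if RUN_LINE.match(line) and "rundll32" in line.lower() \
                and USER_PROFILE.search(line):
            findings.append(("run-key-rundll32-userprofile", line))
            continue
        # 2. Service/driver whose image file DDS could not locate ("[x]").
        if MISSING_IMAGE.match(line):
            findings.append(("service-image-missing", line))
            continue
        # 3. Recently created directory under Program Files / ProgramData whose
        #    name is one alphanumeric token of 12+ chars and not allowlisted.
        m = CREATED_DIR.match(line)
        if m:
            root = PROGRAM_ROOT.search(m.group("path").strip())
            if root:
                leaf = root.group("leaf")
                if re.fullmatch(r"[A-Za-z0-9]{12,}", leaf) \
                        and leaf.lower() not in known_dirs:
                    findings.append(("suspicious-new-dir", line))
            continue
        # 4. Firefox extension ID that is not from a recognised publisher.
        m = EXT_LINE.match(line)
        if m and m.group("id").lower() not in known_extensions:
            findings.append(("unknown-firefox-extension", line))
    return findings


def rules_hit(findings):
    """Distinct rule names, sorted, for a one-line summary of a log."""
    return sorted({rule for rule, _ in findings})


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

The output is a review queue, not a verdict: rule 3 in particular would flag a legitimate product directory with a single-word name (SpywareBlaster, from the DDS log above) if it were not on the allowlist, so every hit still needs the analyst's confirmation, which is exactly what ken545 does next by asking about the boinc directory.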


#4 ken545 (Forum God, Classroom Teacher, MVP, 23,200 posts)

Posted 13 January 2014 - 11:43 PM

Hi,

Looks like you got a lot of junk installed. Does this computer belong to the university?

c:\program files\boinc    <-- Are you aware of this program?




#5 1695814 (Authentic Member, 84 posts)

Posted 14 January 2014 - 12:13 AM

no, this is a "personal" computer.

yes, boinc is the software used by world community grid (among others) for grid computing.


Edited by 1695814, 14 January 2014 - 12:22 AM.


#6 ken545 (Forum God, Classroom Teacher, MVP, 23,200 posts)

Posted 14 January 2014 - 12:56 AM

Run these in order please and post the logs for each one; if they don't all fit into one reply then take as many replies as you need to post them all. I prefer you copy and paste the logs in lieu of attaching them.

 

Please download GooredFix from one of the locations below and save it to your Desktop
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista, Win 7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

AdwCleaner

Download AdwCleaner to your desktop.

Right click and select "Run as Administrator".

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 

 




#7 1695814 (Authentic Member, 84 posts)

Posted 14 January 2014 - 08:11 PM

Here is the GooredFix log:

 

GooredFix by jpshortstuff (03.07.10.1)
Log created at 07:41 on 14/01/2014 (Kati)
Firefox version 26.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

C:\Users\Kati\Application Data\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions\
509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com [16:15 05/01/2014]
9.hpeuy@yooe-rioe.co.uk [16:15 05/01/2014]
rear.3r@yafaay.net [16:15 05/01/2014]
support@lastpass.com [18:32 24/11/2013]
{94cd2cc3-083f-49ba-a218-4cda4b4829fd} [02:32 11/01/2014]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:29 08/08/2013]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [18:01 11/01/2014]

-=E.O.F=-

AdwCleaner gave me two log files. This is AdwCleaner[R0]:

# AdwCleaner v3.017 - Report created 14/01/2014 at 07:44:08
# Updated 12/01/2014 by Xplode
# Operating System : Windows Vista ™ Business Service Pack 2 (32 bits)
# Username : Kati - GEORGE
# Running from : C:\Users\Kati\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Program Files\Mozilla Firefox\searchplugins\Web Search.xml
File Found : C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\searchplugins\Web Search.xml
File Found : C:\Windows\System32\Tasks\Browser Updater
File Found : C:\Windows\System32\Tasks\ProtectedSearch
Folder Found : C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\Extensions\{94CD2CC3-083F-49BA-A218-4CDA4B4829FD}
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\MyPC Backup
Folder Found C:\Program Files\optimizer pro
Folder Found C:\Users\Kati\AppData\Local\Conduit
Folder Found C:\Users\Kati\AppData\Local\Searchprotect
Folder Found C:\Users\Kati\AppData\Local\SwvUpdater
Folder Found C:\Users\Kati\AppData\Roaming\ValueApps

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\installedbrowserextensions
Key Found : HKCU\Software\InstalledThirdPartyPrograms
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Found : HKCU\Software\simplytech
Key Found : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322122257}
Key Found : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366126657}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Found : HKLM\SOFTWARE\Classes\speedupmypc
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Found : HKLM\Software\InstalledThirdPartyPrograms
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFD485F0-96BD-47CD-BB6D-CD7DDA95F102}
Key Found : HKLM\Software\SearchProtect
Key Found : HKLM\Software\Uniblue
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Default_Page_URL] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Default_Page_URL] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Search [Search Bar] - hxxp://search.certified-toolbar.com?si=75087&tid=8679&ver=5.1&ts=1385320814041&tguid=75087-8679-1385320814041-8D8D8B0B12CAF3B71EBCE8F6F041EC3D&st=chrome&q=
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Search [Search Page] - hxxp://search.certified-toolbar.com?si=75087&tid=8679&ver=5.1&ts=1385320814041&tguid=75087-8679-1385320814041-8D8D8B0B12CAF3B71EBCE8F6F041EC3D&st=chrome&q=
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Search [Start Page] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Search [Start Default_Page_URL] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar] - hxxp://search.certified-toolbar.com?si=75087&tid=8679&ver=5.1&ts=1385320814041&tguid=75087-8679-1385320814041-8D8D8B0B12CAF3B71EBCE8F6F041EC3D&st=chrome&q=
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page] - hxxp://search.certified-toolbar.com?si=75087&tid=8679&ver=5.1&ts=1385320814041&tguid=75087-8679-1385320814041-8D8D8B0B12CAF3B71EBCE8F6F041EC3D&st=chrome&q=
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Start Page] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Start Default_Page_URL] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D
Setting Found : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [(Default)] - hxxp://search.certified-toolbar.com?si=75087&st=bs&tid=8679&ver=5.1&ts=1385320814041&tguid=75087-8679-1385320814041-8D8D8B0B12CAF3B71EBCE8F6F041EC3D&q=%s
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)] - hxxp://search.certified-toolbar.com?si=75087&st=bs&tid=8679&ver=5.1&ts=1385320814041&tguid=75087-8679-1385320814041-8D8D8B0B12CAF3B71EBCE8F6F041EC3D&q=%s

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\prefs.js ]

Line Found : user_pref("browser.newtabpage.pinned", "[{\"url\":\"hxxps://mail.google.com/mail/u/0/?shva=1#inbox?compose=1414759eee96fa74\",\"title\":\"Inbox - kati.uimari@gmail.com - Gmail\"},{\"url\":\"hxxp://www[...]
Line Found : user_pref("extensions.0qar.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var d=th[...]
Line Found : user_pref("extensions.crossrider.bic", "1428b62e1b1d4c1942070696a4aeb9da");
Line Found : user_pref("extensions.g3dHsVXsT.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var[...]
Line Found : user_pref("wtb8679.homepage", "hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D");
Line Found : user_pref("wtb8679.newtab", "hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Kati\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [7582 octets] - [14/01/2014 07:44:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [7642 octets] ##########

This is AdwCleaner[S0]:

# AdwCleaner v3.017 - Report created 14/01/2014 at 07:45:08
# Updated 12/01/2014 by Xplode
# Operating System : Windows Vista ™ Business Service Pack 2 (32 bits)
# Username : Kati - GEORGE
# Running from : C:\Users\Kati\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\MyPC Backup
Folder Deleted : C:\Program Files\optimizer pro
Folder Deleted : C:\Users\Kati\AppData\Local\Conduit
Folder Deleted : C:\Users\Kati\AppData\Local\Searchprotect
Folder Deleted : C:\Users\Kati\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\Kati\AppData\Roaming\ValueApps
Folder Deleted : C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\Extensions\{94CD2CC3-083F-49BA-A218-4CDA4B4829FD}
File Deleted : C:\END
File Deleted : C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\searchplugins\Web Search.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\Web Search.xml
File Deleted : C:\Windows\System32\Tasks\Browser Updater
File Deleted : C:\Windows\System32\Tasks\ProtectedSearch

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322122257}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366126657}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFD485F0-96BD-47CD-BB6D-CD7DDA95F102}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\installedbrowserextensions
Key Deleted : HKCU\Software\InstalledThirdPartyPrograms
Key Deleted : HKCU\Software\simplytech
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\InstalledThirdPartyPrograms
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Default_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Default_Page_URL]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Search Bar]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Start Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Start Default_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Start Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Start Default_Page_URL]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [(Default)]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)]

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\prefs.js ]

Line Deleted : user_pref("browser.newtabpage.pinned", "[{\"url\":\"hxxps://mail.google.com/mail/u/0/?shva=1#inbox?compose=1414759eee96fa74\",\"title\":\"Inbox - kati.uimari@gmail.com - Gmail\"},{\"url\":\"hxxp://www[...]
Line Deleted : user_pref("extensions.0qar.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var d=th[...]
Line Deleted : user_pref("extensions.crossrider.bic", "1428b62e1b1d4c1942070696a4aeb9da");
Line Deleted : user_pref("extensions.g3dHsVXsT.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};var _wlst={lsKey:\"ssjsmn2ja8ddw2a\",get:function(b,a){if(3<b)return a(!1);var[...]
Line Deleted : user_pref("wtb8679.homepage", "hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D");
Line Deleted : user_pref("wtb8679.newtab", "hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385565541220&tguid=75087-8679-1385565541220-8D8D8B0B12CAF3B71EBCE8F6F041EC3D");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Kati\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [7722 octets] - [14/01/2014 07:44:08]
AdwCleaner[S0].txt - [5767 octets] - [14/01/2014 07:45:08]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5827 octets] ##########

Finally, here is the JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows Vista ™ Business x86
Ran by Kati on Tue 01/14/2014 at  8:35:26.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\plus-hd-1.3



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [Folder] C:\Users\Kati\AppData\Roaming\mozilla\firefox\profiles\j8w3blzc.default\extensions\509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com
Emptied folder: C:\Users\Kati\AppData\Roaming\mozilla\firefox\profiles\j8w3blzc.default\minidumps [12 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 01/14/2014 at  8:38:36.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you,

###

#8 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,200 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 14 January 2014 - 10:52 PM

Hi,

Lots of junk removed. Just a heads up, but whenever you download and install a program from the internet, or even when you do an update for an existing program, you need to take the time and be aware of what you're installing. Not all, but a lot of programs, sometimes even legit ones, have add-ons, so before clicking NEXT during the install read what's going on. A good example is updating Java: if a person does not look and just accepts it all, it will install the ASK Toolbar during the install, and this can be prevented by unchecking it... so read, read, read what you're installing.

I would like you to run Malwarebytes. I see it on your system, so open it, go to the Update tab and check for updates, then run the Quick Scan, check whatever it finds and select Remove Selected, then post the log please.

Then run this scanner and post the log; if there are still items to be removed, we can use this tool to remove them.

OTL by OldTimer
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.


Just a reminder that threads will be closed if no reply in 3 days.


#9 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 15 January 2014 - 08:02 PM

Here's the mbam log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.15.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kati :: GEORGE [administrator]

1/15/2014 8:01:36 PM
mbam-log-2014-01-15 (20-01-36).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 338593
Time elapsed: 2 hour(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by 1695814, 15 January 2014 - 11:31 PM.


#10 1695814

1695814

    Authentic Member

  • Authentic Member
  • PipPip
  • 84 posts

Posted 15 January 2014 - 08:03 PM

Here's OTL.Txt:

OTL logfile created on: 1/15/2014 7:38:00 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Kati\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.92% Memory free
4.21 Gb Paging File | 3.09 Gb Available in Paging File | 73.42% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 11.06 Gb Free Space | 14.84% Space Free | Partition Type: NTFS
 
Computer Name: GEORGE | User Name: Kati | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Kati\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\HP Officejet 6700\Bin\HPNetworkCommunicator.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\BOINC\boincmgr.exe (World Community Grid)
PRC - C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
PRC - C:\Program Files\BOINC\boinc.exe (World Community Grid)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl ()
MOD - C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl ()
MOD - C:\Program Files\BOINC\zlib1.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (SDWSCService) -- C:\Program Files\Spybot File not found
SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (NETw5v32) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (NETw3v32) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (GTIPCI21) -- C:\Windows\System32\drivers\gtipci21.sys (Texas Instruments)
DRV - (tifm21) -- C:\Windows\System32\drivers\tifm21.sys (Texas Instruments)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2A CB 03 81 75 0E CF 01  [binary data]
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\..\SearchScopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2013/08/07 21:05:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kati\AppData\Roaming\Mozilla\Extensions
[2014/01/14 08:38:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions
[2014/01/05 10:15:32 | 000,000,000 | ---D | M] (dealpaeaaukk) -- C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions\9.hpeuy@yooe-rioe.co.uk
[2014/01/05 10:15:31 | 000,000,000 | ---D | M] (saviunGotoyouu) -- C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions\rear.3r@yafaay.net
[2013/11/24 12:32:57 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions\support@lastpass.com
[2013/12/20 11:58:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/12/20 11:59:36 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - Extension: avast! Online Security = C:\Users\Kati\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2011.70_0\
CHR - Extension: Google Wallet = C:\Users\Kati\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0\
 
O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (LastPass Vault) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [boincmgr] C:\Program Files\BOINC\boincmgr.exe (World Community Grid)
O4 - HKLM..\Run: [boinctray] C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent File not found
O4 - HKU\S-1-5-21-2483566027-3356467828-3086520822-1000..\Run: [HP Officejet 6700 (NET)] C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Users\Kati\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: LastPass - file://C:\Users\Kati\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Kati\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105 File not found
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{80076C00-EDAA-4215-96BE-0E5C5DDC6CF6}: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DD0B6413-E9C5-4947-B6D8-714D4C14D320}: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DD0B6413-E9C5-4947-B6D8-714D4C14D320}: NameServer = 8.8.8.8,8.8.4.4
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
O24 - Desktop WallPaper: C:\Users\Kati\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kati\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{ee927a7e-3250-11e3-ac07-00e0b8cdabba}\Shell - "" = AutoRun
O33 - MountPoints2\{ee927a7e-3250-11e3-ac07-00e0b8cdabba}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/01/15 08:02:54 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kati\Desktop\OTL.exe
[2014/01/14 20:02:36 | 091,412,976 | ---- | C] (AVAST Software) -- C:\Users\Kati\Desktop\avast_free_antivirus_setup.exe
[2014/01/14 08:35:19 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/01/14 07:42:16 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/14 07:41:39 | 000,000,000 | ---D | C] -- C:\Users\Kati\Desktop\GooredFix Backups
[2014/01/14 07:40:22 | 001,037,068 | ---- | C] (Thisisu) -- C:\Users\Kati\Desktop\JRT.exe
[2014/01/14 07:38:24 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Kati\Desktop\GooredFix.exe
[2014/01/12 16:57:55 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Kati\Desktop\HiJackThis.exe
[2014/01/11 21:52:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2014/01/11 21:44:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2014/01/11 21:44:06 | 000,018,968 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2014/01/11 21:43:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2014/01/11 21:43:35 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2014/01/11 12:13:41 | 000,000,000 | ---D | C] -- C:\Windows\Migration
[2014/01/11 12:08:38 | 000,000,000 | ---D | C] -- C:\Users\Kati\AppData\Roaming\AVAST Software
[2014/01/11 12:01:41 | 000,043,152 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2014/01/10 21:32:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Licenses
[2014/01/10 21:32:00 | 001,070,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSCOMCTL.OCX
[2014/01/10 21:32:00 | 000,129,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSSTDFMT.DLL
[2014/01/10 21:32:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
[2014/01/10 21:31:54 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2014/01/10 21:15:42 | 000,000,000 | ---D | C] -- C:\Users\Kati\AppData\Roaming\Malwarebytes
[2014/01/10 21:14:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/01/10 21:14:22 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2014/01/10 21:14:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2014/01/10 21:05:03 | 000,000,000 | ---D | C] -- C:\Program Files\dealpaeaaukk
[2014/01/10 20:53:39 | 000,000,000 | ---D | C] -- C:\Program Files\saviunGotoyouu
[2014/01/05 10:14:42 | 000,000,000 | ---D | C] -- C:\ProgramData\saviunGotoyouu
[2014/01/05 10:14:40 | 000,000,000 | ---D | C] -- C:\ProgramData\nlhognilkdpjokfgaleihbdfbnpccppd
[2014/01/05 10:14:33 | 000,000,000 | ---D | C] -- C:\ProgramData\68e13f3284337b31
[2014/01/05 10:14:10 | 000,000,000 | ---D | C] -- C:\ProgramData\dealpaeaaukk
[2013/12/20 11:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/08/08 20:09:39 | 011,019,776 | ---- | C] (LastPass) -- C:\Program Files\Common Files\lpuninstall.exe
 
========== Files - Modified Within 30 Days ==========
 
[2014/01/15 19:40:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/15 19:09:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/01/15 17:51:01 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/01/15 17:51:01 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/01/15 08:03:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kati\Desktop\OTL.exe
[2014/01/15 08:01:26 | 000,000,616 | ---- | M] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/01/15 07:39:00 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/14 20:43:37 | 091,412,976 | ---- | M] (AVAST Software) -- C:\Users\Kati\Desktop\avast_free_antivirus_setup.exe
[2014/01/14 08:19:55 | 000,000,644 | ---- | M] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2014/01/14 07:50:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/01/14 07:50:02 | 2137,448,448 | -HS- | M] () -- C:\hiberfil.sys
[2014/01/14 07:40:36 | 001,037,068 | ---- | M] (Thisisu) -- C:\Users\Kati\Desktop\JRT.exe
[2014/01/14 07:39:30 | 001,236,282 | ---- | M] () -- C:\Users\Kati\Desktop\AdwCleaner.exe
[2014/01/14 07:38:29 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Kati\Desktop\GooredFix.exe
[2014/01/14 07:37:34 | 000,043,008 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\agremove.exe
[2014/01/13 19:34:03 | 000,000,512 | ---- | M] () -- C:\Users\Kati\Desktop\MBR.dat
[2014/01/13 19:23:40 | 000,002,153 | ---- | M] () -- C:\Users\Kati\Desktop\attach.zip
[2014/01/12 20:48:40 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2014/01/12 18:56:03 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2014/01/12 16:58:06 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Kati\Desktop\HiJackThis.exe
[2014/01/12 12:14:09 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2014/01/11 21:44:18 | 000,001,918 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2014/01/11 12:21:29 | 000,642,218 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/01/11 12:21:29 | 000,119,378 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/01/11 12:01:41 | 000,043,152 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2014/01/10 21:32:00 | 000,000,836 | ---- | M] () -- C:\Users\Public\Desktop\SpywareBlaster.lnk
[2014/01/10 21:14:32 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
 
========== Files Created - No Company Name ==========
 
[2014/01/14 07:39:04 | 001,236,282 | ---- | C] () -- C:\Users\Kati\Desktop\AdwCleaner.exe
[2014/01/13 19:34:03 | 000,000,512 | ---- | C] () -- C:\Users\Kati\Desktop\MBR.dat
[2014/01/13 19:23:40 | 000,002,153 | ---- | C] () -- C:\Users\Kati\Desktop\attach.zip
[2014/01/11 21:44:49 | 000,000,446 | ---- | C] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2014/01/11 21:44:46 | 000,000,616 | ---- | C] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2014/01/11 21:44:43 | 000,000,644 | ---- | C] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2014/01/11 21:44:18 | 000,001,930 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2014/01/11 21:44:18 | 000,001,918 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2014/01/11 10:37:53 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.exe
[2014/01/10 21:32:00 | 000,000,836 | ---- | C] () -- C:\Users\Public\Desktop\SpywareBlaster.lnk
[2014/01/10 21:14:32 | 000,000,866 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/01/05 20:09:39 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2013/08/27 20:44:44 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2013/08/11 13:37:48 | 000,003,584 | ---- | C] () -- C:\Users\Kati\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/08/09 02:09:08 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2013/08/09 02:09:07 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2013/08/09 02:08:21 | 000,643,072 | ---- | C] () -- C:\Windows\System32\autochk.exe
[2013/08/09 02:06:49 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2013/08/08 19:49:50 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys.sum
[2013/08/08 19:49:50 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSP.sys.sum
[2013/08/08 19:49:50 | 000,000,175 | ---- | C] () -- C:\Windows\System32\drivers\aswSnx.sys.sum
[2013/08/07 21:49:12 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2013/08/07 20:29:20 | 000,001,356 | ---- | C] () -- C:\Users\Kati\AppData\Local\d3d9caps.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 06:54:18 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2013/12/25 16:54:58 | 000,000,000 | ---D | M] -- C:\Users\Kati\AppData\Roaming\.minecraft
[2014/01/11 12:08:38 | 000,000,000 | ---D | M] -- C:\Users\Kati\AppData\Roaming\AVAST Software
[2013/09/15 19:00:02 | 000,000,000 | ---D | M] -- C:\Users\Kati\AppData\Roaming\OpenOffice
[2013/08/16 06:29:14 | 000,000,000 | ---D | M] -- C:\Users\Kati\AppData\Roaming\Origin
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >
 



#11 1695814 (Authentic Member, 84 posts)
Posted 15 January 2014 - 08:03 PM

Here's Extras.Txt:

 

OTL Extras logfile created on: 1/15/2014 7:38:00 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Kati\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.92% Memory free
4.21 Gb Paging File | 3.09 Gb Available in Paging File | 73.42% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 11.06 Gb Free Space | 14.84% Space Free | Partition Type: NTFS
 
Computer Name: GEORGE | User Name: Kati | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_USERS\S-1-5-21-2483566027-3356467828-3086520822-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0EFF3DA1-4C0B-4438-ABFF-B7B7183B4D53}" = dir=in | app=c:\users\kati\appdata\local\gcc\controller.exe |
"{49EA8334-9B51-4B0B-9685-894D7F550AC1}" = dir=in | app=c:\program files\hp\hp officejet 6700\bin\faxapplications.exe |
"{4CA6A03F-D1FB-4C56-B380-D1F623CC105E}" = dir=in | app=c:\users\kati\appdata\local\gcc\controller.exe |
"{57B6DFB0-DA5A-428C-AAAA-0BB3EA8F332E}" = dir=in | app=c:\program files\hp\hp officejet 6700\bin\hpnetworkcommunicator.exe |
"{A674A406-6B96-42B7-919A-69C5CEEBCCDD}" = dir=in | app=c:\program files\hp\hp officejet 6700\bin\hpnetworkcommunicatorcom.exe |
"{B65FFC48-21E2-41CD-B2E9-C769E5EBCCDA}" = dir=in | app=c:\program files\hp\hp officejet 6700\bin\sendafax.exe |
"{DF3AB433-C38C-4B3D-89E7-11C1981D979F}" = dir=in | app=c:\program files\hp\hp officejet 6700\bin\digitalwizards.exe |
"{E3A0F91D-5150-4653-A2A9-B474D91A8439}" = dir=in | app=c:\program files\hp\hp officejet 6700\bin\devicesetup.exe |
"TCP Query User{5B0A7179-ECD4-4044-B3C2-F2105EE9DFCE}C:\program files\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
"UDP Query User{B389CFD9-7E28-4CBB-B66A-BC2E72F08125}C:\program files\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{020B8F22-46A5-44FE-89F3-5A8E131BFE4B}" = HP Officejet 6700 Basic Device Software
"{0A5B39D2-7ED6-4779-BCC9-37F381139DB3}" = Adobe AIR
"{0CD47142-BA4F-46B0-AA92-2675864928B8}" = Microsoft Security Client
"{31B25CCC-C459-4A7B-8059-0D9913D4FAA1}" = World Community Grid
"{415FA9AD-DA10-4ABE-97B6-5051D4795C90}" = HP FWUpdateEDO2
"{4903D172-DCCB-392F-93A3-34CA9D47FE3D}" = Microsoft .NET Framework 4.5.1
"{55E61709-D7D4-43C0-B45D-BFAF5C09A02D}" = OpenOffice 4.0.0
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{97486FBE-A3FC-4783-8D55-EA37E9D171CC}" = HP Update
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C12631C6-804D-4B32-B0DD-8A496462F106}" = The Sims™ 3 Pets
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DB21639E-FE55-432C-BCA2-0C5249E3F79E}" = The Sims™ 3 Island Paradise
"{E1AE0CB7-1333-4728-8520-CB3F88A252B4}" = HP Officejet 6700 Help
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E6B88BD6-E4B2-4701-A648-B6DAC6E491CC}" = The Sims™ 3 Generations
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F26DE8EF-F2CF-40DC-8CDA-CC0D82D11B36}" = The Sims™ 3 University Life
"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Google Chrome" = Google Chrome
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Photo Creations" = HP Photo Creations
"InstallShield_{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"LastPass" = LastPass(uninstall only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 26.0 (x86 en-US)" = Mozilla Firefox 26.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Origin" = Origin
"SpywareBlaster_is1" = SpywareBlaster 5.0
 
========== Last 20 Event Log Errors ==========
 
[ System Events ]
Error - 1/15/2014 9:44:00 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume C:.
 
Error - 1/15/2014 9:46:14 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:46:14 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:46:14 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:49:22 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:49:22 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:49:22 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:49:25 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:49:25 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
Error - 1/15/2014 9:49:25 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume \Device\HarddiskVolume1.
 
 
< End of report >
 



#12 ken545 (Forum God; Classroom Teacher, MVP; 23,200 posts)
Interests: Fighting Malware and cooking some great Italian and TexMex food
Posted 16 January 2014 - 07:11 AM

Good Morning,

Can't find any info on these, I am sure they're bad, do you know what they are?

C:\Program Files\dealpaeaaukk
C:\Program Files\saviunGotoyouu

Possibly an error on your hard drive, how old is this computer?
Error - 1/15/2014 9:49:25 PM | Computer Name = George | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume \Device\HarddiskVolume1.

Want to help others, Join our Malware Removal Classroom HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.


#13 1695814 (Authentic Member, 84 posts)
Posted 16 January 2014 - 07:33 AM

Those two Program Files look like the websites I was being redirected to.

 

I got the computer about a year ago from work (used, of course).  They usually have a three year life span there, so at least 4-5 years old.

 

I'll run chkdsk & report back.



#14 1695814 (Authentic Member, 84 posts)
Posted 16 January 2014 - 07:38 AM

I ran chkdsk.  It started doing some stuff...stage 1 of 3 verifying files, found some errors / attribute record is corrupt, then chkdsk cannot continue.



#15 ken545 (Forum God; Classroom Teacher, MVP; 23,200 posts)
Posted 16 January 2014 - 07:46 AM

Get out of chkdsk, let's get rid of those entries and then I will send you over to a good Windows forum for help with the disk.

When you input this script, it has to start with :OTL and end with [Reboot], so make sure you get it all.

Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    [2014/01/05 10:15:32 | 000,000,000 | ---D | M] (dealpaeaaukk) -- C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions\9.hpeuy@yooe-rioe.co.uk
    [2014/01/05 10:15:31 | 000,000,000 | ---D | M] (saviunGotoyouu) -- C:\Users\Kati\AppData\Roaming\Mozilla\Firefox\Profiles\j8w3blzc.default\extensions\rear.3r@yafaay.net
    [2014/01/10 21:05:03 | 000,000,000 | ---D | C] -- C:\Program Files\dealpaeaaukk
    [2014/01/10 20:53:39 | 000,000,000 | ---D | C] -- C:\Program Files\saviunGotoyouu
    [2014/01/05 10:14:42 | 000,000,000 | ---D | C] -- C:\ProgramData\saviunGotoyouu
    [2014/01/05 10:14:40 | 000,000,000 | ---D | C] -- C:\ProgramData\nlhognilkdpjokfgaleihbdfbnpccppd
    [2014/01/05 10:14:33 | 000,000,000 | ---D | C] -- C:\ProgramData\68e13f3284337b31
    [2014/01/05 10:14:10 | 000,000,000 | ---D | C] -- C:\ProgramData\dealpaeaaukk
    
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    
    :Commands
    [purity]
    [resethosts]
    [EMPTYJAVA] 
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top (not Run Scan).
  • Let the program run unhindered, and reboot when it is done.
  • Then post the results of the log it produces.
Then run a new scan with OTL and post the new log, please.

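Post #12 singled out two folders under Program Files that no installed product accounted for, and post #15 answered by pasting their OTL log lines into an :OTL fix. The script below, an added example written for this page and not code from the thread or from OTL itself, makes that correlation mechanical: it parses the "Files/Folders - Created Within 30 Days" entries from OTL.txt and the "HKEY_LOCAL_MACHINE Uninstall List" from Extras.txt, flags folders sitting directly under Program Files or ProgramData whose first word matches no uninstall display name (plus two name-shape checks: a 32-character a-p string, which is the form of a Chrome extension ID, and a long hex blob), and renders the hits in the form the Custom Scans/Fixes box expects. The sample input is a subset of the log lines posted above; the matching heuristics, the reason labels and the generated fix block are this example's own assumptions, and every hit is a lead for a human to confirm, not a verdict.

```python
"""Correlate OTL "Files/Folders" entries with the Extras.txt uninstall list.
Added example for this thread; not a tool from the thread and not part of OTL.
The heuristics below are assumptions of this example, not anything OTL does."""
import re
from dataclasses import dataclass

# One OTL file/folder entry:
#   [date time | size | attrs | C/M] (company) -- path    (the "(company)" part is optional)
OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
# One uninstall-list entry:   "{GUID}" = Display Name
UNINSTALL_ENTRY = re.compile(r'^"(?P<key>[^"]+)" = (?P<name>.+?)\s*$')

# Name shapes worth a second look (assumed heuristics). Chrome extension IDs are
# 32 characters from a-p; long hex strings are another common throwaway name.
CHROME_ID = re.compile(r"^[a-p]{32}$")
HEX_BLOB = re.compile(r"^[0-9a-f]{16,}$", re.I)
ROOTS = ("c:\\program files\\", "c:\\programdata\\")


@dataclass
class Entry:
    line: str        # the OTL line verbatim, so it can be reused in a fix script
    path: str
    is_dir: bool
    company: str


def parse_entries(text):
    entries = []
    for raw in text.splitlines():
        m = OTL_ENTRY.match(raw.strip())
        if m:
            entries.append(Entry(raw.strip(), m["path"], "D" in m["attrs"], m["company"] or ""))
    return entries


def parse_uninstall_names(text):
    return [m["name"] for m in map(UNINSTALL_ENTRY.match, map(str.strip, text.splitlines())) if m]


def first_token(name):
    """'Spybot - Search & Destroy 2' -> 'spybot'; "Malwarebytes' Anti-Malware" -> 'malwarebytes'."""
    m = re.match(r"[A-Za-z0-9]+", name)
    return (m.group(0) if m else name).lower()


def suspicious_dirs(entries, uninstall_names):
    """Directories that are direct children of ROOTS and trip at least one heuristic."""
    known = {first_token(n) for n in uninstall_names}
    hits = []
    for e in entries:
        low = e.path.lower()
        root = next((r for r in ROOTS if low.startswith(r)), None)
        if root is None or not e.is_dir:
            continue
        name = e.path[len(root):]
        if "\\" in name:                 # deeper paths belong to their parent folder
            continue
        reasons = []
        if CHROME_ID.match(name):
            reasons.append("chrome-extension-id name")
        if HEX_BLOB.match(name):
            reasons.append("hex-blob name")
        if first_token(name) not in known:
            reasons.append("no uninstall entry")
        if reasons:
            hits.append((e, reasons))
    return hits


def otl_fix_block(hits):
    """Render hits the way the Custom Scans/Fixes box expects: :OTL lines, then commands."""
    return "\n".join([":OTL", *(e.line for e, _ in hits), "", ":Commands", "[emptytemp]", "[Reboot]"])


# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_OTL = r"""
[2014/01/11 21:44:06 | 000,018,968 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2014/01/11 21:43:35 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2014/01/11 21:43:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2014/01/10 21:32:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Licenses
[2014/01/10 21:32:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
[2014/01/10 21:31:54 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2014/01/10 21:14:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/01/10 21:14:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2014/01/10 21:05:03 | 000,000,000 | ---D | C] -- C:\Program Files\dealpaeaaukk
[2014/01/10 20:53:39 | 000,000,000 | ---D | C] -- C:\Program Files\saviunGotoyouu
[2014/01/05 10:14:42 | 000,000,000 | ---D | C] -- C:\ProgramData\saviunGotoyouu
[2014/01/05 10:14:40 | 000,000,000 | ---D | C] -- C:\ProgramData\nlhognilkdpjokfgaleihbdfbnpccppd
[2014/01/05 10:14:33 | 000,000,000 | ---D | C] -- C:\ProgramData\68e13f3284337b31
[2014/01/05 10:14:10 | 000,000,000 | ---D | C] -- C:\ProgramData\dealpaeaaukk
[2013/12/20 11:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
"""
SAMPLE_UNINSTALL = """
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Mozilla Firefox 26.0 (x86 en-US)" = Mozilla Firefox 26.0 (x86 en-US)
"SpywareBlaster_is1" = SpywareBlaster 5.0
"Google Chrome" = Google Chrome
"Microsoft Security Client" = Microsoft Security Essentials
"""

if __name__ == "__main__":
    found = suspicious_dirs(parse_entries(SAMPLE_OTL), parse_uninstall_names(SAMPLE_UNINSTALL))
    for entry, why in found:
        print(f"{entry.path}  <- {', '.join(why)}")
    print()
    print(otl_fix_block(found))
```

On the sample it flags the same seven folders ken545 put in his fix, plus C:\ProgramData\Licenses, which has no uninstall entry of its own but whose timestamp in the log above falls in the middle of the SpywareBlaster install. That is exactly the kind of hit a human resolves by looking at timestamps and contents before it goes anywhere near a fix script.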
