-
November 22nd, 2014, 01:00 AM
#31
how do I prevent the Malwarebytes from sending me a pop up window every time a website is blocked?
For now you have to live with it. That's some infection causing it.
Some infection may be also messing with restore points.
Skip creating restore point and run MBAR anyway.
-
November 23rd, 2014, 09:50 PM
#32
Create new restore point before proceeding with the next step....
How to: http://www.smartestcomputing.us.com/...t-all-windows/
Download Malwarebytes Anti-Rootkit to your desktop.
•Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
•Double click on downloaded file. OK self extracting prompt.
•MBAR will start. Click "Next" to continue.
•Click in the following screen "Update" to obtain the latest malware definitions.
•Once the update is complete select "Next" and click "Scan".
•When the scan is finished and no malware has been found select "Exit".
•If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
•Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
•"mbar-log-{date} (xx-xx-xx).txt"
•"system-log.txt"
NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes icon in the system tray and click on Exit.
After I downloaded Rootkiller it would not allow me to scan. As you predicted it required me to exit the application. So how do I scan without being in the application?
-
November 23rd, 2014, 09:59 PM
#33
You have to exit MBAM in order to run MBAR.
Right click on MBAM icon in your taskbar and click "Exit".
-
November 24th, 2014, 12:39 AM
#34
The scan ran and said NO malware found.
I did not see an option to save a log or report.
-
November 24th, 2014, 01:01 AM
#35
Please download ComboFix from Here, Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Never rename Combofix unless instructed.
- Close any open browsers.
- Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
If the connection is not there use restore point you created prior to running Combofix. - Double click on combofix.exe & follow the prompts.
- NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try the following...
Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
Restart computer in safe mode
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
-
November 28th, 2014, 10:23 PM
#36
-
December 1st, 2014, 10:30 PM
#37
Yes, I'm still with you. Sorry I've been very busy.
I'll run the new combo fix.
Since I last ran the old Combo Fix which seemed to fix all the core problems, some of the old problems like pages not loading and slow Windows Explorer and images and icons not appearing in Windows Explorer are slowly starting to crop back in (not nearly as bad as before). Since then I have re run all the new anti Malware programs you mentioned. They have found NO new malware.
I'll run the new Combo Fix and report back as soon as I'm able.
-
December 1st, 2014, 10:59 PM
#38
Please observe my rules..
Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
All I need is Combofix log.
-
December 6th, 2014, 01:28 PM
#39
Here's the new Combo Fix log. It took only 20 minutes where as the previous Combo Fix log took 2.5 hours. I think there were more things to fix.
ComboFix 14-12-04.01 - John 12/04/2014 22:42:19.2.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.5887.4156 [GMT -5:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
.
.
((((((((((((((((((((((((( Files Created from 2014-11-05 to 2014-12-05 )))))))))))))))))))))))))))))))
.
.
2014-12-05 04:01 . 2014-12-05 04:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-01 04:12 . 2014-10-01 16:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-12-01 04:12 . 2014-10-01 16:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-01 04:12 . 2014-10-01 16:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-12-01 04:12 . 2014-12-01 04:12 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-24 02:46 . 2014-11-24 04:38 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-11-24 02:46 . 2014-12-01 04:14 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-19 05:54 . 2014-12-03 23:07 -------- d-----w- c:\users\John\AppData\Local\CrashDumps
2014-11-19 04:05 . 2014-11-22 03:39 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-11-19 04:04 . 2014-11-19 04:04 -------- d-----w- c:\programdata\RogueKiller
2014-11-18 18:56 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-18 18:56 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-18 18:56 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-18 18:56 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-12 21:15 . 2014-11-24 02:47 -------- d-----w- c:\programdata\Malwarebytes
2014-11-12 21:11 . 2014-11-12 21:11 -------- d-sh--w- c:\users\John\AppData\Local\EmieBrowserModeList
2014-11-12 00:15 . 2014-11-06 03:54 49664 ----a-w- c:\program files\Internet Explorer\DiagnosticsHub_is.dll
2014-11-12 00:12 . 2014-09-19 09:42 342016 ----a-w- c:\windows\system32\schannel.dll
2014-11-12 00:12 . 2014-09-19 09:42 309760 ----a-w- c:\windows\system32\ncrypt.dll
2014-11-12 00:12 . 2014-09-19 09:23 248832 ----a-w- c:\windows\SysWow64\schannel.dll
2014-11-12 00:12 . 2014-09-19 09:23 221184 ----a-w- c:\windows\SysWow64\ncrypt.dll
2014-11-12 00:12 . 2014-09-19 09:42 314880 ----a-w- c:\windows\system32\msv1_0.dll
2014-11-12 00:12 . 2014-09-19 09:23 259584 ----a-w- c:\windows\SysWow64\msv1_0.dll
2014-11-12 00:12 . 2014-09-19 09:42 210944 ----a-w- c:\windows\system32\wdigest.dll
2014-11-12 00:12 . 2014-09-19 09:42 86528 ----a-w- c:\windows\system32\TSpkg.dll
2014-11-12 00:12 . 2014-09-19 09:23 172032 ----a-w- c:\windows\SysWow64\wdigest.dll
2014-11-12 00:12 . 2014-09-19 09:23 65536 ----a-w- c:\windows\SysWow64\TSpkg.dll
2014-11-12 00:12 . 2014-09-19 09:42 22016 ----a-w- c:\windows\system32\credssp.dll
2014-11-12 00:12 . 2014-09-19 09:23 17408 ----a-w- c:\windows\SysWow64\credssp.dll
2014-11-12 00:10 . 2014-10-25 01:57 77824 ----a-w- c:\windows\system32\packager.dll
2014-11-12 00:10 . 2014-10-25 01:32 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-11-12 00:10 . 2014-10-10 00:57 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-11-12 00:09 . 2014-10-14 02:13 3241984 ----a-w- c:\windows\system32\msi.dll
2014-11-12 00:09 . 2014-10-14 01:50 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-11-12 00:08 . 2014-10-18 02:05 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-12 00:08 . 2014-10-18 01:33 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-04 10:15 . 2014-06-16 10:50 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-11-12 08:12 . 2012-12-11 01:24 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-09-29 00:51 . 2014-09-29 00:51 0 ----a-w- c:\users\John\AppData\Roaming\pftgfhl.dll
2014-09-25 02:08 . 2014-09-30 19:49 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-09-30 19:49 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-09 22:11 . 2014-09-23 21:17 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-23 21:17 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{ABD3B5E1-B268-407B-A150-2641DAB8D898}]
2009-06-08 21:41 120104 ----a-w- c:\program files (x86)\Common Files\Homepage Protection\HomepageProtection.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-07-16 1668664]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2013-03-06 1020816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-05-26 656896]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-05-13 581480]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2012-09-13 204136]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2014-09-16 296520]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CodecPackUpdateChecker.lnk - c:\windows\SysWOW64\C2MP\UpdateChecker.exe [2013-8-29 48200]
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-6-3 430080]
RealPlayer Cloud Service UI.lnk - c:\program files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe [2014-9-16 1011808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 RealPlayerUpdateSvc;RealPlayer Update Service;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C270(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 Browser Manager;Browser Manager; [x]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S2 RealPlayer Cloud Service;RealPlayer Cloud Service;c:\program files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe;c:\program files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [x]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys;c:\windows\SYSNATIVE\DRIVERS\tmevtmgr.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-03 c:\windows\Tasks\HPCeeScheduleForJohn.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-09-17 21:38]
.
2014-12-01 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-06-10 11:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-18 16334368]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-08 610360]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 2184520]
"MRT"="c:\windows\system32\MRT.exe" [2014-11-12 103374192]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\eh4o8hn2.default\
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar_i.excTlbr - false
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109220&tt=4912_4
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Browser Manager]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-04 23:04:28
ComboFix-quarantined-files.txt 2014-12-05 04:04
ComboFix2.txt 2014-11-13 00:39
.
Pre-Run: 289,531,756,544 bytes free
Post-Run: 290,399,920,128 bytes free
.
- - End Of File - - DC2D6167FC4D08967FCE26A55C4E4B2C
51455802D44EB9D2B2CF4BDD6AE287DF
-
December 6th, 2014, 08:21 PM
#40
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Scan button.
- When the scan has finished click on Clean button.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the contents of that logfile with your next reply.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.
-
December 9th, 2014, 01:42 AM
#41
I'm still here. Just really busy and getting busier the closer we get to Christmas.
Here's the AdwCleaner Log. I'm taking it on faith it was OK to do a "clean."
# AdwCleaner v4.105 - Report created 08/12/2014 at 23:35:18
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : John - JOHN-PC
# Running from : C:\Users\John\Downloads\adwcleaner_4.105.exe
# Option : Clean
***** [ Services ] *****
[x] Not Deleted : Browser Manager
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\Tarma Installer
[x] Not Deleted : C:\ProgramData\ytd video downloader
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
Folder Deleted : C:\Program Files (x86)\Application Updater
Folder Deleted : C:\Program Files (x86)\BabylonToolbar
Folder Deleted : C:\Program Files (x86)\GreenTree Applications
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Program Files (x86)\Red Sky
Folder Deleted : C:\Program Files (x86)\WinZip Registry Optimizer
Folder Deleted : C:\Windows\SysWOW64\SearchProtect
Folder Deleted : C:\Users\John\AppData\Local\iLivid
Folder Deleted : C:\Users\John\AppData\Local\PutLockerDownloader
Folder Deleted : C:\Users\John\AppData\Roaming\Babylon
Folder Deleted : C:\Users\John\AppData\Roaming\BabylonToolbar
Folder Deleted : C:\Users\John\AppData\Roaming\NCH Software
Folder Deleted : C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
Folder Deleted : C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DownTango
[!] Folder Deleted : C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\eh4o8hn2.default\Extensions\ftdownloader@ftdownloader.com.xpi
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iLivid.lnk
File Deleted : C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
File Deleted : C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\eh4o8hn2.default\invalidprefs.js
File Deleted : C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\eh4o8hn2.default\user.js
***** [ Scheduled Tasks ] *****
Task Deleted : Browser Manager
***** [ Shortcuts ] *****
***** [ Registry ] *****
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{58BD07EB-0EE0-4DF0-8121-DC9B693373DF}]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd
Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd.1
Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore.1
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\FTDownloader
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKCU\Software\aeda8ab438b941
Key Deleted : HKLM\SOFTWARE\aeda8ab438b941
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1A70C952-4CEC-479F-A9BF-6F5407FD2909}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1A70C952-4CEC-479F-A9BF-6F5407FD2909}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1A70C952-4CEC-479F-A9BF-6F5407FD2909}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DownTango
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Microsoft\Babylon
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\DownTango
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E55E7026-EF2A-4A17-AAA7-DB98EA3FD1B1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\6207E55EA2FE71A4AA7ABD89AEF31D1B
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\6207E55EA2FE71A4AA7ABD89AEF31D1B
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\6207E55EA2FE71A4AA7ABD89AEF31D1B
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dailysweeties.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.dailysweeties.com
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Mozilla Firefox v34.0 (x86 en-US)
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.admin", false);
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.autoRvrt", "false");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.rvrt", "false");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109220&tt=4912_4");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.excTlbr", false);
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.newTab", false);
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
[eh4o8hn2.default\prefs.js] - Line Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.8.4.916:56:07");
*************************
AdwCleaner[R0].txt - [9934 octets] - [08/12/2014 23:21:31]
AdwCleaner[S0].txt - [9880 octets] - [08/12/2014 23:35:18]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9940 octets] ##########
-
December 9th, 2014, 09:58 PM
#42
-
December 14th, 2014, 04:08 PM
#43
-
December 19th, 2014, 07:25 PM
#44
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|