Computer running extremely slow.

November 17, 2013 at 09:08:31
Specs: Windows 7

My entire computer is running extremely slow. It takes approx. 1 to 1 1/2 minutes for a program to open or to navigate between pages on Internet Explorer. Also typing is very slow. When I open IE my home page will not display, but I am able to enter a web address and go to that site after a long wait. I have run Malwarebytes and AdwCleaner and both have cleaned a lot of junk from my computer but the speed has not improved. Also IE will shut down for no reason. I am on a wifi network but no other computers or smart phones are having problems. I have connected directly with ethernet and no change.



#1
November 17, 2013 at 14:23:22

Hi stacyeh, I helped you in June. Can you Copy & Paste all the contents of the scan logs please?


#2
November 17, 2013 at 16:56:25

I remember you Johnw, I was hoping you would see my post. I ran Malwarebytes and AdwCleaner yesterday and again today, so there will be 2 logs from each.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.16.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
logan :: LOGAN-HP [administrator]

11/16/2013 6:35:36 PM
mbam-log-2013-11-16 (18-35-36).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 548547
Time elapsed: 4 hour(s), 33 second(s)

Memory Processes Detected: 5
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> 1908 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> 10396 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> 10244 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> 13320 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Mozilla\WINC823.exe (Trojan.Agent) -> 1668 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\SEARCHPROTECT (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Caewurydad (Heuristics.Shuriken) -> Data: C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GameServer504 (Trojan.Agent) -> Data: "C:\Users\logan\AppData\Roaming\Mozilla\WINC823.exe" -> Quarantined and deleted successfully.
HKCU\Software\SearchProtect|IELastInstalledTBHomepage (PUP.Optional.SearchProtect.A) -> Data: http://search.conduit.com?SearchSou... -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 47
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_046cfa10.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_54b842e7.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_6a07737a.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_7757090d.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_936f24ce.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_d6abbc12.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\nsoA7F5.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\nst70A0.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\nsyBBB6.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\nsz7841.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\teyefboghoaerakulvp.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\vxoor.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\is357113909\dp.exe (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\6e79a922-51b8e8b1 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Ahrupi\aryqomg.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Almyxegu\idqivey.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Atzoinaw\elogpix.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Bybuap\uwmiec.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Dozyywaz\umcyily.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Fiollum\efakyz.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Gycopy\evdaap.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Ihxedo\suadaq.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Ogyndoes\exleop.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Owabluuw\lyabxuh.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Sezoyp\urpahes.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Tiudug\sicuywg.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Ukxoda\wykehi.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Wediyn\syycr.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Zehionx\owivu.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Mozilla\WINC823.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\Tasks\Security Center Update - 1371565059.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 139757748.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 1966112343.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 1977736354.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 2004906098.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 2152364043.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 2394432451.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 2673077009.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 3434704412.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 3608160200.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 3797348418.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 427137030.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 4292338392.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 706371555.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 800907918.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 951920574.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.

(end)



#3
November 17, 2013 at 16:57:12

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.16.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
logan :: LOGAN-HP [administrator]

11/17/2013 4:06:00 PM
mbam-log-2013-11-17 (16-06-00).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 580857
Time elapsed: 3 hour(s), 15 minute(s), 1 second(s)

Memory Processes Detected: 6
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> 3964 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> 13608 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> 17980 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> 11584 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> 9500 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> 1588 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Vosicout (Heuristics.Shuriken) -> Data: C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\logan\AppData\Roaming\Ifkiqyri\odedon.exe (Heuristics.Shuriken) -> Delete on reboot.

(end)


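Both Malwarebytes logs above are read by hand to work out what was still running, what was set to auto-start, and what only gets removed at the next reboot. The following triage parser for that log format is an added example written for this thread, not part of Malwarebytes, AdwCleaner or any tool linked here; the sample log is a constructed excerpt of the first log posted above, and the classification rules (Run values, .job files under Windows\Tasks, executables one folder below AppData\Roaming) are this example's own heuristics, not Malwarebytes' logic.

```python
"""Triage parser for Malwarebytes Anti-Malware 1.x text logs (the format pasted in this thread).
The mechanism classification below is this example's own heuristic, not Malwarebytes' logic."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Section headers such as "Memory Processes Detected: 5" or "Files Detected: 47".
SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
# "<item> (<Signature.Name>) -> <rest>"; the lazy item stops at the first " (Sig) -> ",
# so a "(x86)" inside a path does not end the item early.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[\w.]+)\) -> (?P<rest>.+)$")
# An .exe one folder below AppData\Roaming, e.g. ...\Roaming\Ogomiva\omykofi.exe.
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\|", re.IGNORECASE)
TASK_JOB_RE = re.compile(r"\\Windows\\Tasks\\.+\.job$", re.IGNORECASE)


@dataclass
class Detection:
    section: str                 # "Memory Processes", "Registry Values", "Files", ...
    item: str                    # file path, or registry key|value name
    signature: str               # e.g. "Heuristics.Shuriken"
    outcome: str                 # "Delete on reboot." or "Quarantined and deleted successfully."
    pid: Optional[int] = None    # Memory Processes only
    data: Optional[str] = None   # target of a Run value (Registry Values only)


def parse_mbam_log(text: str) -> list:
    """Walk the log, remembering which "<X> Detected: N" section each line belongs to."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if section is None or not line or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        # rest is "<pid> -> <outcome>", "Data: <target> -> <outcome>" or just "<outcome>".
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        pid = data = None
        if len(parts) > 1 and parts[0].isdigit():
            pid = int(parts[0])
        elif len(parts) > 1 and parts[0].startswith("Data: "):
            data = parts[0][len("Data: "):].strip('"')
        found.append(Detection(section, m.group("item"), m.group("sig"), parts[-1], pid, data))
    return found


def classify(d: Detection) -> str:
    """Name the activity or persistence mechanism a detection represents."""
    if d.section == "Memory Processes":
        return "running process"
    if d.section == "Registry Values" and RUN_VALUE_RE.search(d.item):
        return "autostart (Run value)"
    if d.section == "Files" and TASK_JOB_RE.search(d.item):
        return "scheduled task"
    return d.section.lower()


def triage(text: str) -> dict:
    """Summarise what the log says is still live, auto-started, or awaiting a reboot."""
    dets = parse_mbam_log(text)
    paths = [d.item for d in dets] + [d.data for d in dets if d.data]
    return {
        "total": len(dets),
        "by_mechanism": dict(Counter(classify(d) for d in dets)),
        "autostart_targets": sorted({d.data for d in dets if d.data}),
        "roaming_exes": sorted({p for p in paths if ROAMING_EXE_RE.search(p)}),
        # Items only removed at next boot: the machine is not clean until it restarts.
        "pending_reboot": sorted({d.item for d in dets if d.outcome.startswith("Delete on reboot")}),
    }


# Constructed excerpt of the first Malwarebytes log in this thread (paths as posted there).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300

Memory Processes Detected: 2
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> 1908 -> Delete on reboot.
C:\Users\logan\AppData\Roaming\Mozilla\WINC823.exe (Trojan.Agent) -> 1668 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\SEARCHPROTECT (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Caewurydad (Heuristics.Shuriken) -> Data: C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GameServer504 (Trojan.Agent) -> Data: "C:\Users\logan\AppData\Roaming\Mozilla\WINC823.exe" -> Quarantined and deleted successfully.

Files Detected: 4
C:\Users\logan\AppData\Roaming\Ogomiva\omykofi.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Temp\Java_Update_046cfa10.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Roaming\Mozilla\WINC823.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\Tasks\Security Center Update - 1371565059.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```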

#4
November 17, 2013 at 17:02:07

I don't know how to get to AdwCleaner logs. The button is greyed out. Also when I try to shut down my computer it tells me a program named dllhost.exe is running and I have no idea what that is.


#5
November 17, 2013 at 17:07:25

You can find the logfile at C:\AdwCleaner[S1].txt as well.


#6
November 18, 2013 at 06:12:05

first scan

# AdwCleaner v3.012 - Report created 16/11/2013 at 23:27:13
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : logan - LOGAN-HP
# Running from : C:\Users\logan\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\SpeedyPC Software
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\Searchprotect
Folder Deleted : C:\Program Files (x86)\SoftwareUpdater
Folder Deleted : C:\Program Files (x86)\Savings Ship
Folder Deleted : C:\Program Files (x86)\MixiDJ_V37
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Users\logan\AppData\Local\Conduit
Folder Deleted : C:\Users\logan\AppData\Local\filetypeassistant
Folder Deleted : C:\Users\logan\AppData\Local\visualbeeexe
Folder Deleted : C:\Users\logan\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\logan\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\logan\AppData\LocalLow\MixiDJ_V37
Folder Deleted : C:\Users\logan\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\logan\AppData\Roaming\Searchprotect
Folder Deleted : C:\Users\logan\AppData\Roaming\SpeedyPC Software
Folder Deleted : C:\Users\logan\AppData\Roaming\strongvault
Folder Deleted : C:\Users\logan\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Folder Deleted : C:\Users\logan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Folder Deleted : C:\Users\logan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncjmdohhlhfibipdhbkakhnaahelkklj
File Deleted : C:\END
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Windows\System32\Tasks\Software Updater

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : [x64] HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\.bdc
Key Deleted : HKLM\SOFTWARE\Classes\.bgl
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\App24x7Help_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\App24x7Help_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [GenieoUpdaterService]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B0F993-5884-4D4F-81FC-FA40FA25121E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAC99BB8-1C72-4659-98C5-3F3DC0374EAF}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\distromatic
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\SpeedyPC Software
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKCU\Software\AppDataLow\Software\MixiDJ_V37
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\SpeedyPC Software
Key Deleted : HKLM\Software\MixiDJ_V37
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Opener Packages
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MixiDJ_V37 Toolbar
Key Deleted : [x64] HKLM\SOFTWARE\Updater By Sweetpacks

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16520


-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\logan\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : icon_url

*************************

AdwCleaner[R0].txt - [12248 octets] - [16/11/2013 23:23:53]
AdwCleaner[S0].txt - [11516 octets] - [16/11/2013 23:27:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [11577 octets] ##########



#7
November 18, 2013 at 06:13:33

2nd scan:

# AdwCleaner v3.012 - Report created 17/11/2013 at 19:39:28
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : logan - LOGAN-HP
# Running from : C:\Users\logan\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\logan\AppData\Local\filetypeassistant

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Secure Search

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16520


-\\ Google Chrome v31.0.1650.57

[ File : C:\Users\logan\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [12248 octets] - [16/11/2013 23:23:53]
AdwCleaner[R1].txt - [1084 octets] - [17/11/2013 19:36:57]
AdwCleaner[S0].txt - [11686 octets] - [16/11/2013 23:27:13]
AdwCleaner[S1].txt - [963 octets] - [17/11/2013 19:39:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1022 octets] ##########



#8
November 18, 2013 at 06:14:48

I also thought I would let you know I am having to run in Safe Mode w/ networking today to do anything.


#9
November 18, 2013 at 13:55:13

"Safe Mode w/ networking today to do anything"
OK, I shall continue the cleaning process; it may come good itself (let me know if it does), if not I shall repair it.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note, that this program will not unhide removable drives like flash cards and usb drives as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
Copy & Paste the contents of the log. Let me know if it doesn't produce a log please.

2: Reboot

3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://tigzyrk.blogspot.fr/2012/11/...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#10
November 19, 2013 at 08:27:38

I am running unhide right now but I wanted to ask you what is a good inexpensive security software because apparently F-Secure through Charter isn't getting the job done. Or is there a routine I need to be following.


#11
November 19, 2013 at 10:01:55

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 11/19/2013 11:51:01 AM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 442626 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 232 files processed.

The C:\Users\logan\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 11/19/2013 12:46:56 PM
Execution time: 0 hours(s), 55 minute(s), and 55 seconds(s)



#12
November 19, 2013 at 13:49:18

"F-Secure through Charter isn't getting the job done"
Malware Prevention
http://www.malwarevault.com/prevent...
"There is no magic involved. The majority of malware is installed by the user themselves"
What's that message mean? click, click.

So far most ( not all ) of your problems are the same as before, here is what users are doing.
As you can see from your logs, you had a lot of stuff installed, that you did not know had been installed.
A lot of programs, now give you the choice to install toolbars & other during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install, you have to read after each click.
I use Softpedia, they make you aware the program is Ad-supported & down the bottom of the page, they will advise of what you have to watch out for.
Sample pages.
http://www.softpedia.com/get/CD-DVD...
http://www.softpedia.com/get/Multim...
Users are advised to pay attention while installing this ad-supported application:
· Offers to change the homepage for web browsers installed in the system
· Offers to change the default search engine for web browsers installed in the system
· Offers to install StartNow Toolbar that the program does not require to fully function
SS ( screenshot ) of above.
http://i.imgur.com/CSBplyA.gif

I use Microsoft Security Essentials ( MSE )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.techsupportalert.com/9be...
http://www.techsupportalert.com/bes...
http://www.microsoft.com/security_e...
http://www.microsoft.com/security_e...
System requirements
http://www.microsoft.com/en-us/secu...
Check list for installing Microsoft Security Essentials
http://experts.windows.com/w/expert...
Can Microsoft Security Essentials ( MSE ) protect me from online banking and shopping.
http://answers.microsoft.com/en-us/...
If you choose to use Security Essentials, please follow the steps in this thread first, especially the part about removing all existing realtime antimalware:
http://kb.eset.com/esetkb/index?pag...

Avast is another very good one, both are FREE.
http://www.freewarefiles.com/Avast-...
http://www.avast.com/free-antivirus...
FREE antivirus software with spyware protection: avast! Home Edition
Vista 64 bit.
http://www.avast.com/eng/x64.html



#13
November 20, 2013 at 12:20:49

OK Johnw, I'm not having much luck w/ RogueKiller. The first time I ran it, it ran for 15 hrs. so I stopped it. I uninstalled and reinstalled and it ran for 6 hrs and didn't get any further than the first time. I'm still in safe mode because I cannot open IE otherwise and safe mode is running slow now. RogueKiller did produce a log but it didn't give me the option to delete.

RogueKiller V8.7.8 _x64_ [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/rog...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : logan [Admin rights]
Mode : Scan [Aborted] -- Date : 11/20/2013 04:18:38

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\logan\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [7] -> rundll32.exe KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : GenieoSystemTray ("C:\Users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Brtion (regsvr32.exe C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll [x][-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\logan\AppData\Roaming\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : BackgroundContainer ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : GenieoSystemTray ("C:\Users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : Brtion (regsvr32.exe C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll [x][-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : SearchProtect (C:\Users\logan\AppData\Roaming\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : BackgroundContainer ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[0]_S_11202013_041838.txt >>
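RogueKiller's [SUSP PATH] tag in the log above marks Run values whose image sits in a directory the user can write to, and two of them (Brtion, BackgroundContainer) do not run an EXE at all: they hand a DLL under AppData to regsvr32/rundll32, so the signed Windows host is what shows up in the process list. The following Python is an added example, not RogueKiller's code and not part of this thread; it reimplements that heuristic over constructed sample entries transcribed from the RogueKiller and ComboFix output here, plus an HKLM entry that is not flagged and a per-user SkyDrive install that the heuristic also flags, which is why the output is a triage list and not a kill list. The directory marker list, the DLL host set and the reason strings are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample autorun entries (hive, value name, command line), transcribed
# from the RogueKiller and ComboFix output in this thread plus two benign-looking ones.
SAMPLE_RUN_ENTRIES = [
    ("HKCU\\...\\Run", "GenieoSystemTray",
     r'"C:\Users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe"'),
    ("HKCU\\...\\Run", "Brtion",
     r'regsvr32.exe C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll'),
    ("HKCU\\...\\Run", "BackgroundContainer",
     r'"C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun'),
    ("HKLM\\...\\Run", "IAStorIcon",
     r'"c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"'),
    ("HKCU\\...\\Run", "SkyDrive",
     r'"c:\users\logan\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe"'),
]

# Directory markers a standard user can write to without elevation (assumed list,
# extend it for your environment). Code autostarting from here deserves a look.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
                 "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Signed Windows binaries that load whatever DLL they are pointed at.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def tokenize(cmd):
    """Split a Run-value command line into tokens, honouring double quotes.

    Windows paths use backslashes, so shlex's POSIX escaping would mangle them;
    a small regex is enough here.
    """
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def loaded_image(cmd):
    """Return (host_exe, image_path): the process that starts and the file that really runs."""
    tokens = tokenize(cmd)
    host = PureWindowsPath(tokens[0]).name.lower()
    if host in DLL_HOSTS and len(tokens) > 1:
        # rundll32/regsvr32 are only carriers; the first argument is the DLL.
        # rundll32 syntax is "<dll>,<EntryPoint>", so drop any entry point.
        return host, tokens[1].split(",")[0]
    return host, tokens[0]


def is_user_writable(path):
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def classify(hive, name, cmd):
    """Apply the suspicious-path heuristic to one autorun entry."""
    host, image = loaded_image(cmd)
    reasons = []
    if is_user_writable(image):
        reasons.append("image lives in a user-writable directory")
        if host in DLL_HOSTS:
            reasons.append("loaded as a DLL through %s" % host)
    return {"hive": hive, "name": name, "host": host, "image": image,
            "suspicious": bool(reasons), "reasons": reasons}


def triage(entries):
    """Return only the entries the heuristic flags, in the order given."""
    return [r for r in (classify(*e) for e in entries) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_RUN_ENTRIES):
        print("[SUSP PATH] %s : %s -> %s (%s)"
              % (hit["hive"], hit["name"], hit["image"], "; ".join(hit["reasons"])))
```

The heuristic is deliberately loose: per-user installers (SkyDrive, Chrome, Spotify) legitimately autostart from AppData\Local, so a hit is a reason to check the file's Authenticode signature and hash, not to delete it on sight. Conversely, an entry passing this check is not cleared: the malware in this thread also re-seeded fresh copies (the random-named folders under AppData\Roaming in the ComboFix list), so autorun cleanup has to be paired with a file-system scan.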

#14
November 20, 2013 at 13:07:05

"I'm not having much luck w/ Roguekiller"

Let's see if this will run & finish; I am trying to dismantle the infection bit by bit.
Use a flash drive for the first attempt.

Run ESET Online Scanner and copy and paste the contents of the log please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a flash/thumb/pen drive & run it from there, if your comp is unbootable, or won't let you download.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...

#15
November 21, 2013 at 04:31:24

If it weren't for bad luck I'd have no luck at all. My laptop somehow became unplugged and the battery died overnight while I was running the scan. I don't know if it finished because I really don't know how to read the log. I see a place on the log where it says finished so I'm hoping that's the case. But I'm going to have to rely on your brilliance to tell me. Here it is:


ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=a65987f5e01cd947b2edecf9a248f9a6
# engine=15967
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-11-21 03:15:09
# local_time=2013-11-20 10:15:09 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 0 136547159 0 0
# scanned=556090
# found=50
# cleaned=50
# scan_time=14072
sh=1742230B01C49DA757FDB23F04CBE01A6EA88230 ft=1 fh=3a85b30d33fb3b59 vn="a variant of Win32/AdWare.iBryte.I.gen application (cleaned by deleting - quarantined)" ac=C fn="C:\$RECYCLE.BIN\S-1-5-21-774832544-3403919201-2401829686-1000\$RME2HV8.exe"
sh=3E02B7FEEA41D15D26F40DDDCE8821444EFDA360 ft=1 fh=1f0a5eeb9736d92a vn="Win32/AdInstaller application (cleaned by deleting - quarantined)" ac=C fn="C:\$RECYCLE.BIN\S-1-5-21-774832544-3403919201-2401829686-1000\$RWTPQ8Y.exe"
sh=0426FF7F92792C8E0202A07286A02371FD4DB89C ft=1 fh=bb71dc653bc49e1b vn="a variant of Win32/Toolbar.Conduit.P application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\MixiDJ_V37\ldrtbMixi.dll.vir"
sh=A54B27FD7BD7B1EC1F3101502836C620D6F11639 ft=1 fh=c01b70bae45c3c6e vn="a variant of Win32/Toolbar.Conduit.B application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\MixiDJ_V37\tbMixi.dll.vir"
sh=392332784CF8AD559EF6B07D6B9D6A3EE746FFDF ft=1 fh=d5ca7b17344753d6 vn="a variant of Win64/Toolbar.Crossrider.A application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Savings Ship\Savings Ship-buttonutil64.exe.vir"
sh=0426FF7F92792C8E0202A07286A02371FD4DB89C ft=1 fh=bb71dc653bc49e1b vn="a variant of Win32/Toolbar.Conduit.P application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Users\logan\AppData\LocalLow\MixiDJ_V37\ldrtbMixi.dll.vir"
sh=A54B27FD7BD7B1EC1F3101502836C620D6F11639 ft=1 fh=c01b70bae45c3c6e vn="a variant of Win32/Toolbar.Conduit.B application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Users\logan\AppData\LocalLow\MixiDJ_V37\tbMixi.dll.vir"
sh=9B3B44428CC80CC43F085AE514E7E16F7963EACC ft=1 fh=4c03fc1250fa29f9 vn="a variant of Win32/Toolbar.Conduit.P application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\InternetHelper3.7\ldrtbInte.dll"
sh=33457E2F2405727124C107D6DEAF24C94E992463 ft=1 fh=e719e166edfd7994 vn="a variant of Win32/Toolbar.Conduit.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\InternetHelper3.7\tbInte.dll"
sh=D957B0EC634B5C52AA2B8934223A6248D5152807 ft=1 fh=4c2491a4bea30714 vn="a variant of Win32/InstallCore.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\PDFCreator\message.exe"
sh=50433197412217B98F96972F49007183F4BF25F2 ft=1 fh=ffa63240e4f3939f vn="probably a variant of Win32/Conduit.SearchProtect.C application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\bin\ChromeModule.dll"
sh=9AD04A7058AC026D71A9DBBB65D3405A0FE1F966 ft=1 fh=27fad6d8e176ad34 vn="a variant of Win32/Conduit.SearchProtect.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\bin\cltmng.exe"
sh=6AFFAC1058EC89B360D9523A5522518AC6CC345B ft=1 fh=6432fa134192634c vn="probably a variant of Win32/Conduit.SearchProtect.C application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\bin\FirefoxModule.dll"
sh=901D125118A5846E5CA9596978714EFA017A93A3 ft=1 fh=e61e1100b2240fc7 vn="probably a variant of Win32/Conduit.SearchProtect.C application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\bin\InternetExplorerModule.dll"
sh=FD8B92580C2FF70E2A7B56756ECB5FD6B921FCF2 ft=1 fh=faefea65a273ead1 vn="a variant of Win32/Conduit.SearchProtect.D application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\bin\SPRunner.exe"
sh=77801D0E0DC02E8C50CDC73562F4D7F13FC1C18B ft=0 fh=0000000000000000 vn="Win32/Conduit.SearchProtect.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\ffprotect\application.js"
sh=170ACC25B35BA845064591DF61F2D52142823738 ft=0 fh=0000000000000000 vn="Win32/Conduit.SearchProtect.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\ffprotect\nsprotector.js"
sh=EF1BC6FF7FB12440BB293A5D1B8E9AC67BAD70C8 ft=1 fh=3ffcf36c48973a81 vn="Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Program Files (x86)\CouponAlert_2pEI\Installr\1.bin\2pEIPlug.dll.vir"
sh=E3D37988DE897C809ADF91B0AAD4B7FA310606F2 ft=1 fh=389839cdd3738b2f vn="a variant of Win32/Toolbar.MyWebSearch.Q application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Program Files (x86)\CouponAlert_2pEI\Installr\1.bin\2pEZSETP.dll.vir"
sh=9E81CE23E24955830FE9F5A77D6ED1E5B44495BC ft=1 fh=aeb7d7910805a687 vn="Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Program Files (x86)\CouponAlert_2pEI\Installr\1.bin\NP2pEISb.dll.vir"
sh=D8894D50A5A7C5D8099C073B2B6590BCCD999B2B ft=0 fh=0000000000000000 vn="Win32/TrojanDownloader.Tracur.V trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Google\Chrome\User Data\Default\Users\ihehbpbmhjpopnggbemmcldkiofecopn\cs.js"
sh=2C21BE1B91D0D12A9C3176AB20DCC76414473BD0 ft=1 fh=ad8e41f99351152c vn="Win32/Agent.PQF trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\hiiy.exe"
sh=B440AB73AEC5EB6C240D821568E00C6E2620B0F8 ft=1 fh=04c63d21fa6e67c5 vn="a variant of Win32/Toolbar.Conduit.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\tbWhit.dll"
sh=8E7D9F1AEB7A9F9F544CE537DA336E2FD9D8EB89 ft=1 fh=e5f85f840a14464b vn="a variant of Win32/Toolbar.Babylon.F application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\1E9ED9B9-BAB0-7891-8141-89FA659718FD\Latest\BExternal.dll"
sh=E2BA5F8A7BD2BAF32FF31730BAD873C8E7957030 ft=1 fh=6e8622963c31f56a vn="a variant of Win32/Toolbar.Babylon.P application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\1E9ED9B9-BAB0-7891-8141-89FA659718FD\Latest\BUSolution.dll"
sh=C48D1C278D0434F3BBAF273134265DBA5F720003 ft=1 fh=bedeb8cbd68127e1 vn="a variant of Win32/Toolbar.Babylon.E application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\1E9ED9B9-BAB0-7891-8141-89FA659718FD\Latest\IEHelper.dll"
sh=9F82BB5DC8D4EC6B8B2BB47CB6C329B8AF1C14CE ft=1 fh=c92ed1f3ca58c043 vn="Win32/InstallCore.AZ application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\2094048.Uninstall\uninstaller.exe"
sh=9F82BB5DC8D4EC6B8B2BB47CB6C329B8AF1C14CE ft=1 fh=c92ed1f3ca58c043 vn="Win32/InstallCore.AZ application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\2112081.Uninstall\uninstaller.exe"
sh=E836EAFDEE8834FD08FDBDC8FB3149E2A58BC990 ft=1 fh=85d409ae2251b1ed vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\ct3315828\ieLogic.exe"
sh=8F6F58C5D9BE80529551D99634972A7D9DEB48A2 ft=1 fh=3a5e2eb111fda44c vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\is357113909\PCFixSpeedSetup.exe"
sh=9F82BB5DC8D4EC6B8B2BB47CB6C329B8AF1C14CE ft=1 fh=c92ed1f3ca58c043 vn="Win32/InstallCore.AZ application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\is357113909\uninstaller.exe"
sh=6255191C23A3DBE470494F37C77121693FA577C3 ft=1 fh=c91632637f3fccb0 vn="Win32/TrojanDownloader.Tracur.V trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\nikjcysj\nikjcysj.dll"
sh=7664F6A327E5201011200E703489577A0971AB77 ft=1 fh=c71c0011451c6a93 vn="a variant of Win32/Toolbar.Babylon.P application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\upd77EF\BUSolution.x"
sh=6255191C23A3DBE470494F37C77121693FA577C3 ft=1 fh=c91632637f3fccb0 vn="Win32/TrojanDownloader.Tracur.V trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Windows Live\CyberLink\jogego.dll"
sh=9B3B44428CC80CC43F085AE514E7E16F7963EACC ft=1 fh=4c03fc1250fa29f9 vn="a variant of Win32/Toolbar.Conduit.P application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\LocalLow\InternetHelper3.7\ldrtbInte.dll"
sh=33457E2F2405727124C107D6DEAF24C94E992463 ft=1 fh=e719e166edfd7994 vn="a variant of Win32/Toolbar.Conduit.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\LocalLow\InternetHelper3.7\tbInte.dll"
sh=E250B4250155A4E11E3293B51A561D8C7965E862 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.QES trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\30013c04-2136e631"
sh=4940ADFD9BCDF8426797A27B6F8A999B819CBFF6 ft=0 fh=0000000000000000 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\77b94fab-695934a8"
sh=2AA7DE336CB245AE5CF310085D5B5FD2D088AF87 ft=0 fh=0000000000000000 vn="Java/Exploit.Agent.QER trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\5ac2fe3a-22b87cd7"
sh=5D8C221EE4E41C31B0957F9E30224268EA5ACBA9 ft=0 fh=0000000000000000 vn="JS/Agent.NKW trojan (deleted - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\Genieo\Data\unused_visited\2013-10-13\1381638456000_lexcs.org.zhtml"
sh=50433197412217B98F96972F49007183F4BF25F2 ft=1 fh=ffa63240e4f3939f vn="probably a variant of Win32/Conduit.SearchProtect.C application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\bin\ChromeModule.dll"
sh=9AD04A7058AC026D71A9DBBB65D3405A0FE1F966 ft=1 fh=27fad6d8e176ad34 vn="a variant of Win32/Conduit.SearchProtect.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\bin\cltmng.exe"
sh=6AFFAC1058EC89B360D9523A5522518AC6CC345B ft=1 fh=6432fa134192634c vn="probably a variant of Win32/Conduit.SearchProtect.C application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\bin\FirefoxModule.dll"
sh=901D125118A5846E5CA9596978714EFA017A93A3 ft=1 fh=e61e1100b2240fc7 vn="probably a variant of Win32/Conduit.SearchProtect.C application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\bin\InternetExplorerModule.dll"
sh=FD8B92580C2FF70E2A7B56756ECB5FD6B921FCF2 ft=1 fh=faefea65a273ead1 vn="a variant of Win32/Conduit.SearchProtect.D application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\bin\SPRunner.exe"
sh=77801D0E0DC02E8C50CDC73562F4D7F13FC1C18B ft=0 fh=0000000000000000 vn="Win32/Conduit.SearchProtect.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\ffprotect\application.js"
sh=170ACC25B35BA845064591DF61F2D52142823738 ft=0 fh=0000000000000000 vn="Win32/Conduit.SearchProtect.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\ffprotect\nsprotector.js"
sh=9F82BB5DC8D4EC6B8B2BB47CB6C329B8AF1C14CE ft=1 fh=c92ed1f3ca58c043 vn="Win32/InstallCore.AZ application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\Zip Opener Packages\uninstaller.exe"
sh=57CED9B18AC1C34D346CD4B337207DEA23FDE041 ft=1 fh=41e6101b065a7f89 vn="a variant of Win32/AirAdInstaller.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\Desktop\rogue.exe"
sh=3E02B7FEEA41D15D26F40DDDCE8821444EFDA360 ft=1 fh=1f0a5eeb9736d92a vn="Win32/AdInstaller application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\Downloads\MapsGalaxy.exe"
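The ESET log above is line-oriented: the "#" header records the run state (end=finished, found, cleaned, scan_time) and every detection line carries the file's SHA-1 (sh=), the verdict (vn=) and the path (fn=). The following Python is an added example, not ESET's code and not part of this thread; it parses that format, checks the header for a completed run, separates files that were already sitting in AdwCleaner's or ComboFix's (Qoobox) quarantine from files that were live on disk, and groups detections by hash so a component dropped in two places (SearchProtect's cltmng.exe in Program Files and again in AppData) is visible as one file. The excerpt below is transcribed from the log above and shortened to six of the fifty lines; the quarantine folder list and the location labels are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt: header fields and six detection lines transcribed from the
# ESET Online Scanner log posted above (the full log has 50 detections).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# end=finished
# scanned=556090
# found=50
# cleaned=50
# scan_time=14072
sh=0426FF7F92792C8E0202A07286A02371FD4DB89C ft=1 fh=bb71dc653bc49e1b vn="a variant of Win32/Toolbar.Conduit.P application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\MixiDJ_V37\ldrtbMixi.dll.vir"
sh=9AD04A7058AC026D71A9DBBB65D3405A0FE1F966 ft=1 fh=27fad6d8e176ad34 vn="a variant of Win32/Conduit.SearchProtect.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\SearchProtect\bin\cltmng.exe"
sh=9AD04A7058AC026D71A9DBBB65D3405A0FE1F966 ft=1 fh=27fad6d8e176ad34 vn="a variant of Win32/Conduit.SearchProtect.B application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Roaming\SearchProtect\bin\cltmng.exe"
sh=2C21BE1B91D0D12A9C3176AB20DCC76414473BD0 ft=1 fh=ad8e41f99351152c vn="Win32/Agent.PQF trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\hiiy.exe"
sh=E250B4250155A4E11E3293B51A561D8C7965E862 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.QES trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\30013c04-2136e631"
sh=EF1BC6FF7FB12440BB293A5D1B8E9AC67BAD70C8 ft=1 fh=3ffcf36c48973a81 vn="Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Program Files (x86)\CouponAlert_2pEI\Installr\1.bin\2pEIPlug.dll.vir"
"""

# One detection line: sh=<SHA-1> ft=<n> fh=<hex> vn="<verdict>" ac=<x> fn="<path>"
DETECTION_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9a-f]{16}) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$'
)

# Quarantine folders of other cleanup tools (assumed list). Files found here were
# already neutralised before ESET ran, so they are not evidence of a live infection.
OTHER_QUARANTINES = ("c:\\adwcleaner\\quarantine\\", "c:\\qoobox\\quarantine\\")


def split_verdict(vn):
    """'a variant of Win32/X.Y trojan (cleaned ...)' -> ('Win32/X.Y', 'trojan', 'cleaned ...')."""
    m = re.match(r"^(?P<desc>.*?)(?:\s*\((?P<action>[^)]*)\))?$", vn)
    desc, action = m.group("desc"), m.group("action") or ""
    for prefix in ("probably ", "a variant of "):
        if desc.startswith(prefix):
            desc = desc[len(prefix):]
    if desc == "multiple threats":  # ESET's catch-all verdict carries no family name
        return desc, "", action
    family, _, kind = desc.partition(" ")
    return family, kind, action


def locate(path):
    """Where the detected file sat: live on disk, another tool's quarantine, or the recycle bin."""
    p = path.lower()
    if p.startswith(OTHER_QUARANTINES):
        return "quarantine of another tool"
    if "$recycle.bin" in p:
        return "recycle bin"
    return "live"


def parse_log(text):
    """Return (header dict, list of detection dicts) for an ESET Online Scanner log."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        family, kind, action = split_verdict(m.group("vn"))
        detections.append({
            "sha1": m.group("sha1"), "family": family, "kind": kind, "action": action,
            "path": m.group("fn"), "location": locate(m.group("fn")),
        })
    return header, detections


def scan_completed(header):
    """True when the scan ran to the end and everything it found was cleaned."""
    return header.get("end") == "finished" and header.get("found") == header.get("cleaned")


def summarize(detections):
    paths_by_hash = defaultdict(list)
    for d in detections:
        paths_by_hash[d["sha1"]].append(d["path"])
    return {
        "by_family": Counter(d["family"] for d in detections),
        "by_location": Counter(d["location"] for d in detections),
        # Same SHA-1 at several paths: one component dropped in more than one place.
        "duplicates": {h: p for h, p in paths_by_hash.items() if len(p) > 1},
        "live": [d for d in detections if d["location"] == "live"],
    }


if __name__ == "__main__":
    hdr, dets = parse_log(SAMPLE_LOG)
    print("completed:", scan_completed(hdr), "found/cleaned:", hdr.get("found"), hdr.get("cleaned"))
    s = summarize(dets)
    print("by family:", dict(s["by_family"]))
    print("by location:", dict(s["by_location"]))
    for h, paths in s["duplicates"].items():
        print("same file at %d paths: %s" % (len(paths), h))
```

Two things the summary makes obvious that a fifty-line wall of text does not: which findings were already dead (the .vir files under AdwCleaner and Qoobox, and the $RECYCLE.BIN entries in the full log) versus live copies such as the SearchProtect tree and hiiy.exe in Temp, and which hashes recur, which is usually a persistence component rather than a stray download.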

#16
November 21, 2013 at 04:55:12

Hard to know for sure. I think it has; keep ESET as a permanent part of your armory.
With what it has removed, we should get a clear run on anything else we use.

Run Defogger & then Combofix. Post the logs as usual.

1: Run Defogger
http://majorgeeks.com/Defogger_d708...
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.

2: Run ComboFix & post the contents of the log please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual"

If you think it's frozen look at computer clock.
If it's running Combofix is still working.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

#17
November 21, 2013 at 17:10:33

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:08 on 21/11/2013 (logan)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

#18
November 22, 2013 at 00:28:01

ComboFix 13-11-19.01 - logan 11/21/2013 20:46:49.4.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.85 [GMT -5:00]
Running from: c:\users\logan\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Researcher.lnk
c:\users\logan\AppData\Roaming\SearchProtect
c:\users\logan\AppData\Roaming\SearchProtect\bin\CltMngSvc.exe
c:\users\logan\AppData\Roaming\SearchProtect\bin\rep.dat
c:\users\logan\AppData\Roaming\SearchProtect\bin\SPHook32.dll
c:\users\logan\AppData\Roaming\SearchProtect\bin\SPHook64.dll
c:\users\logan\AppData\Roaming\SearchProtect\bin\SPTool64.exe
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\dialogsApi.js
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\lib\jquery.min.js
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\lib\json2.js
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\bubble.css
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\bubble.js
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\images\information.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spbd\main.html
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spsd\images\warning.png
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spsd\main.html
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\users\logan\AppData\Roaming\SearchProtect\Dialogs\spsd\settings.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\abstraction.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\dialogsApi.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\lib\json2.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\bubble.css
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\bubble.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\images\information.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spbd\main.html
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spsd\main.html
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\Dialogs\spsd\settings.js
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\popupTransparent.xul
c:\users\logan\AppData\Roaming\SearchProtect\ffprotect\SProtectorRepository\EN
c:\windows\SysWow64\FlashPlayerApp.exe
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-10-22 to 2013-11-22 )))))))))))))))))))))))))))))))
.
.
2013-11-22 02:15 . 2013-11-22 02:15 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-22 02:15 . 2013-11-22 02:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-20 23:07 . 2013-11-20 23:07 -------- d-----w- c:\program files (x86)\ESET
2013-11-19 18:13 . 2013-11-19 18:13 -------- d-----w- c:\programdata\Conduit
2013-11-19 18:13 . 2013-11-21 03:14 -------- d-----w- c:\program files (x86)\InternetHelper3.7
2013-11-19 18:13 . 2013-11-19 18:13 -------- d-----w- c:\program files (x86)\SearchProtect
2013-11-19 18:13 . 2013-11-19 18:13 -------- d-----w- c:\users\logan\AppData\Local\NativeMessaging
2013-11-19 18:13 . 2013-11-19 18:13 -------- d-----w- c:\users\logan\AppData\Local\Conduit
2013-11-19 18:12 . 2013-11-19 18:22 -------- d-----w- c:\program files (x86)\Conduit
2013-11-19 18:12 . 2013-11-19 18:20 -------- d-----w- c:\program files (x86)\Free Download Manager
2013-11-18 00:58 . 2013-11-19 18:44 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{780D60B2-AC26-414A-8C33-ED065B8C9FDF}\offreg.dll
2013-11-18 00:40 . 2013-11-18 00:40 -------- d-----w- c:\users\logan\AppData\Local\FileTypeAssistant
2013-11-17 04:23 . 2013-11-18 00:39 -------- d-----w- C:\AdwCleaner
2013-11-17 03:27 . 2013-11-18 00:30 -------- d-----w- c:\users\logan\AppData\Roaming\Ifkiqyri
2013-11-16 22:39 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Atzoinaw
2013-11-16 22:39 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Owabluuw
2013-11-16 22:38 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Zehionx
2013-11-16 22:37 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Fiollum
2013-11-16 22:37 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Tiudug
2013-11-16 22:36 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Ihxedo
2013-11-16 22:35 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Ukxoda
2013-11-16 22:34 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Gycopy
2013-11-16 22:34 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Sezoyp
2013-11-16 22:33 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Wediyn
2013-11-16 22:32 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Almyxegu
2013-11-16 22:32 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Bybuap
2013-11-16 22:31 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Dozyywaz
2013-11-16 22:30 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Ogyndoes
2013-11-16 22:30 . 2013-11-17 03:43 -------- d-----w- c:\users\logan\AppData\Roaming\Ahrupi
2013-11-16 15:56 . 2013-11-20 19:57 -------- d-----w- c:\users\logan\AppData\Local\Brtion
2013-11-15 15:10 . 2013-10-14 07:12 10280728 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{780D60B2-AC26-414A-8C33-ED065B8C9FDF}\mpengine.dll
2013-11-14 13:34 . 2013-10-13 14:48 1346560 ----a-w- c:\windows\system32\urlmon.dll
2013-11-13 14:06 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll
2013-10-29 15:25 . 2013-10-29 18:38 -------- d-----w- c:\users\logan\AppData\Roaming\SmartDraw
2013-10-29 15:25 . 2013-10-29 15:25 -------- d-----w- c:\program files (x86)\SmartDraw CI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-14 13:30 . 2013-03-27 12:53 82896128 ----a-w- c:\windows\system32\MRT.exe
2013-11-12 20:28 . 2013-08-22 12:09 46368 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2013-10-11 13:08 . 2013-06-20 18:55 566480 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2013-10-08 23:40 . 2011-09-04 12:17 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-03 05:48 . 2013-10-03 05:48 773968 ----a-w- c:\windows\SysWow64\msvcr100.dll
2013-10-03 05:48 . 2013-10-03 05:48 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2013-09-08 02:30 . 2013-10-10 13:07 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:27 . 2013-10-10 13:07 327168 ----a-w- c:\windows\system32\mswsock.dll
2013-09-08 02:03 . 2013-10-10 13:07 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2013-09-03 18:35 . 2011-03-01 22:37 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-29 02:17 . 2013-10-10 13:07 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-29 02:16 . 2013-10-10 13:07 1732032 ----a-w- c:\windows\system32\ntdll.dll
2013-08-29 02:16 . 2013-10-10 13:07 243712 ----a-w- c:\windows\system32\wow64.dll
2013-08-29 02:16 . 2013-10-10 13:07 859648 ----a-w- c:\windows\system32\tdh.dll
2013-08-29 02:13 . 2013-10-10 13:07 878080 ----a-w- c:\windows\system32\advapi32.dll
2013-08-29 01:51 . 2013-10-10 13:07 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-10 13:07 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-10 13:07 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-08-29 01:50 . 2013-10-10 13:07 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll
2013-08-29 01:50 . 2013-10-10 13:07 619520 ----a-w- c:\windows\SysWow64\tdh.dll
2013-08-29 01:48 . 2013-10-10 13:07 640512 ----a-w- c:\windows\SysWow64\advapi32.dll
2013-08-29 01:48 . 2013-10-10 13:07 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-08-29 00:49 . 2013-10-10 13:07 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-08-29 00:49 . 2013-10-10 13:07 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-08-29 00:49 . 2013-10-10 13:07 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-08-29 00:49 . 2013-10-10 13:07 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-08-28 01:21 . 2013-10-10 13:07 3155968 ----a-w- c:\windows\system32\win32k.sys
2013-08-28 01:12 . 2013-10-10 13:06 461312 ----a-w- c:\windows\system32\scavengeui.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll" [2013-08-07 1561880]
"{8e2479de-6096-41f3-90ab-83be9946aa2d}"= "c:\program files (x86)\InternetHelper3.7\prxtbInte.dll" [2013-11-06 226592]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CLASSES_ROOT\clsid\{8e2479de-6096-41f3-90ab-83be9946aa2d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]
2013-07-23 06:46 1451680 ----a-w- c:\program files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{8e2479de-6096-41f3-90ab-83be9946aa2d}]
2013-11-06 16:53 226592 ----a-w- c:\program files (x86)\InternetHelper3.7\prxtbInte.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{8e2479de-6096-41f3-90ab-83be9946aa2d}"= "c:\program files (x86)\InternetHelper3.7\prxtbInte.dll" [2013-11-06 226592]
.
[HKEY_CLASSES_ROOT\clsid\{8e2479de-6096-41f3-90ab-83be9946aa2d}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-08-14 18:12 222832 ----a-w- c:\users\logan\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-08-14 18:12 222832 ----a-w- c:\users\logan\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-08-14 18:12 222832 ----a-w- c:\users\logan\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2013-01-16 2736128]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"MusicManager"="c:\users\logan\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2013-09-23 7342592]
"SkyDrive"="c:\users\logan\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2013-08-14 257136]
"GenieoSystemTray"="c:\users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [2013-09-29 539488]
"Brtion"="c:\users\logan\AppData\Local\Brtion\NDISAPI.dll" [2013-11-19 1101824]
"ConduitFloatingPlugin_jhbbmmgbnjalccamlaefhepnajfmgopb"="c:\program files (x86)\Conduit\CT3315828\plugins\TBVerifier.dll" [1623-04-06 296736]
"BackgroundContainer"="c:\users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll" [2013-11-06 319264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-07-02 602680]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files (x86)\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-10-01 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.exe;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.exe [x]
R2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files (x86)\SearchProtect\bin\CltMngSvc.exe;c:\program files (x86)\SearchProtect\bin\CltMngSvc.exe [x]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
R2 Freemake Improver;Freemake Improver;c:\programdata\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe;c:\programdata\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [x]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files (x86)\Freemake\CaptureLib\CaptureLibService.exe;c:\program files (x86)\Freemake\CaptureLib\CaptureLibService.exe [x]
R2 fshoster;F-Secure Dll Hoster;c:\program files (x86)\Charter Security Suite\fshoster32.exe;c:\program files (x86)\Charter Security Suite\fshoster32.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
R2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 OfficeSvc;Microsoft Office Service;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe [x]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
R2 vToolbarUpdater17.1.2;vToolbarUpdater17.1.2;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\ToolbarUpdater.exe;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.1.2\ToolbarUpdater.exe [x]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.exe;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2013-01-16 16:46 454176 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-17 21:15 1210320 ----a-w- c:\program files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-12 23:40]
.
2013-11-21 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files (x86)\FreeFileViewer\FFVCheckForUpdates.exe [2012-11-11 22:24]
.
2013-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-12 21:03]
.
2013-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-12 21:03]
.
2013-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-774832544-3403919201-2401829686-1000Core.job
- c:\users\logan\AppData\Local\Google\Update\GoogleUpdate.exe [2013-01-12 16:50]
.
2013-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-774832544-3403919201-2401829686-1000UA.job
- c:\users\logan\AppData\Local\Google\Update\GoogleUpdate.exe [2013-01-12 16:50]
.
2013-11-17 c:\windows\Tasks\HPCeeScheduleForlogan.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 02:15]
.
2013-11-21 c:\windows\Tasks\SDMsgUpdate (Local).job
- c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2013-10-29 15:18]
.
2013-11-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2013-10-29 15:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-08-14 18:12 261744 ----a-w- c:\users\logan\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-08-14 18:12 261744 ----a-w- c:\users\logan\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-08-14 18:12 261744 ----a-w- c:\users\logan\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-10-11 13:08 2328264 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-10-11 13:08 2328264 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-10-11 13:08 2328264 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-03-13 6234144]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1840720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2013-11-20 21720]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com/?ctid=CT3315828&octid=CT3315828&SearchSource=61&CUI=UN10963718142772044&UM=2&UP=SPED49B617-F5BD-4567-927B-0B6990F53DC5
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
Trusted Zone: genieo.com\yahoo
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files (x86)\Coupons.com CouponBar\tbcore3.dll
WebBrowser-{8660E5B3-6C41-44DE-8503-98D99BBECD41} - (no file)
AddRemove-FileAssociationManager - c:\program files (x86)\FileAssociationManager\uninstall-fam.exe
AddRemove-Researcher - c:\program files (x86)\Smart Compute\Researcher\uninstaller.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
AddRemove-Zip Opener Packages 81 - c:\users\logan\AppData\Roaming\Zip Opener Packages\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\fshoster]
"ImagePath"="\"c:\program files (x86)\Charter Security Suite\fshoster32.exe\" -hosterid:0"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\F-Secure\My Services Agent\Protected]
@Denied: ) (Everyone)
"AgentIdentifier"="b6db2e14-aa3c-4f02-867a-b50b4509a05b"
"AuthorizationCode"="lZSosZEG1uBdpA4FOOd5IHC2hG77QkjKHNQWvERVX5g2W8y1aZhoNw"
"42626_AgentIdentifier"="b6db2e14-aa3c-4f02-867a-b50b4509a05b"
"42626_AuthorizationCode"="lZSosZEG1uBdpA4FOOd5IHC2hG77QkjKHNQWvERVX5g2W8y1aZhoNw"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-11-21 21:23:13
ComboFix-quarantined-files.txt 2013-11-22 02:23
ComboFix2.txt 2013-06-25 13:46
ComboFix3.txt 2013-06-25 12:07
.
Pre-Run: 391,744,274,432 bytes free
Post-Run: 396,419,575,808 bytes free
.
- - End Of File - - D27C88497ED8F36C5953E2C4C6EEAD6B

#19
November 22, 2013 at 03:41:39

Very good, run ESET again & post the log please.

#20
November 22, 2013 at 14:32:44

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=a65987f5e01cd947b2edecf9a248f9a6
# engine=15991
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-11-22 10:16:37
# local_time=2013-11-22 05:16:37 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 0 136702047 0 0
# scanned=305681
# found=3
# cleaned=3
# scan_time=22628
sh=898A3E585C98DD7E994B788940C059E532AD0EC2 ft=1 fh=c71c0011ab188431 vn="Win32/Boaxxe.G trojan (cleaned by deleting (after the next restart) - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll"
sh=60F37196C1580F1B7CCA36D457B806F62DE405A3 ft=1 fh=c71c001148954511 vn="a variant of Win32/InstallCore.DK application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G79JFK9A\Adobe-Reader.exe"
sh=60F37196C1580F1B7CCA36D457B806F62DE405A3 ft=1 fh=c71c001148954511 vn="a variant of Win32/InstallCore.DK application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\logan\AppData\Local\Temp\ICReinstall_Adobe-Reader.exe"

#21
November 22, 2013 at 14:46:24

ESET finished this time, very good.

Download the latest version of RogueKiller & run again.


#22
November 22, 2013 at 15:07:23

I shut down my computer and when I restarted I got a RegSvr32 message. I tried to do Add a Screen Capture but don't know how to upload.

The message says:

The module
"C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll" failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.


#23
November 22, 2013 at 15:27:30

" I tried to do Add a Screen Capture but don't know how to upload"
Use Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use for images.
http://i.imgur.com/mWxzNlv.gif
http://i.imgur.com/ODCCcPf.gif
http://i.imgur.com/zalhLtW.gif

#24
November 22, 2013 at 15:39:42

http://i.imgur.com/rHsNYN8.gif

#25
November 22, 2013 at 15:44:20

Nice work, trillions of error messages out there, just googled that error.

Download the latest version of RogueKiller & run again

"ndisapi.dll is a library file that contains malicious code, which implements main parasite functions. This file usually needs to be loaded by executables or other pest files. However, some threats inject ndisapi.dll in the system, so it works as an independent component, for example, as a harmful web browser plugin or hidden system service.
The ndisapi.dll file is installed and used by Alpha Antivirus.
You have to delete the ndisapi.dll file immediately after you have found it. The parasite will continue to violate your privacy and harm your computer unless ndisapi.dll and all related objects are completely removed from the system"


#26
November 22, 2013 at 15:46:45

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/rog...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : logan [Admin rights]
Mode : Remove -- Date : 11/22/2013 18:44:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] rundll32.exe -- C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [7] -> rundll32.exe KILLED [TermProc]
[SUSP PATH] gentray.exe -- C:\Users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe [7] -> KILLED [TermProc]
[SUSP PATH] genupdater.exe -- C:\Users\logan\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe [7] -> KILLED [TermProc]
[HIDDEN] genieutils.exe -- C:\Users\logan\AppData\Roaming\Genieo\Application\Engine\lib\genieutils.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : GenieoSystemTray ("C:\Users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : Brtion (regsvr32.exe C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll [x][x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : BackgroundContainer ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : GenieoSystemTray ("C:\Users\logan\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [7]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : Brtion (regsvr32.exe C:\Users\logan\AppData\Local\Brtion\NDISAPI.dll [x][x]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-774832544-3403919201-2401829686-1000\[...]\Run : BackgroundContainer ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] BackgroundContainer Startup Task : "C:\Windows\SysWOW64\Rundll32.exe" - "C:\Users\logan\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS725050A9A364 +++++
--- User ---
[MBR] 87e875778970b14844d970d00f4cf266
[BSP] 0ea5069140f28449c6543addd708168b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 459190 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 940830720 | Size: 17446 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer Switch USB Device +++++
--- User ---
[MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_D_11222013_184450.txt >>
RKreport[0]_S_11202013_041838.txt;RKreport[0]_S_11222013_184238.txt


#27
November 22, 2013 at 15:53:49

After a reboot what issues do you have?



#28
November 22, 2013 at 16:41:30

No problems. Everything is running smoothly. Thanks so much for your help. You have spent a lot of time helping me and I greatly appreciate it. Great to know there are good people still in this world that are willing to help.
Does it matter which post I select as best answer?

message edited by stacyeh


#29
November 22, 2013 at 16:48:27

Good, now update & run MBAM again, post the log.

message edited by Johnw


#30
November 22, 2013 at 18:23:06

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.23.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
logan :: LOGAN-HP [administrator]

Protection: Enabled

11/22/2013 8:05:29 PM
mbam-log-2013-11-22 (20-05-29).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 512094
Time elapsed: 1 hour(s), 8 minute(s), 54 second(s)

Memory Processes Detected: 1
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe (PUP.Optional.Conduit.A) -> 1692 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\SEARCHPROTECT (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3315828 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ConduitFloatingPlugin_jhbbmmgbnjalccamlaefhepnajfmgopb (Trojan.Agent) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Conduit\CT3315828\plugins\TBVerifier.dll",RunConduitFloatingPlugin jhbbmmgbnjalccamlaefhepnajfmgopb -> Quarantined and deleted successfully.
HKCU\Software\SearchProtect|IELastInstalledTBHomepage (PUP.Optional.SearchProtect.A) -> Data: http://search.conduit.com?SearchSou... -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit.A) -> Bad: (http://search.conduit.com/?ctid=CT3315828&octid=CT3315828&SearchSource=61&CUI=UN10963718142772044&UM=2&UP=SPED49B617-F5BD-4567-927B-0B6990F53DC5) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 8
C:\Program Files (x86)\SearchProtect\Dialogs (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\lib (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\images (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\images (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE\CT3315828 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 31
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\Program Files (x86)\InternetHelper3.7\InternetHelper3.7ToolbarHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\bin\SPHook32.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\bin\SPHook64.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\bin\SPTool64.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\bin\uninstall.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\logan\AppData\Roaming\SearchProtect\bin\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\logan\AppData\Roaming\SearchProtect\bin\SPHook32.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\logan\AppData\Roaming\SearchProtect\bin\SPHook64.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\logan\AppData\Roaming\SearchProtect\bin\SPTool64.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\logan\AppData\Local\Conduit\CT3315828\InternetHelper3.7AutoUpdateHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\dialogsApi.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\lib\jquery.min.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\lib\json2.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\bubble.css (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\bubble.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\main.html (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\images\information.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\main.html (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\SearchProtector.css (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\settings.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\images\ok-button.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\images\separation-line.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SearchProtect\Dialogs\spsd\images\warning.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE\CT3315828\configutaion.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE\CT3315828\SetupIcon.ico (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\Conduit\IE\CT3315828\UninstallerUI.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)
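The MBAM 1.x log format pasted above is simple enough to check mechanically; the script below is an added example (not Malwarebytes' or the thread's own code) that parses the per-section entries, tallies detections by category, verifies each section's declared count, and flags any entry whose action is not a successful quarantine/repair/delete. The sample log is a constructed excerpt of the lines above plus one made-up "No action taken" entry under a placeholder path.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.x log format shown above; the last Files entry is
# made up (placeholder path) to exercise the "No action taken" case.
SAMPLE_LOG = r"""
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ConduitFloatingPlugin_jhbbmmgbnjalccamlaefhepnajfmgopb (Trojan.Agent) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Conduit\CT3315828\plugins\TBVerifier.dll",RunConduitFloatingPlugin jhbbmmgbnjalccamlaefhepnajfmgopb -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit.A) -> Bad: (http://search.conduit.com/?ctid=CT3315828) Good: (http://www.google.com) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe (PUP.Optional.Conduit.A) -> Delete on reboot.
C:\Users\example\AppData\Roaming\Example\example.exe (Trojan.Agent) -> No action taken.
"""

SECTION_RE = re.compile(r"^([A-Za-z][\w ]*?) Detected: (\d+)$")
# The category is the parenthesised dotted name right before " -> "; this keeps "(x86)"
# inside a path from being mistaken for the category.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<cat>[A-Za-z][\w-]*(?:\.[\w-]+)+)\) -> (?P<rest>.+)$")
OK_ACTIONS = {"Quarantined and deleted successfully", "Quarantined and repaired successfully", "Delete on reboot"}

def parse_mbam_log(text):
    """Return {section: {"declared": n, "entries": [{item, category, action}, ...]}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"declared": int(m.group(2)), "entries": []}
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            action = m.group("rest").split(" -> ")[-1].rstrip(".")  # last arrow = action taken
            sections[current]["entries"].append(
                {"item": m.group("item"), "category": m.group("cat"), "action": action})
    return sections

def review(sections):
    """Counts per category, entries not successfully handled, and sections whose
    declared count differs from the number of entries actually listed."""
    by_cat, not_handled, mismatch = Counter(), [], []
    for name, sec in sections.items():
        if len(sec["entries"]) != sec["declared"]:
            mismatch.append(name)
        for e in sec["entries"]:
            by_cat[e["category"]] += 1
            if e["action"] not in OK_ACTIONS:
                not_handled.append((e["item"], e["action"]))
    return by_cat, not_handled, mismatch
```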



#31
November 22, 2013 at 18:36:41

Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Copy and Paste the contents into your reply.
If ListParts won't run, you may get the message > The disk management services could not complete the operation
1: Restart the computer. Any messages after the reboot?
2: Delete your copy of ListParts and download the latest ListParts and this time put it on the root of C drive (start => My Computer => C drive). Run ListParts, Copy & Paste the contents of the log in your next reply.
Run ListParts, Copy & Paste the contents of the log please.


#32
November 24, 2013 at 06:24:33

ListParts by Farbar Version: 20-10-2013
Ran by logan (administrator) on 24-11-2013 at 09:22:54
Windows 7 (X64)
Running From: C:\Users\logan\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 56%
Total physical RAM: 3893.86 MB
Available physical RAM: 1701.48 MB
Total Pagefile: 7785.9 MB
Available Pagefile: 5246.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:448.43 GB) (Free:371.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:17.04 GB) (Free:2.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 1D505CB8

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 448 GB 200 MB
Partition 3 Primary 17 GB 448 GB
Partition 4 Primary 103 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 448 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 17 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 HP_TOOLS FAT32 Partition 103 MB Healthy

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 1D505CB8
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=448 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=17 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)


****** End Of Log ******



#33
November 24, 2013 at 12:59:31

"ListParts by Farbar Version: 20-10-2013"
Good result stacyeh, no active hidden partitions.

"Malwarebytes Anti-Malware (Trial) 1.75.0.1300"

"11/22/2013 8:05:29 PM
mbam-log-2013-11-22 (20-05-29).txt
Scan type: Full scan (C:\|D:\|)"

Uninstall MBAM, reboot & install this way, no need for a Full scan.

http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://i.imgur.com/3DtG68Y.gif
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
Make sure you uncheck > Enable free trial < during install.
http://i.imgur.com/tUFCbYz.gif
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Remove Selected button after the scan.
Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...

Run MBAM again to make sure the last deletions have stuck.

message edited by Johnw
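The "no active hidden partitions" verdict above comes from reading the MBR partition table that ListParts prints. The script below is an added example (not Farbar's code or anything from this thread) that parses a raw 512-byte MBR and applies the same two checks: exactly one active partition, and no active partition of a hidden type. The MBR is constructed to mirror the logged table (disk ID 1D505CB8, types 07/07/07/0C, partition 1 active); its sector counts are approximations derived from the logged sizes, not bytes read from the real disk.

```python
import struct

# Constructed 512-byte MBR mirroring the ListParts log above. Sector counts are
# approximations of the logged sizes, not data read from the real disk.
def _entry(boot, ptype, start_lba, sectors):
    # CHS fields are zeroed; modern tools rely on the LBA start/count fields only
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)

SAMPLE_MBR = (
    b"\x90" * 440                                # boot code area (placeholder bytes)
    + struct.pack("<I", 0x1D505CB8)              # disk signature, as in the log
    + b"\x00\x00"                                # reserved
    + _entry(0x80, 0x07, 2048, 407552)           # Partition 1: active, NTFS, 199 MB
    + _entry(0x00, 0x07, 409600, 940425856)      # Partition 2: NTFS, ~448 GB
    + _entry(0x00, 0x07, 940835456, 35735552)    # Partition 3: NTFS, ~17 GB
    + _entry(0x00, 0x0C, 976571008, 210944)      # Partition 4: FAT32 LBA, 103 MB
    + b"\x55\xAA"                                # MBR boot signature
)

# Partition type IDs that mark a partition as hidden (standard MBR type table)
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
                0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
                0x1E: "hidden FAT16 LBA", 0x27: "hidden NTFS (WinRE)"}

def parse_mbr(mbr):
    """Return (disk_id, partitions) from a raw 512-byte MBR; empty slots are skipped."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    disk_id = struct.unpack_from("<I", mbr, 440)[0]
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype:  # type 0x00 marks an empty slot
            parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                          "hidden": ptype in HIDDEN_TYPES, "start_lba": start,
                          "size_mb": count * 512 // (1024 * 1024)})
    return disk_id, parts

def findings(parts):
    """The checks behind 'no active hidden partitions': one active partition, none hidden."""
    out = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        out.append(f"{len(active)} active partitions, expected exactly 1")
    for p in active:
        if p["hidden"]:
            out.append(f"partition {p['index']} is active and hidden ({HIDDEN_TYPES[p['type']]})")
    return out
```

On a live system the same 512 bytes can be read from the physical drive with administrator rights; a clean result is an empty findings list, as for the log above.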



#34
November 24, 2013 at 17:22:32

When I reinstalled MBAM there was not an option that said enable trial version of MBAM Pro, so I didn't have the option to uncheck. Anyway here is the log:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.24.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
logan :: LOGAN-HP [administrator]

Protection: Disabled

11/24/2013 8:12:08 PM
mbam-log-2013-11-24 (20-12-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231604
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

message edited by stacyeh



#35
November 24, 2013 at 17:39:36

"Anyway here is the log"
All good, you should be Ok.

Any other issues?

John in Western Australia.
http://www.timeanddate.com/worldclo...



#36
November 25, 2013 at 06:43:27

One more question. When I hover the mouse over the mbam icon on the taskbar it says Trial - 11 days remaining. Is the software going to expire in 11 days?

http://i.imgur.com/gOa4ZID.gif

Also, totally off the subject, it's awesome that you live in Australia. Australia is on my bucket list. I live in a very small town in Georgia just across the Tennessee line in the US. But I have to visit "down under" one day. Also, thanks a million for all your help.

message edited by stacyeh



#37
November 25, 2013 at 13:49:33

"Is the software going to expire in 11 days?"
I have never used the version you have installed, but all I think happens is you get a nag screen.
The uncheck trial option comes right at the end of the install (I have done several installs since you tried), as per my previous SS below.
http://i.imgur.com/tUFCbYz.gif

"But I have to visit "down under" one day"
You won't regret it; allow plenty of time, we are about the same size as the US.

For example, when we went to NZ, 6 weeks.
When we have been to Europe, 6 - 8 weeks.

PS. Logan was my mother's maiden name.



#38
November 25, 2013 at 16:39:38

Logan is my middle son's name. This was his computer and he handed it down to me when he purchased a Mac.

Thanks again for all your help!



#39
December 22, 2013 at 17:18:39

Good to hear this is solved
