Help with Google redirect

Toshiba Satellite c655-s5082 laptop
October 14, 2012 at 19:40:53
Specs: Windows 7
I've read some of the threads and tried some things with seemingly no improvement.

I already had Malwarebytes on my computer and was able to run it successfully but unfortunately don't have a log. Now I'm getting this error when I try to start it

Run-time error ‘453’:
Can’t find DLL entry point ProtectionNotifyChange in mbam

I'll post the HijackThis log and hopefully can get some help with this.



#1
October 14, 2012 at 19:41:48
HiJack This Log File

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:03 PM, on 10/13/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\PC Tools Security\pctsGui.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Nate\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Nate\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Freecorder\FLVSrvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Freecorder Toolbar - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files (x86)\freecordertoolbar\vmntemplateX.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Complitly - {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - C:\Users\Nate\AppData\Roaming\Complitly\Complitly.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
O3 - Toolbar: Freecorder Toolbar - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files (x86)\freecordertoolbar\vmntemplateX.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SignIn] "C:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe" /autorun
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Nate\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Spotify] "C:\Users\Nate\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9835 bytes



#2
October 14, 2012 at 19:53:24
This is for the FREE version; please let me know if your MBAM is a paid full subscription before doing the following!

You will have to remove MBAM first using the mbam-clean.exe tool from this link:

http://helpdesk.malwarebytes.org/en...
When it finishes, it will ask you to restart your pc. Please allow this to happen.

Now download the latest version of MBAM from this link:
http://www.malwarebytes.org/product...
If it is stopped from downloading please try to rename it, anything you want as long as you remember the new name.

Update it and run a quick scan.
Now we can look at your redirection problem.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#3
October 14, 2012 at 20:16:54
Removed, Downloaded, and Run

Here is the quick scan log:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Nate :: NATE-PC [administrator]

10/14/2012 11:07:58 PM
mbam-log-2012-10-14 (23-15-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200385
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEBENHANCEMENTS (PUP.WebEnhancements) -> No action taken.

Registry Values Detected: 3
HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: -> No action taken.
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: C:\Program Files (x86)\WebEnhancements\WebEnhancements.xpi -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements|URLInfoAbout (PUP.WebEnhancements) -> Data: http://www.webenhancements.me -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Program Files (x86)\WebEnhancements (PUP.WebEnhancements) -> No action taken.

Files Detected: 8
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\80000000.@ (Rootkit.0Access.64) -> No action taken.
C:\Program Files (x86)\WebEnhancements\WebEnhancements.xpi (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\im.exe (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\RealPlayer.exe (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\WebEnhancements.crx (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\Xvid.exe (PUP.WebEnhancements) -> No action taken.

(end)



#4
October 14, 2012 at 20:24:35
Great to see MBAM working for you, this will save time.
I see in the scan results that no PUPs (Potentially Unwanted Programs) were removed. PUPs need to be manually selected for removal.
Run MBAM again and check-mark the PUPs for removal.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#5
October 14, 2012 at 20:45:01
I wasn't sure if there was anything specific that you might have noted for removal. Removed and restarting...

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Nate :: NATE-PC [administrator]

10/14/2012 11:37:30 PM
mbam-log-2012-10-14 (23-37-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200485
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEBENHANCEMENTS (PUP.WebEnhancements) -> No action taken.

Registry Values Detected: 3
HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: -> No action taken.
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: C:\Program Files (x86)\WebEnhancements\WebEnhancements.xpi -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements|URLInfoAbout (PUP.WebEnhancements) -> Data: http://www.webenhancements.me -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Program Files (x86)\WebEnhancements (PUP.WebEnhancements) -> No action taken.

Files Detected: 8
C:\Program Files (x86)\WebEnhancements\WebEnhancements.xpi (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\im.exe (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\RealPlayer.exe (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\WebEnhancements.crx (PUP.WebEnhancements) -> No action taken.
C:\Program Files (x86)\WebEnhancements\Xvid.exe (PUP.WebEnhancements) -> No action taken.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.

(end)



#6
October 14, 2012 at 20:46:25
Also run HJT again, and I suggest check-marking the following for removal:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>

O2 - BHO: Freecorder Toolbar - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files (x86)\freecordertoolbar\vmntemplateX.dll

O2 - BHO: Complitly - {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - C:\Users\Nate\AppData\Roaming\Complitly\Complitly.dll

O3 - Toolbar: Freecorder Toolbar - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files (x86)\freecordertoolbar\vmntemplateX.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run

O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Nate\AppData\Local\Akamai\netsession_win.exe"

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#7
October 14, 2012 at 21:04:43
I see in your logs that you have the ZeroAccess rootkit on your pc. If you get locked out at any stage during cleaning, you will have to go to a clean pc for further instructions.

The ZeroAccess rootkit, also known as Max++, is a nasty piece of malware which is designed to start its persistent campaign just after infiltration. The infiltration of this malware is quite simple and is done through security holes together with infected downloads, often fake Adobe Reader or Java updates. It can be said that an additional purpose of the ZeroAccess rootkit is to set up a stealthy, undetectable and unremovable platform which helps to download further malware onto the target PC.

First of all how is your pc running? Can you turn it on ok?

Please download and run RogueKiller from this link:
http://majorgeeks.com/RogueKiller_d...

Download and run TDSSkiller from this link:
http://support.kaspersky.com/faq/?q...

Download and run HitmanPro 3 from this link:
http://www.surfright.nl/en/hitmanpro/
Make sure it's the 64-bit version.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#8
October 14, 2012 at 21:09:39
I removed your recommended items after running HiJack This.


#9
October 14, 2012 at 21:14:58
I believe it was a fake Adobe update, it seemed a little odd looking back on it.

My computer is able to turn on. It seems slow; I'm getting the Google redirects and various random tabs opening with things like "consumer lifestyles" and a link to buy that awesome 3 wolves and moon shirt on Amazon. Videos on YouTube and espn.com, for example, are labored and sometimes not working.

I'll work on RogueKiller, TDSSKiller and HitmanPro 3.



#10
October 14, 2012 at 21:19:08
Please include the logs from any scans that find anything in your next reply.

Then download and run SuperAntiSpyware to remove those PUPs that are still there; it will also remove any nasty tracking cookies at the same time.
http://www.superantispyware.com/

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#11
October 14, 2012 at 21:21:25
These are the results from RogueKiller. I'm prompted with Delete or Fix and various options.

RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Website: http://tigzy.geekstogo.com/roguekil...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Nate [Admin rights]
Mode : Scan -- Date : 10/15/2012 00:16:33

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-1632076137-237203472-3750479321-1002\$922e7cb7c242a0899196452b299ab716\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1632076137-237203472-3750479321-1002\$922e7cb7c242a0899196452b299ab716\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1632076137-237203472-3750479321-1002\$922e7cb7c242a0899196452b299ab716\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1632076137-237203472-3750479321-1002\$922e7cb7c242a0899196452b299ab716\L --> FOUND
[Susp.ASLR][FILE] services.exe : C:\windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS +++++
--- User ---
[MBR] b95ffb64a0fb50c2e3b9146ffad615f3
[BSP] 754b0e4b5f00b52f2f66e3fe4aeb35bd : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 227677 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 469356544 | Size: 9297 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt


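The MBAM logs in #3 and #5 show why the helper in #4 asked for a second run: every line ends in either "No action taken." or "Quarantined and deleted successfully.", and the rootkit files sit in paths that the RogueKiller report above also flags (the `Installer\{GUID}\U` store, the matching `$Recycle.Bin\<SID>\$<32 hex>` copy, and `assembly\GAC_32` / `GAC_64\Desktop.ini`). The script below is an added example for this thread, not code from Malwarebytes, RogueKiller, or anyone posting here: it parses an MBAM 1.x log, separates pending detections from quarantined ones, and tags paths that match those ZeroAccess storage patterns. The sample log is hand-built from the paths seen in the thread (the GAC_64 and $Recycle.Bin lines were reported by RogueKiller and HitmanPro, not by MBAM, and are included here only to exercise the matcher).

```python
"""Triage an MBAM 1.x scan log: which detections still await action, and which
paths look like ZeroAccess storage artifacts.  Example code for this thread;
not a Malwarebytes or RogueKiller tool."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the MBAM log format used in the thread.  The paths are
# the ones from the posted logs, but this set of lines is assembled by hand.
SAMPLE_MBAM_LOG = r"""
Registry Values Detected: 2
HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: -> No action taken.
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: C:\Program Files (x86)\WebEnhancements\WebEnhancements.xpi -> No action taken.

Folders Detected: 1
C:\Program Files (x86)\WebEnhancements (PUP.WebEnhancements) -> No action taken.

Files Detected: 5
C:\Program Files (x86)\WebEnhancements\im.exe (PUP.WebEnhancements) -> No action taken.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.
C:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0Access) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-1632076137-237203472-3750479321-1002\$922e7cb7c242a0899196452b299ab716\@ (Rootkit.0Access) -> No action taken.
"""

# One MBAM detection line:  <item> (<category>) [-> Data: <data>] -> <action>.
# The item is matched lazily so that "(x86)" inside a path is not taken as the
# category; the action cannot contain '>' so it never swallows a "-> Data:" part.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[A-Za-z0-9.]+)\)"
    r"(?: -> Data: ?(?P<data>.*?))?"
    r" -> (?P<action>[^>]+?)\.?$"
)

# Path shapes taken from the RogueKiller report in this thread.
ZEROACCESS_PATTERNS = {
    # C:\Windows\Installer\{GUID}\U, \L or \@
    "installer_guid_store": re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}\\(?:U|L|@)(?:\\|$)", re.I),
    # C:\$Recycle.Bin\<user SID>\$<32 hex chars>
    "recycle_bin_guid_store": re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}(?:\\|$)", re.I),
    # C:\Windows\assembly\GAC_32\Desktop.ini or GAC_64\Desktop.ini
    "gac_desktop_ini": re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I),
    # 8-hex-digit file name with an '@' extension (the payload files inside U)
    "at_suffix_payload": re.compile(r"\\[0-9a-f]{8}\.@$", re.I),
}


@dataclass
class Detection:
    item: str
    category: str
    action: str
    data: str | None = None
    indicators: list[str] = field(default_factory=list)

    @property
    def pending(self) -> bool:
        """True when MBAM reported the item but did not quarantine it."""
        return self.action.lower().startswith("no action taken")


def zeroaccess_indicators(path: str) -> list[str]:
    """Names of the ZeroAccess path patterns that match `path`, in table order."""
    return [name for name, rx in ZEROACCESS_PATTERNS.items() if rx.search(path)]


def parse_mbam_log(text: str) -> list[Detection]:
    """Extract every detection line; headers and blank lines are skipped."""
    found: list[Detection] = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        det = Detection(m["item"], m["category"], m["action"], m["data"])
        for path in (det.item, det.data or ""):
            for name in zeroaccess_indicators(path):
                if name not in det.indicators:
                    det.indicators.append(name)
        found.append(det)
    return found


def triage(text: str) -> dict:
    """Summarise a log: what is still pending, which pending items are PUPs
    (MBAM will not remove those unless they are ticked), and which items look
    like ZeroAccess by path shape or by MBAM's own 0Access naming."""
    dets = parse_mbam_log(text)
    is_za = lambda d: bool(d.indicators) or "0Access" in d.category
    return {
        "total": len(dets),
        "pending": [d.item for d in dets if d.pending],
        "pending_pups": [d.item for d in dets if d.pending and d.category.startswith("PUP.")],
        "zeroaccess": [d.item for d in dets if is_za(d)],
        "zeroaccess_pending": [d.item for d in dets if is_za(d) and d.pending],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MBAM_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real `mbam-log-*.txt` by passing the file contents to `triage()`; anything listed under `zeroaccess_pending` after a scan is exactly the situation in #5 and #7, where the PUP entries were left unticked while the rootkit files were quarantined, and is what the follow-up RogueKiller and TDSSKiller runs are meant to catch.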

#12
October 14, 2012 at 21:24:33
Let RogueKiller fix any registry items and delete any infections.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#13
October 14, 2012 at 21:32:56
Forgive my inexperience with this program.


Tabs: Process, Registry, Host,Proxy,DNS,Driver,Files,MBR,Shortcuts

Options(on right vertically): Scan, Delete, Fix Host, Fix Proxy, Fix DNS, Fix Shortcuts


The Registry tab is open with the checked items listed in the report. Should I leave all selected and go down the right vertical clicking?



#14
October 14, 2012 at 21:53:50
Excuse me MrGoodguy.

•Please quit all programs
•Right-click the RogueKiller file and select "Run as Administrator"
•Press: SCAN
•On the RogueKiller console, click the Registry tab.
•Make sure the entries there are checked.
•Then, press the [Delete] button.
An RKreport (Mode: Delete) is created on the Desktop.
Please provide the RKreport (Mode: Delete) in your reply.
Restart the computer.



#15
October 14, 2012 at 21:56:44
Thanks Johnw, it's been a while since I had to use this program. Running Linux :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#16
October 14, 2012 at 22:56:25
When I run TDSSKiller it performs the scan but then closes.

It shows that there is one threat detected but I'm unable to advance to the portion of the program to deal with the threat and then restart my computer.



#17
October 14, 2012 at 23:13:38
Results from the HitmanPro 3 scan:

HitmanPro 3.6.2.171
www.hitmanpro.com

Computer name . . . . : NATE-PC
Windows . . . . . . . : 6.1.0.7600.X64/1
Safe Mode Boot . . . : NETWORK
User name . . . . . . : Nate-PC\Nate
UAC . . . . . . . . . : Disabled
License . . . . . . . : Free

Scan date . . . . . . : 2012-10-15 01:59:50
Scan mode . . . . . . : Normal
Scan duration . . . . : 8m 16s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 5
Traces . . . . . . . : 121

Objects scanned . . . : 2,081,409
Files scanned . . . . : 55,583
Remnants scanned . . : 1,103,678 files / 922,148 keys

Malware _____________________________________________________________________

C:\Users\Nate\Documents\My Box Files\Salesforce\accounts\Direct Sales Accounts\PG&E\PG&E JLL Schwab 211 Main\211 Main\As Builts\avwin\pfar_zip.dll
Size . . . . . . . : 12,288 bytes
Age . . . . . . . : 352.7 days (2011-10-28 10:20:39)
Entropy . . . . . : 4.9
SHA-256 . . . . . : 2CF643FCF1CF235D0FB07EB7893081A9CA22E56EB74ACBDF76D50DD67D8795BB
Product . . . . . : PAFS
Publisher . . . . : Cimmetry Systems, Inc.
Description . . . : PAFS Import Filter
Version . . . . . : 1.3.0
Copyright . . . . : (c) C.S.I. 1989-1997
> DrWeb . . . . . . : Trojan.DownLoader.origin
Fuzzy . . . . . . : 100.0

C:\windows\assembly\gac_32\Desktop.ini
Size . . . . . . . : 4,608 bytes
Age . . . . . . . : 4.6 days (2012-10-10 12:07:17)
Entropy . . . . . : 3.9
SHA-256 . . . . . : 5DED64AE56E33350D1FB80A8155EE7917BFDEC1A379C8742397EC6ECB0726BE0
> Ikarus . . . . . . : Backdoor.Win32.ZAccess!IK
Fuzzy . . . . . . : 112.0

C:\windows\assembly\gac_64\Desktop.ini
Size . . . . . . . : 6,144 bytes
Age . . . . . . . : 4.6 days (2012-10-10 12:07:17)
Entropy . . . . . : 3.4
SHA-256 . . . . . : D7B6D7016157EF1606125F1DD15DB95A3973CCEF7C1D05F961A5F867751B872E
> G Data . . . . . . : Trojan.Generic.7713809 (Engine A)
> DrWeb . . . . . . : BackDoor.Maxplus.90
> Ikarus . . . . . . : Trojan.Win64!IK
Fuzzy . . . . . . : 112.0

C:\Windows\System32\regilist64.dll
Size . . . . . . . : 59,392 bytes
Age . . . . . . . : 4.6 days (2012-10-10 12:08:04)
Entropy . . . . . : 6.8
SHA-256 . . . . . : D554F14D96ACD4CB2DE1C0B5939DE547F445B46FD60ABEEBD5DB58E19FF04ECE
Product . . . . . : Webroot SecureAnywhere
Publisher . . . . : Webroot Inc
Description . . . : Webroot
Version . . . . . : 7.3.7
Copyright . . . . : Webroot Inc 2011-2012
> G Data . . . . . . : Win32:Trojan-gen
Fuzzy . . . . . . : 111.0

C:\Windows\SysWOW64\regilist.dll
Size . . . . . . . : 56,320 bytes
Age . . . . . . . : 4.6 days (2012-10-10 12:08:02)
Entropy . . . . . : 6.8
SHA-256 . . . . . : 140DE47FEC2E5255DF3FA9F9A9DA686E8F7A4E16141C07990882CCA1BCD18A35
Product . . . . . : Webroot SecureAnywhere
Publisher . . . . : Webroot Inc
Description . . . : Webroot
Version . . . . . : 7.3.7
Copyright . . . . : Webroot Inc 2011-2012
> G Data . . . . . . : Win32:Downloader-QWM [Trj]
> DrWeb . . . . . . : Trojan.PWS.Banker1.5852
> Ikarus . . . . . . : Backdoor.Win32.Papras!IK
Fuzzy . . . . . . : 111.0


Cookies _____________________________________________________________________

C:\Users\Nate\AppData\Local\Temp\Cookies\0UOPM276.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\25SUZWUE.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\2PHYYWGB.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\2QB03V36.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\3NKPHLUU.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\3NZWUB2I.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\BG8MWFGP.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\CWULTFTU.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\DN6QN2NR.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\DS1A1P3I.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\IF6I3VVY.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\J46TY93Q.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\JXGE5MU2.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\KXHLRN6H.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\N3MT52GW.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\NIZZA1EH.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\O1B94ACG.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\P222KHBA.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\TJ9QVWHR.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\UWWUQCM0.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\VKDEVT7X.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\WBTU0246.txt
C:\Users\Nate\AppData\Local\Temp\Cookies\YQ9IBMK7.txt
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:7search.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:a1.interclick.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ad.propellerads.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ad.yieldmanager.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:adbrite.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.ad4game.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.adk2.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.adsbookie.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.bridgetrack.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.depositfiles.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.dothads.com
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\cookies.sqlite:ads.footar.com


[/code]



#18
October 14, 2012 at 23:14:16
You now have to outsmart the infection; here are some options.

1: Try Safe Mode or Safe Mode with Networking.

2: If TDSS doesn't run, use FixTDSS
http://www.symantec.com/content/en/...
Download FixTDSS and save it to your desktop.
Double-click on the FixTDSS.exe icon to run it.
Click the "I Accept" button, then the "Proceed" button to begin.
The tool will restart your computer automatically - click OK to allow it to do so.
The tool will begin its scan on reboot > click "Run" to begin.
It will report if an infected MBR is found > click the "Repair" button.

3: Rename TDSSKiller
http://forums.majorgeeks.com/showth...
http://www.bleepingcomputer.com/vir...



#19
October 14, 2012 at 23:15:13
That's OK. To get around this, try renaming TDSSKiller.exe to iexplore.exe and see if it will run then and finish the whole process.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#20
October 14, 2012 at 23:24:15
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/15/2012 at 02:22 AM

Application Version : 5.6.1010

Core Rules Database Version : 9402
Trace Rules Database Version: 7214

Scan type : Quick Scan
Total Scan Time : 00:06:56

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 397
Memory threats detected : 0
Registry items scanned : 60380
Registry threats detected : 0
File items scanned : 10873
File threats detected : 322

Adware.Tracking Cookie
.invitemedia.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ads.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ads.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ads.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ads.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ads.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ads.pointroll.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.ar.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.questionmarket.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.questionmarket.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.clicksor.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.clicksor.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.clicksor.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.clicksor.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.clicksor.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.myroitracking.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.accounts.google.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.accounts.google.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.accounts.google.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
accounts.google.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.at.atwola.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tacoda.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.kaspersky.122.2o7.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.pro-market.net [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
.tribalfusion.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]
ad.yieldmanager.com [ C:\USERS\NATE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UJCO97A4.DEFAULT\COOKIES.SQLITE ]


Report •

#21
October 14, 2012 at 23:36:38
OK, any luck with renaming TDSSKiller (post #19)?
If not, try the FixTDSS advice (post #18).

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#22
October 14, 2012 at 23:55:12
FixTDSS found nothing.

TDSSKiller still abruptly closes after the scan, even after renaming it.



#23
October 14, 2012 at 23:59:40
That's the infection blocking it.

1: Try Safe Mode or Safe Mode with Networking.



#24
October 15, 2012 at 00:02:22
That's OK, it's just the virus living up to its name :)

Try downloading ZeroAccess Removal Tool from this link:


Trojan.Zeroaccess Removal Tool
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.symantec.com/business/se...

This application will allow users to detect and remove any traces left by Trojan.Zeroaccess infections.
If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.

The Removal Tool does the following:
· Terminates the associated processes
· Deletes the associated files
· Removes hidden partition unconditionally if detection occurs. Windows XP / Vista / 7.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#25
October 15, 2012 at 00:03:49
In Safe Mode with Networking currently, and I was when I tried FixTDSS and TDSSKiller.


#26
October 15, 2012 at 00:15:47
ZeroAccess found nothing


#27
October 15, 2012 at 00:23:04
OK, since we are having trouble getting TDSSKiller to run, we will need to run the ESET Online Scanner from this link:
http://www.eset.com/us/online-scanner/

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#28
October 15, 2012 at 09:26:57
These are the 3 things ESET found and what it did.

C:\Program Files (x86)\PDFLite Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Windows\System32\regilist.dll Win32/PSW.Papras.CE trojan cleaned by deleting (after the next restart) - quarantined
Operating memory a variant of Win32/PSW.Papras.CE trojan



#29
October 15, 2012 at 13:11:06
GMER found no system modification


#30
October 15, 2012 at 14:21:57
TDSSkiller successful run log

============================================================
17:16:24.0249 2072 Scan finished
17:16:24.0249 2072 ============================================================
17:16:24.0263 2064 Detected object count: 1
17:16:24.0263 2064 Actual detected object count: 1
17:17:33.0714 2064 c:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll - copied to quarantine
17:17:33.0715 2064 HKLM\SYSTEM\ControlSet001\services\Akamai - will be deleted on reboot
17:17:33.0762 2064 HKLM\SYSTEM\ControlSet002\services\Akamai - will be deleted on reboot
17:17:33.0940 2064 c:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll - will be deleted on reboot
17:17:33.0941 2064 Akamai ( HiddenFile.Multi.Generic ) - User select action: Delete



#31
October 15, 2012 at 15:24:21
Great, now we're getting somewhere; we should do a few repairs now.
Download the Windows All In One Repair Tool from this link:
http://www.tweaking.com/content/pag...

1 - Now start the Repair Tool and click the Start Repairs tab (far right).
2 - Click the Start button (bottom right).
Note: At this stage it will ask to make a restore point; let it.
3 - Uncheck everything but the following.
4 - Check mark the following:
* Repair Host File
* Remove Temp Files
* Remove Policies Set By Infection
Note: Repair nothing else.
5 - Check mark the Restart System When Finished box.
6 - Now click the Start button (bottom right).
When finished, your PC will shut down and restart.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#32
October 15, 2012 at 16:22:31
Things are going well now, nwicks. MrGoodguy & I will try & steer you in the right direction.
Once you have finished his post #31:

Download & run Unhide
http://www.bleepingcomputer.com/vir...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Run Trojan.Zeroaccess Removal Tool again.

Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.



#33
October 16, 2012 at 12:21:59
All in one repair done.
Unhide done.

Results from AdwCleaner:
# AdwCleaner v2.005 - Logfile created 10/16/2012 at 15:08:14
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Nate - NATE-PC
# Boot Mode : Normal
# Running from : C:\Users\Nate\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Complitly
Folder Deleted : C:\Program Files (x86)\WebEnhancements
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Nate\AppData\Roaming\Complitly

***** [Registry] *****

Key Deleted : HKCU\Software\Ask&Record
Key Deleted : HKCU\Software\Complitly
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D27FC31C-6E3D-4305-8D53-ACDAEFA5F862}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27FC31C-6E3D-4305-8D53-ACDAEFA5F862}
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}
Key Deleted : HKLM\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO
Key Deleted : HKLM\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\defdhglnppeioeflggkmglipcecffkhk
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4FFBB818-B13C-11E0-931D-B2664824019B}_is1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D27FC31C-6E3D-4305-8D53-ACDAEFA5F862}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D27FC31C-6E3D-4305-8D53-ACDAEFA5F862}
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\prefs.js

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Nate\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2630 octets] - [16/10/2012 15:02:21]
AdwCleaner[S1].txt - [2615 octets] - [16/10/2012 15:08:14]

########## EOF - C:\AdwCleaner[S1].txt - [2675 octets] ##########



#34
October 16, 2012 at 12:40:56
ZeroAccess found nothing


#35
October 16, 2012 at 12:43:13
ListParts64 log

ListParts by Farbar Version: 15-10-2012
Ran by Nate (administrator) on 16-10-2012 at 15:41:44
Windows 7 (X64)
Running From: C:\Users\Nate\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 70%
Total physical RAM: 1915.98 MB
Available physical RAM: 559.61 MB
Total Pagefile: 3831.95 MB
Available Pagefile: 1853.19 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI105952W0C) (Fixed) (Total:222.34 GB) (Free:42.61 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          232 GB     0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Recovery          1500 MB  1024 KB
Partition 2    Primary            222 GB  1501 MB
Partition 3    Primary              9 GB   223 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2         System       NTFS   Partition   1500 MB  Healthy    Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    C    TI105952W0C  NTFS   Partition    222 GB  Healthy    Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******
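
As an added example (not code from this thread or from Farbar's ListParts tool), here is a small Python parser for ListParts-style partition output that flags the indicator visible in the log above: a hidden partition with no associated volume and a type byte outside a short allow-list. The allow-list (EXPECTED_TYPES) and the sample text are constructed assumptions for this example, modelled on the posted log.

```python
# Added example: parse ListParts-style output and flag hidden partitions that
# have no volume and an unexpected type byte (the pattern in Partition 3 above).
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the ListParts log posted above; not the
# tool's real output file.
SAMPLE_LISTPARTS = """\
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
* Volume 2 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
* Volume 1 C TI105952W0C NTFS Partition 222 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.
"""

# MBR type bytes an analyst would normally expect on a Windows 7 OEM laptop:
# 0x07 NTFS, 0x27 hidden Windows RE/recovery, 0x0B/0x0C FAT32, 0xEE GPT
# protective. This allow-list is an assumption for the example, not ListParts logic.
EXPECTED_TYPES = {0x07, 0x27, 0x0B, 0x0C, 0xEE}


@dataclass
class Partition:
    disk: int
    number: int
    type_byte: int
    type_note: str   # any annotation the tool printed after the type byte
    hidden: bool
    active: bool
    has_volume: bool


def parse_listparts(text: str) -> List[Partition]:
    """Split the log on its ==== separator lines and read one partition per block."""
    parts: List[Partition] = []
    for block in re.split(r"\n=+\n", text):
        disk = re.search(r"^Disk:\s*(\d+)", block, re.M)
        num = re.search(r"^Partition\s+(\d+)\s*$", block, re.M)
        typ = re.search(r"^Type\s*:\s*([0-9A-Fa-f]{2})\s*(.*)$", block, re.M)
        if not (disk and num and typ):
            continue  # not a per-partition block (header, memory info, etc.)
        hidden = re.search(r"^Hidden:\s*(\w+)", block, re.M)
        active = re.search(r"^Active:\s*(\w+)", block, re.M)
        parts.append(Partition(
            disk=int(disk.group(1)),
            number=int(num.group(1)),
            type_byte=int(typ.group(1), 16),
            type_note=typ.group(2).strip(),
            hidden=bool(hidden and hidden.group(1).lower() == "yes"),
            active=bool(active and active.group(1).lower() == "yes"),
            has_volume="no volume associated" not in block.lower(),
        ))
    return parts


def suspicious_partitions(parts: List[Partition]) -> List[str]:
    """Return one reason string per partition that matches the indicator."""
    findings = []
    for p in parts:
        reasons = []
        if p.hidden and not p.has_volume:
            reasons.append("hidden with no volume")
        if p.type_byte not in EXPECTED_TYPES:
            reasons.append(f"unexpected type 0x{p.type_byte:02X}")
        if "suspicious" in p.type_note.lower():
            reasons.append("flagged by tool")
        if reasons:
            findings.append(f"Disk {p.disk} Partition {p.number}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for line in suspicious_partitions(parse_listparts(SAMPLE_LISTPARTS)):
        print(line)
```

Run against a real ListParts text file, a hit means the partition deserves a look before any removal tool is pointed at it; the recovery partition (type 0x27 with a volume) correctly stays silent.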



#36
October 16, 2012 at 14:37:08
While we wait for johnw to get back, we will run a tool to fix your deleted service.exe file.

Download KillZA from the Foolish IT website. (Can't link the site due to censorship.)

Note: The download is hard to find, near the bottom of the list on the left.

1 - Scroll to the very bottom of the page; there is a tiny blue arrow pointing down. Click it.
2 - It will then download a .zip file. Extract the .zip file and run KillZA.
3 - From the desktop icon, start KillZA. The first thing it should do is repair service.exe, and then it stops.
4 - Please start it again. This time it will pick up any known ZeroAccess files still left on your PC.

It will then reboot your PC to continue cleaning. KillZA will then ask to rescan to make sure all is gone. Then reboot again.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#37
October 16, 2012 at 15:55:43
nwicks, be aware that as we attempt to dismantle ZeroAccess bit by bit, we will be repeating the running of previously run programs.
I shall wait for the KillZA result.


#38
October 16, 2012 at 17:53:57
KillZA completed.


#39
October 16, 2012 at 18:03:10
Note: Your system has been compromised. STOP using internet banking, credit cards, email, Facebook, etc. To be really safe, when the computer is clean, change passwords.

Run ComboFix please.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
When finished, clear away any of the files and folders that were created by ComboFix.
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.
Qoobox is a folder created by ComboFix to quarantine any infected files.
How to uninstall ComboFix
http://www.bleepingcomputer.com/com...



#40
October 16, 2012 at 18:28:35
Change your router password if it is not strong or still uses the default one.
Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...


#41
October 17, 2012 at 10:54:31
ComboFix 12-10-17.05 - Nate 10/17/2012 13:23:14.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1916.567 [GMT -4:00]
Running from: c:\users\Nate\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\0tbpw.pad
c:\users\Nate\g2mdlhlpx.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-17 to 2012-10-17 )))))))))))))))))))))))))))))))
.
.
2012-10-17 17:43 . 2012-10-17 17:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-17 00:37 . 2012-10-17 00:37 53248 ----a-w- c:\windows\SysWow64\zlib.dll
2012-10-17 00:37 . 2012-10-17 00:39 -------- d-----w- C:\Support
2012-10-16 17:44 . 2012-10-16 17:45 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-10-16 17:35 . 2012-10-16 17:35 -------- d-----w- C:\RegBackup
2012-10-16 17:34 . 2012-10-16 17:44 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-10-16 17:34 . 2012-10-16 17:34 -------- d-----w- c:\program files (x86)\Tweaking.com
2012-10-15 21:17 . 2012-10-15 21:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-15 07:23 . 2012-10-15 07:23 -------- d-----w- c:\program files (x86)\ESET
2012-10-15 07:08 . 2012-10-16 19:27 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-10-15 06:15 . 2012-10-15 06:15 -------- d-----w- c:\users\Nate\AppData\Roaming\SUPERAntiSpyware.com
2012-10-15 06:15 . 2012-10-15 06:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-10-15 06:15 . 2012-10-15 06:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-10-15 05:59 . 2012-10-15 05:59 -------- d-----w- c:\program files\HitmanPro
2012-10-15 05:59 . 2012-10-15 22:39 -------- d-----w- c:\programdata\HitmanPro
2012-10-15 03:05 . 2012-10-15 03:05 -------- d-----w- c:\users\Nate\AppData\Roaming\Malwarebytes
2012-10-15 03:05 . 2012-10-15 03:05 -------- d-----w- c:\programdata\Malwarebytes
2012-10-15 03:05 . 2012-10-15 03:05 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-15 03:05 . 2012-09-07 21:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-13 23:42 . 2012-10-13 23:42 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-13 23:42 . 2012-10-13 23:42 -------- d-----w- c:\program files (x86)\Trend Micro
2012-10-13 22:34 . 2012-10-13 22:34 -------- d-----w- c:\users\Nate\AppData\Local\Macromedia
2012-10-10 22:22 . 2012-10-10 22:55 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-10 22:22 . 2012-10-10 22:55 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-10 22:22 . 2012-10-10 22:22 -------- d-----w- c:\windows\system32\Macromed
2012-10-10 20:46 . 2012-10-10 20:46 110080 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\IconF7A21AF7.exe
2012-10-10 20:46 . 2012-10-10 20:46 110080 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\IconD7F16134.exe
2012-10-10 20:46 . 2012-10-10 20:46 110080 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\Icon1226A4C5.exe
2012-10-10 20:46 . 2012-10-10 21:13 -------- d-----w- C:\sh4ldr
2012-10-10 20:36 . 2012-10-10 20:36 -------- d-----w- c:\users\Nate\AppData\Local\ElevatedDiagnostics
2012-10-10 16:23 . 2012-10-10 16:23 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-10-10 16:08 . 2012-10-10 16:10 -------- d-----w- c:\programdata\8CD3297921AAD99100958CD29480B322
2012-09-23 23:03 . 2012-09-23 23:03 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 16:14 . 2011-02-23 03:25 62134624 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\users\Nate\AppData\Roaming\Spotify\spotify.exe" [2012-08-22 5576408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-10 1353080]
"Spotify Web Helper"="c:\users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-22 1193176]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-08 5628288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"ISTray"="c:\program files (x86)\PC Tools Security\pctsGui.exe" [2010-12-01 1589208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"SignIn"="c:\program files (x86)\Microsoft Online Services\Sign In\SignIn.exe" [2011-03-16 1742704]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2012-07-30 5164632]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-10 250808]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-06-22 35840]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-10 114144]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-01-07 45408]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-01 232992]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-02 1255736]
R4 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi64.sys [2010-11-17 331368]
R4 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg64.sys [2010-11-25 92896]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2010-11-25 257232]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys [2010-06-29 452872]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys [2010-07-16 816016]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-10-15 108392]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-07 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-07 676936]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-04-20 169584]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-07 25928]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-10 22:55]
.
2012-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:43]
.
2012-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:43]
.
2012-10-15 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task d6a7a672-7b20-4812-9c6c-c9e5d584fc28.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-10-15 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task df4ae91c-4365-4b29-9170-eb890d34aa0e.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-18 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-18 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-18 410648]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-22 521272]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 2328944]
"HP Color LaserJet CM2320 MFP Series Fax"="c:\program files (x86)\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe" [2009-09-23 3700736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND/
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\
FF - ExtSQL: 2012-10-15 17:46; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-10-15 18:01; {64312dc5-3fc3-40d1-b183-0e4060fc52ac}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{64312dc5-3fc3-40d1-b183-0e4060fc52ac}
FF - ExtSQL: 2012-10-15 18:07; adblockpopups@jessehakanen.net; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2012-10-15 18:07; bettergmail2@ginatrapani.org; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\bettergmail2@ginatrapani.org.xpi
FF - ExtSQL: 2012-10-15 18:07; john@velvetcache.org; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\john@velvetcache.org.xpi
FF - ExtSQL: 2012-10-15 18:07; {0545b830-f0aa-4d7e-8820-50a4629a56fe}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}.xpi
FF - ExtSQL: 2012-10-15 18:07; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2012-10-15 18:07; {398e77b8-2304-11dc-8314-0800200c9a66}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{398e77b8-2304-11dc-8314-0800200c9a66}.xpi
FF - ExtSQL: 2012-10-15 18:07; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-10-15 18:07; {8e9008b4-ec7c-4c2a-828e-007d5d2dad22}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{8e9008b4-ec7c-4c2a-828e-007d5d2dad22}.xpi
FF - ExtSQL: 2012-10-15 18:07; {987311C6-B504-4aa2-90BF-60CC49808D42}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
FF - ExtSQL: 2012-10-15 18:07; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2012-10-15 18:07; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2012-10-15 18:07; {EF522540-89F5-46b9-B6FE-1829E2B572C6}; c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-40464496.sys
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-WebEnhancements - c:\program files (x86)\WebEnhancements\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-17 13:49:12
ComboFix-quarantined-files.txt 2012-10-17 17:49
.
Pre-Run: 45,458,030,592 bytes free
Post-Run: 44,915,912,704 bytes free
.
- - End Of File - - 0AD07C52EA4B73598B2070CF18A58F86

#42
October 17, 2012 at 12:58:10
OK, now we need to re-run a few programs to double-check your PC.

* Then re-run RogueKiller again.

* Then update and run a full scan of Malwarebytes, this time go to "Settings" tab and "Scanner Settings", in the "Action for Potentially Unwanted Programs" box select:

"Show In Results List and Check for Removal."

That way any PUPs will be dealt with automatically.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?


#43
October 17, 2012 at 13:01:19
Remove the previous TDSSKiller, download the new version & run.

Run TFC
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

After running the above, run HijackThis (HJT) & post the log please.


#44
October 17, 2012 at 13:14:00
TDSSkiller found nothing

16:11:40.0646 3516 Scan finished
16:11:40.0646 3516 ============================================================
16:11:40.0661 5100 Detected object count: 0
16:11:40.0661 5100 Actual detected object count: 0


#45
October 17, 2012 at 13:54:53

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:53:46 PM, on 10/17/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\Nate\AppData\Roaming\Spotify\spotify.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\PC Tools Security\pctsGui.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Users\Nate\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SignIn] "C:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKCU\..\Run: [Spotify] "C:\Users\Nate\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8523 bytes


#46
October 17, 2012 at 14:00:48
How long can you stay online for, nwicks?

#47
October 17, 2012 at 14:11:04
Download new version AdwCleaner & run again.

Run HJT again.


#48
October 17, 2012 at 14:38:42
Do you want Spotify running?
http://community.spotify.com/t5/Des...

#49
October 17, 2012 at 14:39:48
Removal is recommended. :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?


#50
October 17, 2012 at 14:49:44
# AdwCleaner v2.005 - Logfile created 10/17/2012 at 17:21:56
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Nate - NATE-PC
# Boot Mode : Normal
# Running from : C:\Users\Nate\Desktop\adwcleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\ujco97a4.default\prefs.js

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Nate\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2630 octets] - [16/10/2012 15:02:21]
AdwCleaner[S1].txt - [2734 octets] - [16/10/2012 15:08:14]
AdwCleaner[R2].txt - [1055 octets] - [17/10/2012 17:21:17]
AdwCleaner[S2].txt - [988 octets] - [17/10/2012 17:21:56]

########## EOF - C:\AdwCleaner[S2].txt - [1047 octets] ##########


#51
October 17, 2012 at 14:51:51
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:51:16 PM, on 10/17/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\PC Tools Security\pctsGui.exe
C:\Users\Nate\AppData\Roaming\Spotify\spotify.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Nate\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SignIn] "C:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKCU\..\Run: [Spotify] "C:\Users\Nate\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\PC Tools Security\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8258 bytes


#52
October 17, 2012 at 14:57:17
I changed the preferences on Spotify to not open automatically. I don't need it running but I'd like to not remove it if necessary, but I guess I could just reinstall it after.

#53
October 17, 2012 at 15:01:31
Just to recap, we are waiting on post #42 new MBAM & RogueKiller logs.
Post #43, did you run TFC?

I shall now be offline for a few hours.

Check these in HJT & down the bottom, click on > Fix checked. Reboot & a new HJT log please. Some of these may not be in the latest HJT log.

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

After clean up using HJT, Run ListParts again please.

Update ESET & run again.



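Before fixing the O23 entries listed in #53, the check a responder would want, added here as an example and not part of any post in this thread: HijackThis 2.0.4 is a 32-bit program, and on 64-bit Windows the WOW64 layer redirects its reads of C:\Windows\System32 to C:\Windows\SysWOW64 and expands %PROGRAMFILES% to "Program Files (x86)". A service whose binary exists only in the native folders (lsass.exe, spoolsv.exe, vssvc.exe, wmpnetwk.exe) is therefore shown as "(file missing)" although it is present, and fixing such an entry removes the service registration. The script re-tests each flagged path through the Sysnative alias and the native Program Files folder before trusting the flag. The log lines are copied from the thread; the file set standing in for the disk is constructed, and its omission of TODDSrv.exe is an assumption made only to show the genuinely-missing outcome.

```python
"""Re-check HijackThis 'O23 ... (file missing)' entries before fixing them.

HijackThis 2.0.4 is 32-bit. Under WOW64 its reads of C:\\Windows\\System32 go
to C:\\Windows\\SysWOW64 and %PROGRAMFILES% expands to 'Program Files (x86)',
so a binary that exists only in the native System32 / Program Files is
reported as missing. The SAMPLE_LOG lines are from the thread; SAMPLE_FILES
is a constructed stand-in for the native file system (TODDSrv.exe absent by
assumption, to show the third outcome).
"""
import os
import re

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<flag> \(file missing\))?$")

SAMPLE_LOG = r"""
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"""

# Constructed view of the native (non-redirected) file system, lower-cased.
SAMPLE_FILES = {
    r"c:\windows\sysnative\lsass.exe",
    r"c:\windows\sysnative\spoolsv.exe",
    r"c:\program files\windows media player\wmpnetwk.exe",
    r"c:\program files (x86)\common files\steam\steamservice.exe",
}


def sample_exists(path):
    """Stand-in for os.path.exists; Windows paths compare case-insensitively."""
    return path.lower() in SAMPLE_FILES


def native_candidates(path):
    """Paths a 32-bit process must test to see the native copy of a System32 / Program Files file."""
    cands = [path]
    # Sysnative is a virtual directory visible only to 32-bit processes on 64-bit
    # Windows; it bypasses the System32 -> SysWOW64 redirection.
    alt = re.sub(r"^([A-Za-z]:\\windows)\\system32\\", r"\1\\Sysnative\\", path, flags=re.I)
    if alt != path:
        cands.append(alt)
    # %PROGRAMFILES% in a 32-bit process is the (x86) folder; try the native one too.
    alt = re.sub(r"^([A-Za-z]:)\\Program Files \(x86\)\\", r"\1\\Program Files\\", path, flags=re.I)
    if alt != path:
        cands.append(alt)
    return cands


def triage_o23(line, exists=os.path.exists):
    """Classify one O23 line: 'present', 'missing' or 'false positive (WOW64 redirection)'."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if not m.group("flag"):
        verdict, found = "present", path
    else:
        found = next((c for c in native_candidates(path) if exists(c)), None)
        if found is None:
            verdict = "missing"
        elif found == path:
            verdict = "present"
        else:
            verdict = "false positive (WOW64 redirection)"
    return {"name": m.group("name"), "path": path, "resolved": found, "verdict": verdict}


def triage_log(text, exists=os.path.exists):
    """Run triage_o23 over every O23 line of a HijackThis log, in log order."""
    results = [triage_o23(ln, exists) for ln in text.splitlines()]
    return [r for r in results if r]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, sample_exists):
        print("%-36s %s" % (r["verdict"], r["name"]))
```

On the machine itself, call triage_log(log_text) with the default os.path.exists from a 32-bit Python, which sees the Sysnative alias; a 64-bit Python is not redirected, so the unmodified System32 path resolves directly. Only an entry that still comes back "missing" is a candidate for Fix checked.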
#54
October 17, 2012 at 15:17:22
nwicks, you can copy and paste your HJT log into:
http://hijackthis.de
There you will see what you can delete... looks like you have quite a few red X's in there... good luck... it's also real easy to google the questionable results to see if they should be removed.

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#55
October 17, 2012 at 15:29:24
Didn't see #42 initially.

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Website: http://tigzy.geekstogo.com/roguekil...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Nate [Admin rights]
Mode : Remove -- Date : 10/17/2012 18:27:39

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] HijackThis.exe -- C:\Users\Nate\Desktop\HijackThis.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS +++++
--- User ---
[MBR] b95ffb64a0fb50c2e3b9146ffad615f3
[BSP] 754b0e4b5f00b52f2f66e3fe4aeb35bd : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 227677 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 469356544 | Size: 9297 Mo
User = LL1 ... OK!
User = LL2 ... OK!



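As an added example (not from the thread), a check for the two file-system markers RogueKiller removed in the log above: the U folder under a GUID-named directory in C:\windows\Installer, and a Desktop.ini in assembly\GAC_32 or GAC_64. GUID-named folders under Installer are normal (Windows caches MSI resources there), so the script flags only the U subfolder; the GAC folders ordinarily contain no Desktop.ini at all. Re-running it after a reboot shows whether anything recreated them, which is the concern raised later in the thread. The directory tree it scans is constructed for the demonstration; the clean GUID in it is hypothetical, the other is the one from the log.

```python
"""Look for the two ZeroAccess file-system markers named in the RogueKiller log.

Constructed demonstration: build_sample_tree() creates a throwaway Windows
directory with one clean MSI cache folder (hypothetical GUID), the GUID
folder from the log with its 'U' subfolder, and a Desktop.ini in GAC_32.
"""
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
LOG_GUID = "{922e7cb7-c242-a089-9196-452b299ab716}"      # from the RogueKiller log
CLEAN_GUID = "{1a2b3c4d-1111-2222-3333-444455556666}"    # hypothetical, a normal MSI cache folder


def _child(parent, name):
    """Case-insensitive child lookup, so the check behaves like Windows on any file system."""
    if parent is None or not parent.is_dir():
        return None
    for c in parent.iterdir():
        if c.name.lower() == name.lower():
            return c
    return None


def zeroaccess_indicators(windows_root):
    """Return marker paths found under a Windows directory, relative to it, as POSIX strings."""
    root = Path(windows_root)
    hits = []
    installer = _child(root, "Installer")
    if installer is not None:
        for d in installer.iterdir():
            # a GUID-named folder alone is normal; the 'U' subfolder is the marker
            if d.is_dir() and GUID_DIR.match(d.name):
                u = _child(d, "U")
                if u is not None and u.is_dir():
                    hits.append(u)
    assembly = _child(root, "assembly")
    for gac in ("GAC_32", "GAC_64"):
        # the GAC folders do not normally carry a Desktop.ini at all
        ini = _child(_child(assembly, gac), "Desktop.ini")
        if ini is not None and ini.is_file():
            hits.append(ini)
    return sorted(p.relative_to(root).as_posix() for p in hits)


def build_sample_tree(base):
    """Constructed tree: clean MSI cache folder, infected folder with U, and a GAC_32 Desktop.ini."""
    root = Path(base) / "Windows"
    (root / "Installer" / CLEAN_GUID).mkdir(parents=True)
    (root / "Installer" / LOG_GUID / "U").mkdir(parents=True)
    (root / "assembly" / "GAC_32").mkdir(parents=True)
    (root / "assembly" / "GAC_64").mkdir(parents=True)
    # placeholder bytes; RogueKiller classified the real file as a ZeroAccess component
    (root / "assembly" / "GAC_32" / "Desktop.ini").write_bytes(b"placeholder\r\n")
    return root


def run_sample():
    """Build the constructed tree in a temp directory and return what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        return zeroaccess_indicators(build_sample_tree(tmp))


if __name__ == "__main__":
    # On the real machine: zeroaccess_indicators(r"C:\Windows")
    for hit in run_sample():
        print(hit)
```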
#56
October 17, 2012 at 16:11:29
nwicks please do as Johnw and I ask, you are doing fine, no need to go to the HJT checking website. A lot of entries won't be on their list.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#57
October 17, 2012 at 16:14:58
nwicks do you have any info on the 3rd hidden partition? If not we will now look at removing it.


#58
October 17, 2012 at 16:40:24
I have not done any partitioning so no info on that.


#59
October 17, 2012 at 16:55:00
Ok, have a look at the following;
How to use Gparted to see & remove an infected partition.
http://forums.majorgeeks.com/showth...


#60
October 17, 2012 at 17:07:43
Note:
When you get to the MBRCheck at the bottom, place your logs in this thread please.


#61
October 17, 2012 at 18:06:46
nwicks
"I have not done any partitioning so no info on that"

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
Or.
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 469356544 | Size: 9297 Mo

World's stealthiest rootkit gets a makeover
http://www.theregister.co.uk/2011/1...
"This is what we are up against, malware has installed an infected hidden partition within your Master Boot Record and set that partition as active so every time you boot up your system it boots from the infected partition and the malware is activated."



#62
October 17, 2012 at 19:10:24
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Website: http://tigzy.geekstogo.com/roguekil...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Nate [Admin rights]
Mode : Remove -- Date : 10/17/2012 18:27:39

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] HijackThis.exe -- C:\Users\Nate\Desktop\HijackThis.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{922e7cb7-c242-a089-9196-452b299ab716}\U --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS +++++
--- User ---
[MBR] b95ffb64a0fb50c2e3b9146ffad615f3
[BSP] 754b0e4b5f00b52f2f66e3fe4aeb35bd : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 227677 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 469356544 | Size: 9297 Mo
User = LL1 ... OK!
User = LL2 ... OK!



#63
October 17, 2012 at 19:16:46
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Nate :: NATE-PC [administrator]

10/17/2012 6:34:31 PM
mbam-log-2012-10-17 (18-34-31).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 396773
Time elapsed: 1 hour(s), 41 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEBENHANCEMENTS (PUP.WebEnhancements) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469} (PUP.WebEnhancements) -> Data: C:\Program Files (x86)\WebEnhancements\WebEnhancements.xpi -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements|URLInfoAbout (PUP.WebEnhancements) -> Data: http://www.webenhancements.me -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#64
October 17, 2012 at 19:18:55
This has gotten a bit jumbled with me missing #42 and all the additions.

previously you had listed to do

TDSSKiller
TFC
HijackThis
AdwCleaner
HijackThis

Or am I dealing with the problem of this hidden partition?



#65
October 17, 2012 at 19:55:30
nwicks, what we are doing is prepping your comp, prior to removing the infected partition.

Here is what to do next.

1: Run TFC

2: Update ESET & run again.

3: Run ListParts again please.

Then we will decide what to do next.



#66
October 18, 2012 at 18:00:13
TFC
ESET and
ListParts done.

ListParts by Farbar Version: 16-10-2012
Ran by Nate (administrator) on 18-10-2012 at 20:58:38
Windows 7 (X64)
Running From: C:\Users\Nate\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 78%
Total physical RAM: 1915.98 MB
Available physical RAM: 415.17 MB
Total Pagefile: 3831.95 MB
Available Pagefile: 1127.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI105952W0C) (Fixed) (Total:222.34 GB) (Free:48.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 222 GB 1501 MB
Partition 3 Primary 9 GB 223 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105952W0C NTFS Partition 222 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******



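The partition table that #61 and #66 discuss, parsed from a raw MBR, as an added example that is not part of the thread. It reconstructs the table from the figures the tools printed (type 0x27 active at sector 2048, 1500 Mo; type 0x07 at 3074048, 227677 Mo; type 0x17 at 469356544, 9297 Mo; 1 Mo in RogueKiller's output is 2048 sectors, and the three entries are exactly contiguous) and applies the checks behind the "HIDDEN!" and "Suspicious Type" flags: DOS partition types with bit 0x10 set are the hidden variants (0x17 is 0x07, NTFS, with the hidden bit), and Windows exposes no volume for them, which is why ListParts shows none for partition 3; 0x27 is the Windows RE recovery type, also hidden. It also prints which entry carries the active flag, since the article quoted in #61 describes the malicious partition as active, and in this table the active entry is partition 0 (0x27), not the 0x17 one. The boot code, CHS fields and the disk's total sector count are assumptions, not values from the logs.

```python
"""Parse an MBR partition table and reproduce the checks behind the RogueKiller
'MBR Check' and ListParts 'Suspicious Type' output.

Constructed input: PAGE_TABLE replays the table printed for PhysicalDrive0
(ST9250315AS) in this thread. Boot code, CHS fields and DISK_SECTORS are
assumptions, not values from the logs.
"""
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 446              # the four 16-byte entries start at byte 446 of sector 0
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510-511
HIDDEN_BIT = 0x10               # DOS convention: FAT/NTFS type | 0x10 = hidden variant
WINRE_TYPE = 0x27               # Windows RE / OEM recovery; also hidden from the OS
TYPE_NAMES = {0x07: "NTFS", 0x17: "NTFS (hidden)", 0x27: "Windows RE recovery (hidden)"}

# (active, type, LBA start, sector count); 1 Mo in the RogueKiller log = 2048 sectors
PAGE_TABLE = [
    (True,  0x27, 2048,      1500 * 2048),     # 0 - [ACTIVE] ACER (0x27)
    (False, 0x07, 3074048,   227677 * 2048),   # 1 - NTFS (0x07), drive C:
    (False, 0x17, 469356544, 9297 * 2048),     # 2 - NTFS (0x17) [HIDDEN!]
]
DISK_SECTORS = 488397168        # assumed LBA count of a 250 GB ST9250315AS


def build_mbr(entries):
    """Assemble a 512-byte MBR from (active, type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (active, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\xfe\xff\xff",   # CHS fields: LBA-only marker
                         ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode the non-empty partition entries of sector 0."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:               # unused slot
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "type 0x%02x" % ptype),
            "hidden": bool(ptype & HIDDEN_BIT) or ptype == WINRE_TYPE,
            "start": start,
            "end": start + count,       # exclusive
            "size_mib": count // 2048,
        })
    return parts


def audit(parts, disk_sectors):
    """Findings to read next to the table: active flag, hidden types, unallocated space."""
    findings = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["hidden"]:
            findings.append("partition %d type 0x%02x is hidden (%s), active=%s"
                            % (p["index"], p["type"], p["name"], p["active"]))
        if p["end"] > disk_sectors:
            findings.append("partition %d runs past the end of the disk" % p["index"])
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        gap = b["start"] - a["end"]
        if gap >= 2048:                 # ignore alignment slack below 1 MiB
            findings.append("%d unallocated sectors between partitions %d and %d"
                            % (gap, a["index"], b["index"]))
    if ordered:
        tail = disk_sectors - ordered[-1]["end"]
        if tail >= 2048:                # bootkits keep their own file system in such space
            findings.append("%d unallocated sectors after the last partition" % tail)
    return findings


if __name__ == "__main__":
    parts = parse_mbr(build_mbr(PAGE_TABLE))
    for p in parts:
        print("%d - [%s] %s (0x%02x) [%s] Offset (sectors): %d | Size: %d MiB"
              % (p["index"], "ACTIVE" if p["active"] else "XXXXXX", p["name"], p["type"],
                 "HIDDEN!" if p["hidden"] else "VISIBLE", p["start"], p["size_mib"]))
    for f in audit(parts, DISK_SECTORS):
        print("*", f)
```

On a live disk, parse_mbr() takes the first 512 bytes read from the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda on a GParted live CD); the table above is reconstructed, so the audit reports only the two hidden types and no gaps, whereas a table with an active hidden entry or unallocated space behind the last partition would add findings for those.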
#67
October 18, 2012 at 18:14:48
Did ESET find anything? If not continue with Post #59 and #60.
We need to remove the hidden partition now, as it will most likely re-infect your pc every time it starts.


#68
October 19, 2012 at 15:04:51
More GParted how-tos:
http://thisisudax.blogspot.co.uk/20...


#69
October 19, 2012 at 15:47:32
Thanks for researching that MrGoodguy.
