Hijacker removal needed. Firefox and chrome affected.

March 4, 2015 at 18:19:03
Specs: Windows 7
remove hijacker
I think a hijacker is affecting Firefox and Chrome, not explorer though. Tried Tweaks.com but they don't seem to be helping with this type of thing anymore. Here are the reports they had me generate using dds. Thank you.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16540 BrowserJavaVersion: 10.25.2
Run by Jony at 20:00:06 on 2015-03-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8190.5893 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
C:\Windows\SysWOW64\XSrvSetup.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Gigabyte\ET6\GUI.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jony\AppData\Local\Akamai\netsession_win.exe
C:\Users\Jony\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
F:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_16_0_0_305_ActiveX.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://search.entru.com/?s=21983
uProxyOverride = <local>;*.local
mWinlogon: Userinit = userinit.exe
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Gbridge] "F:\Program Files (x86)\Gbridge LLC\Gbridge\pstartw.exe" "F:\Program Files (x86)\Gbridge LLC\Gbridge\Gbridge.exe" -autostart
uRun: [Google Update] "C:\Users\Jony\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "C:\Users\Jony\AppData\Local\Akamai\netsession_win.exe"
uRun: [TornTv Downloader] C:\Users\Jony\AppData\Roaming\TornTV.com\Torntv Downloader.exe /c=startup
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
uRun: [Infigo] C:\Program Files (x86)\Infigo\Infigo.exe onrun
uRun: [GoogleChromeAutoLaunch_52A3D4959491EE3E722A5A7E39050053] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [PCKeeper2] "C:\Program Files\Kromtech\PCKeeper\PCKeeper.exe" /autorun
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "F:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "F:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRunOnce: [EasyTuneVI] C:\Program Files (x86)\Gigabyte\ET6\ETCall.exe
StartupFolder: C:\Users\Jony\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TORNTV~1.LNK - C:\Users\Jony\AppData\Roaming\TornTV.com\TornTV Downloader.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{2470A399-DB22-4C04-9816-819237FE6E99} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{8EE72B80-46A9-47C7-B4D3-D0B79CCEB14F} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{8EE72B80-46A9-47C7-B4D3-D0B79CCEB14F}\16138656164796E676 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{8EE72B80-46A9-47C7-B4D3-D0B79CCEB14F}\66C6163786A7F6E656 : DHCPNameServer = 192.168.1.110
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.76\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jony\AppData\Roaming\Mozilla\Firefox\Profiles\cma7glkd.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Jony\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll
FF - plugin: C:\Users\Jony\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: F:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: f:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-1-25 268512]
R1 {fe651286-52a1-461b-a17a-f258b4b81968}w64;{fe651286-52a1-461b-a17a-f258b4b81968}w64;C:\Windows\System32\drivers\{fe651286-52a1-461b-a17a-f258b4b81968}w64.sys [2014-8-18 61120]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2011-2-28 21544]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2015-2-9 121936]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-11-10 203776]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2015-2-9 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2015-2-9 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2015-2-9 40384]
R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2011-2-28 68136]
R2 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2011-2-28 72304]
R3 AODDriver;AODDriver;C:\Program Files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [2010-3-12 52280]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2015-2-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2015-2-9 40384]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\System32\drivers\MAudioDelta.sys [2011-2-18 337416]
R3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2011-2-28 30528]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2009-11-20 75776]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2009-11-20 177152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 andnetadb;ADB Interface DriverNet;C:\Windows\System32\drivers\lgandnetadb.sys [2013-9-14 31744]
S3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;C:\Windows\System32\drivers\lgandnetndis64.sys [2013-9-14 93696]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2011-2-28 25640]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-5-26 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]
S3 gbridge;Gbridge Virtual Miniport;C:\Windows\System32\drivers\gbridge64.sys [2009-10-13 48192]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 133928]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-3-11 347872]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-2-28 347680]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8192cu.sys [2010-8-12 748648]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-5-22 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2014-8-15 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-2-28 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2015-03-05 00:56:17 11910896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{398DA576-101A-4156-9508-37DF73EAE8A9}\mpengine.dll
2015-03-04 05:09:05 11910896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-02-23 05:40:08 1188440 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{661D0E78-FB9D-4296-B63E-4605876FB2E9}\gapaengine.dll
2015-02-09 21:31:53 61008 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2015-02-09 21:31:48 38848 ----a-w- C:\Windows\avastSS.scr
2015-02-09 21:31:45 -------- d-----w- C:\ProgramData\Alwil Software
.
==================== Find3M ====================
.
2015-03-03 13:17:35 295552 ------w- C:\Windows\System32\MpSigStub.exe
2015-03-01 04:56:32 30528 ----a-w- C:\Windows\GVTDrv64.sys
2015-03-01 04:56:17 25640 ----a-w- C:\Windows\gdrv.sys
2015-02-06 02:19:23 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-06 02:19:23 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 20:00:17.62 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/28/2011 1:18:15 PM
System Uptime: 2/28/2015 11:58:57 PM (93 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-870A-UD3
Processor: AMD Athlon(tm) II X4 640 Processor | Socket M2 | 3000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 56 GiB total, 13.252 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 244 GiB total, 1 GiB free.
F: is FIXED (NTFS) - 244 GiB total, 65.438 GiB free.
G: is CDROM ()
J: is FIXED (NTFS) - 244 GiB total, 12.027 GiB free.
Z: is FIXED (NTFS) - 98 GiB total, 69.019 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Realtek PCIe GBE Family Controller
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_03\4&3694E160&0&00A9
Manufacturer: Realtek
Name: Realtek PCIe GBE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_03\4&3694E160&0&00A9
Service: RTL8167
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP860: 3/1/2015 1:52:32 AM - Windows Update
RP861: 3/4/2015 7:56:10 PM - Windows Update
.
==== Installed Programs ======================
.
@BIOS
µTorrent
123CopyDVDGold
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe AIR
Adobe Audition 3.0
Adobe Audition 3.0 Vista Compatibility
Adobe Flash Player 16 ActiveX
Adobe Flash Player 16 NPAPI
Adobe Reader X (10.1.12)
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
Akamai NetSession Interface
AMD DnD V1.0.19
ATI AVIVO64 Codecs
ATI Catalyst Install Manager
ATI Problem Report Wizard
Audacity 1.2.6
AutoGreen B10.0517.1
Black & White® 2
Black & White® 2 Battle of the Gods
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
ChordWizard Songtrix Gold 3.0
Comfort Conditioning Calculator version 1.0
D3DX10
Doomsday Engine 1.13.1
Dropbox
Easy Tune 6 B10.0516.1
EasySaver B9.1214.1
EQ2MAP Updater 1.2.10
EverQuest II
EverQuest II Extended
Fallout 3
FormatFactory 2.95
Free Fire Screensaver
Free Sound Recorder 2010 v9.2.1
Gigabyte Raid Configurer
Google Chrome
Google Update Helper
Grand Theft Auto IV
HydraVision
Java 7 Update 25
Java Auto Updater
JavaFX 2.1.1
Junk Mail filter update
LG United Mobile Driver
M-Audio Delta Driver 6.0.5 (x64)
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 34.0.5 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NEC Electronics USB 3.0 Host Controller Driver
Nethack (a FREE GNU licensed Rouglelike Role Playing Game) vers
Octoshape add-in for Adobe Flash Player
ON_OFF Charge B10.0427.1
OpenOffice.org 3.3
Origin
PowerISO
Realtek Ethernet Controller Driver For Windows 7
Realtek HDMI Audio Driver for ATI
Realtek High Definition Audio Driver
Reason 5.0
Revo Uninstaller 1.91
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
SimCardExplorer 1.1.2
SimCity 4
SimCity™
Spelunky HD 1.0
Steam
Synthesia
The Elder Scrolls V: Skyrim
TheMatrix Screen Saver version 1.14
Unity Web Player
Visual Studio 2008 x64 Redistributables
VLC media player 2.1.2
Vyzex MPD26
WinDirStat 1.1.2
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.20 (64-bit)
.
==== Event Viewer Messages From Past Week ========
.
3/4/2015 10:00:01 AM, Error: Service Control Manager [7023] - The SDRSVC service terminated with the following error: SDRSVC is not a valid Win32 application.
2/28/2015 11:56:19 PM, Error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050800d Error description: Some history items could not be displayed. Please wait a few minutes and try again. If that doesn't work, clear the history and then try again. Signature version: 1.193.1289.0;1.193.1289.0 Engine version: 1.1.11400.0
2/28/2015 11:56:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
.
==== End Of File ===========================


See More: Hijacker removal needed. Firefox and chrome affected.

Report •

#1
March 4, 2015 at 18:37:49
We have a helper on here (Johnw) from Australia who specialises on virus/malware cleaning. He will be earning some well deserved shut-eye right now but in On the off-chance that he doesn't spot this post I will alert him to it. If he is available I'm sure he will help. in a few hours time.

In the meantime see how many of these will run (all of them if possible):

MalwareBytes:
http://filehippo.com/download_malwa...
(green Download button top right - not anything else on the page)
Run the program but before doing the scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits".

ADWCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the Scan. You then have options to remove whatever it shows under each heading in the table that appears below, although it is usually safe to run "Cleaning".

JRT
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. It might appear to stop at times but just wait and it will complete.

Please copy/paste all the logs on here.

EDIT:
There are various ways to get them running if the virus prevents it. For now there is no harm trying them in Safe Mode, but only if necessary.

Always pop back and let us know the outcome - thanks

message edited by Derek


Report •

#2
March 4, 2015 at 19:18:59
ran them all. found and fixed many issues but not the one i wanted. lol. thanks for the help.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/4/2015
Scan Time: 9:50:27 PM
Logfile: mal log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.04.07
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jony

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388015
Time Elapsed: 7 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 12
PUP.Optional.SearchProtect.A, HKU\S-1-5-21-1140784956-2213488824-2058186038-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, Quarantined, [7b2e74ae57330333e10f2dea986b12ee],
PUP.Optional.Sanbreel.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{fe651286-52a1-461b-a17a-f258b4b81968}w64, Quarantined, [2d7c988a6f1b9f97d4d89b895da820e0],
PUP.Optional.SearchProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}, Quarantined, [c9e0fc262862989ef6e0998f0bfae719],
PUP.Optional.SearchProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{cf2797aa-b7ec-e311-8ed9-005056c00008}, Quarantined, [2881e73b3456979f3a9bc4644fb68e72],
PUP.Optional.InstallBrain.A, HKLM\SOFTWARE\WOW6432NODE\InstallIQ, Quarantined, [6049e93923679d99cec13cad9d6605fb],
PUP.Optional.TornTV.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\TornTv Downloader, Quarantined, [ddcceb37afdbf244ec946c461de68e72],
PUP.Optional.GoPhotoIT.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\TheGoPhoto.it V10, Quarantined, [5d4ccf534842ed492bb5f1bd6c974db3],
PUP.Optional.TornTV.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\TornPlusTV_version1.11, Quarantined, [d3d6e240aedc42f4cf3b1d95ee15837d],
PUP.Optional.1ClickDownload.A, HKU\S-1-5-21-1140784956-2213488824-2058186038-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\1ClickDownload, Quarantined, [3475d64c4d3d9f97106d996d3dc89967],
PUP.Optional.ConduitSearch.A, HKU\S-1-5-21-1140784956-2213488824-2058186038-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Conduit_Search_Protect, Quarantined, [63467da5721849ed95ed8b1ca45f29d7],
PUP.Optional.TornTV.A, HKU\S-1-5-21-1140784956-2213488824-2058186038-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\TornTv Downloader, Quarantined, [19905fc3a6e4ba7c3c44634f52b16f91],
PUP.Optional.CrossRider.A, HKU\S-1-5-21-1140784956-2213488824-2058186038-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Crossrider, Quarantined, [832612104e3c3006e96847d22adbba46],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\57E6F5CB325E2F43, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],

Files: 22
PUP.Optional.Sanbreel.A, C:\Windows\System32\drivers\{fe651286-52a1-461b-a17a-f258b4b81968}w64.sys, Delete-on-Reboot, [5410c7174c0f432d29a47c297693857e],
PUP.Optional.GoPhotoIT.A, C:\Users\Jony\AppData\Roaming\AC.exe, Quarantined, [347563bfaedc78be2fce734b13ee37c9],
PUP.Optional.CrossRider.A, C:\Users\Jony\AppData\Roaming\AU.exe, Quarantined, [f3b6c45eff8b9b9bde48a16efd0957a9],
PUP.Optional.CrossRider.A, C:\Users\Jony\AppData\Roaming\VSATWNN.exe, Quarantined, [f9b07ea485050036ee383ad531d5a759],
PUP.Optional.GoPhotoIT.A, C:\Users\Jony\AppData\Roaming\YKNWK.exe, Quarantined, [36731a08deaca1953cc1d1ed45bcca36],
PUP.Bundle.Installer.OI, C:\Users\Jony\Downloads\mplayer_Setup.exe, Quarantined, [c2e70d158bffba7c1bdd61601de318e8],
PUP.Optional.InstallIQ, C:\Users\Jony\Downloads\swirlabstractsss.exe, Quarantined, [e6c3d84adeacd6600eadd96b45bc8779],
PUP.Optional.DomaIQ, C:\Users\Jony\Downloads\Setup(2).exe, Quarantined, [5752849e1872082e28ea4ab33cc532ce],
PUP.Optional.DomaIQ, C:\Users\Jony\Downloads\Setup(3).exe, Quarantined, [dbcee042ee9caa8c23ef9964df22e21e],
PUP.Optional.InstallRex, C:\Users\Jony\Downloads\Codec-V.exe, Quarantined, [b3f6849ebfcb96a0863f854cb54cc937],
PUP.Optional.SearchProtect, C:\Windows\AppPatch\AppPatch64\VCLdr64.dll, Quarantined, [317848da8dfd43f3c682c76fd23040c0],
PUP.Optional.Trovi.A, C:\Users\Jony\AppData\Roaming\Mozilla\Firefox\Profiles\cma7glkd.default\searchplugins\trovi-search.xml, Quarantined, [9e0b46dc5b2f92a46c4c548341c252ae],
PUP.Optional.SearchProtect, C:\Windows\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb, Quarantined, [0f9ada48cac092a479600d1be61f7090],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\20120422140649.log, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\Setup.dat, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\Setup.exe, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\Setup.ico, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\TsuDll.dll, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\_Setup.dll, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Installmate, C:\ProgramData\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\_Setupx.dll, Quarantined, [12973ae87c0e3cfa044ff98fa360649c],
PUP.Optional.Trovi.A, C:\Users\Jony\AppData\Roaming\Mozilla\Firefox\Profiles\cma7glkd.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.trovi.com/?gd=&ctid=CT3322289&octid=EB_ORIGINAL_CTID&ISID=MC8185BD4-52DB-4377-B97E-7D8FB769804A&SearchSource=69&CUI=&SSPV=&Lay=1&UM=6&UP=SP8900DB9F-97E8-4FE5-9600-2C6825D12D0E");), Replaced,[8326ed35aae00b2b289319feaa5c24dc]
PUP.Optional.CrossRider.A, C:\Users\Jony\AppData\Roaming\Mozilla\Firefox\Profiles\cma7glkd.default\prefs.js, Good: (), Bad: (user_pref("extensions.crossrider.bic", "149e3255e6b6aed845ddb7ef1e5d3568");), Replaced,[f2b73ce64545d85ed13468b08c7a6f91]

Physical Sectors: 0
(No malicious items detected)


(end)

# AdwCleaner v4.111 - Logfile created 04/03/2015 at 22:02:32
# Updated 18/02/2015 by Xplode
# Database : 2015-03-02.3 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Jony - JONY-PC
# Running from : C:\Users\Jony\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\ProgramData\Kromtech
Folder Deleted : C:\Program Files (x86)\globalUpdate
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Infigo
Folder Deleted : C:\Users\Jony\AppData\Local\apn
Folder Deleted : C:\Users\Jony\AppData\Local\globalUpdate
Folder Deleted : C:\Users\Jony\AppData\Local\Kromtech
Folder Deleted : C:\Users\Jony\AppData\Roaming\Infigo
File Deleted : C:\END
File Deleted : C:\Windows\Reimage.ini
File Deleted : C:\Users\Jony\AppData\Roaming\Mozilla\Firefox\Profiles\cma7glkd.default\searchplugins\Askcom.xml

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D21A38B2-5C7C-4778-A841-ED44512E3CC3}
Key Deleted : HKCU\Software\Compete
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\GlobalUpdate
Key Deleted : HKCU\Software\powerpack
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\CompeteInc
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\SPPDCOM
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>

***** [ Web browsers ] *****

-\\ Internet Explorer v9.0.8112.16540


-\\ Mozilla Firefox v34.0.5 (x86 en-US)

[cma7glkd.default\prefs.js] - Line Deleted : user_pref("browser.search.order.1", "Ask.com");

-\\ Google Chrome v41.0.2272.76

[C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=FF&o=14594&locale=en_US&apn_uid=e1b83f85-7762-4ed6-bec9-769db2372545&apn_ptnrs=FV&apn_sauid=F7275F4B-A45D-4C2E-BE5E-9BAC1A0F24B5&apn_dtid=YYYYYYYYUS&q={searchTerms}
[C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=FF&o=14594&locale=en_US&apn_uid=e1b83f85-7762-4ed6-bec9-769db2372545&apn_ptnrs=FV&apn_sauid=F7275F4B-A45D-4C2E-BE5E-9BAC1A0F24B5&apn_dtid=YYYYYYYYUS&q={searchTerms}
[C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3324774&octid=EB_ORIGINAL_CTID&ISID=ME89F68D6-D7AD-4D32-ACFE-EDBBB904D7B4&SearchSource=58&CUI=&UM=6&UP=SP06B4111C-09FB-4F00-96A7-2ECF6710FA62&q={searchTerms}&SSPV=
[C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [5757 bytes] - [04/03/2015 22:00:09]
AdwCleaner[S0].txt - [5426 bytes] - [04/03/2015 22:02:32]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5485 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows 7 Home Premium x64
Ran by Jony on Wed 03/04/2015 at 22:09:28.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Successfully deleted: [Empty Folder] C:\Users\Jony\appdata\local\{3B447EF8-BF9C-490D-9394-7AA7D798B565}
Successfully deleted: [Empty Folder] C:\Users\Jony\appdata\local\{45E15892-98B1-4FBF-8D59-6C9D8C029C1C}
Successfully deleted: [Empty Folder] C:\Users\Jony\appdata\local\{F46E5F88-B077-4270-869E-DDB94EC156C4}

~~~ FireFox

Emptied folder: C:\Users\Jony\AppData\Roaming\mozilla\firefox\profiles\cma7glkd.default\minidumps [34 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/04/2015 at 22:13:59.06
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Report •

#3
March 4, 2015 at 19:19:09
Ok, I'm here, shall wait for the logs.

Report •

Related Solutions

#4
March 4, 2015 at 19:29:33
Sorry John, got my am/pm wrong again. I've slapped my hand...

Always pop back and let us know the outcome - thanks

message edited by Derek


Report •

#5
March 4, 2015 at 19:35:39
John

See new logs at #2 which overlapped with your #3.

Always pop back and let us know the outcome - thanks


Report •

#6
March 4, 2015 at 20:10:37
"ran them all. found and fixed many issues but not the one i wanted. lol. thanks for the help"
That's normal, we will get you right eventually, just a matter of stripping the nasties, layer by layer.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator to start"

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.


Report •

#7
March 5, 2015 at 07:42:35
That seemed to help with firefox. Still getting a redirect in chrome. Thank you.

RogueKiller V10.5.1.0 [Mar 5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jony [Administrator]
Started from : C:\Users\Jony\Desktop\RogueKiller.exe
Mode : Delete -- Date : 03/05/2015 10:14:21

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) GVTDrv64 -- \??\C:\Windows\GVTDrv64.sys[7] -> Stopped

¤¤¤ Registry : 11 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\etdrv -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GVTDrv64 -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etdrv -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GVTDrv64 -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\etdrv -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GVTDrv64 -> Deleted
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.entru.com/?s=21983 -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 47 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 csc3-2010-crl.verisign.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ocsp.verisign.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 crl.verisign.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 download.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 secure.download.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 loginregistration.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 achievements.gameservices.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 friends.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 avatar.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ecommerce.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 static.cdn.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 tealium.hs.llnwd.net -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 heartbeat.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 web.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 store.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ec2-54-243-231-82.compute-1.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 eaassets-a.akamaihd.net -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ssl.resources.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 akamai.cdn.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 novafusion.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 proxy.novafusion.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ec2-23-23-167-200.compute-1.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 dirtybits.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 chat.dm.origin.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 easo.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 telemetry.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ec2-54-228-227-181.eu-west-1.compute.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ec2-46-137-177-16.eu-west-1.compute.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 s3-1-w.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 s3-website-eu-west-1.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 static.prod.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 avatar.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adsrv-dummy.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adsrv.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 socket.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 update.prod.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 worlds.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 scproddefaultservicenews.s3.amazonaws.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 api.simcity.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 help.ea.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com -> Deleted
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net -> Deleted

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 7 ¤¤¤
[FIREFX:Addon] cma7glkd.default : RightToClick [{cd617375-6743-4ee8-bac4-fbf10f35729e}] -> Deleted
[FIREFX:Addon] cma7glkd.default : Video DownloadHelper [{b9db16a4-6edc-47ec-a1f4-b86292ed211d}] -> Deleted
[FIREFX:Addon] cma7glkd.default : ColorfulTabs [{0545b830-f0aa-4d7e-8820-50a4629a56fe}] -> Deleted
[FIREFX:Addon] cma7glkd.default : Linky [linky@gemal.dk] -> Deleted
[FIREFX:Addon] cma7glkd.default : Mozilla Firefox hotfix [firefox-hotfix@mozilla.org] -> Deleted
[FIREFX:Addon] cma7glkd.default : Adobe Acrobat - Create PDF [web2pdfextension@web2pdf.adobedotcom] -> Deleted
[FIREFX:Addon] cma7glkd.default : tTCWscpIhy [{2c68cdc3-a4b5-4788-8b17-566a2887b72c}] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-007BA0 ATA Device +++++
--- User ---
[MBR] cd409226bbcd25b21770812b953220f4
[BSP] 0b2c9996572421e9aba08d9d197f5bce : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Corsair Nova 2 SSD ATA Device +++++
--- User ---
[MBR] 131100eb48f6a3e8bf296f776a7a81dd
[BSP] 6a28af06db4beef088979ce325c16da7 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03052015_101203.log


Report •

#8
March 5, 2015 at 13:37:35
You have installed the Premium version, which is a very good & can be run in conjunction with your current Anti-Virus ( AV ) If you don't want to buy it, do this to avoid the purchase nag screens.
Open Malwarebytes, on the Dashboard, click on ‘End Free Trial’ link which, then will be instantly converted to the free version.

Best you print or write the instructions & check the steps off as you do them.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of it's location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alchohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual"
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


Report •

#9
March 21, 2015 at 19:29:45
Sorry for the delay, been working hard. Couldn't get ZippyShare to work. Posting log file here..

ComboFix 15-03-14.03 - Jony 03/21/2015 21:23:06.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8190.6688 [GMT -4:00]
Running from: c:\users\Jony\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\System32\IME\IMEJP10\imjpuexc.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_6.1.7601.17514_none_696354579779eadf\imjpuexc.exe
.
.
((((((((((((((((((((((((( Files Created from 2015-02-22 to 2015-03-22 )))))))))))))))))))))))))))))))
.
.
2015-03-22 01:29 . 2015-03-22 01:29 -------- d-----w- c:\users\Guest\AppData\Local\temp
2015-03-22 01:29 . 2015-03-22 01:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-03-21 03:30 . 2015-01-29 09:07 11910896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D3E8CF7A-E0F7-479C-8BE1-0D79D16F7E3A}\mpengine.dll
2015-03-20 02:33 . 2015-01-29 09:07 11910896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-03-06 10:55 . 2015-03-06 10:55 -------- d-----w- c:\users\Jony\AppData\Local\CrashDumps
2015-03-06 07:37 . 2015-03-06 07:37 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2015-03-06 07:37 . 2015-03-06 10:55 -------- d-----w- c:\users\Jony\AppData\Roaming\Winamp
2015-03-06 07:37 . 2015-03-06 07:37 -------- d-----w- c:\program files (x86)\Pro PC Cleaner
2015-03-06 07:37 . 2015-03-06 07:37 -------- d-----w- c:\users\Jony\AppData\Roaming\Rainmaker Software Group LLC.?
2015-03-05 15:07 . 2015-03-05 15:22 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-03-05 15:07 . 2015-03-05 15:15 -------- d-----w- c:\programdata\RogueKiller
2015-03-05 03:00 . 2015-03-05 03:02 -------- d-----w- C:\AdwCleaner
2015-03-05 02:49 . 2015-03-19 05:42 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-03-05 02:49 . 2015-03-05 02:49 -------- d-----w- c:\programdata\Malwarebytes
2015-03-05 02:49 . 2014-11-21 11:14 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-03-05 02:49 . 2014-11-21 11:14 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-03-05 02:49 . 2014-11-21 11:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-03-05 02:05 . 2015-03-05 02:05 -------- d-----w- c:\users\Jony\AppData\Roaming\VSRevoGroup
2015-02-23 05:40 . 2014-09-16 21:12 1188440 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{661D0E78-FB9D-4296-B63E-4605876FB2E9}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-22 01:31 . 2011-02-28 18:27 30528 ----a-w- c:\windows\GVTDrv64.sys
2015-03-22 01:31 . 2011-02-28 18:37 25640 ----a-w- c:\windows\gdrv.sys
2015-03-03 13:17 . 2011-02-28 18:53 295552 ------w- c:\windows\system32\MpSigStub.exe
2015-02-06 02:19 . 2012-04-19 21:49 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-02-06 02:19 . 2011-05-23 03:27 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Akamai NetSession Interface"="c:\users\Jony\AppData\Local\Akamai\netsession_win.exe" [2014-10-30 4673432]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-11 98304]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"Adobe Acrobat Speed Launcher"="f:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-01-03 36760]
"Acrobat Assistant 8.0"="f:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"EasyTuneVI"="c:\program files (x86)\Gigabyte\ET6\ETCall.exe" [2007-07-26 20480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 Andbus;LGE Android Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandbus64.sys [x]
R3 AndDiag;LGE Android USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lganddiag64.sys [x]
R3 AndGps;LGE Android USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandgps64.sys [x]
R3 ANDModem;LGE Android USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandmodem64.sys [x]
R3 andnetadb;ADB Interface DriverNet;c:\windows\system32\Drivers\lgandnetadb.sys;c:\windows\SYSNATIVE\Drivers\lgandnetadb.sys [x]
R3 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetndis64.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe;c:\windows\SYSNATIVE\AppleChargerSrv.exe [x]
R3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\DRIVERS\gbridge64.sys;c:\windows\SYSNATIVE\DRIVERS\gbridge64.sys [x]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys;c:\windows\GVTDrv64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192cu.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AppleCharger.sys [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [x]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe;c:\windows\SysWOW64\XSrvSetup.exe [x]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\MAudioDelta.sys;c:\windows\SYSNATIVE\DRIVERS\MAudioDelta.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-03-21 17:43 1061704 ----a-w- c:\program files (x86)\Google\Chrome\Application\41.0.2272.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-03-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 02:19]
.
2015-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-12-02 21:32]
.
2015-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-12-02 21:32]
.
2015-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1140784956-2213488824-2058186038-1000Core.job
- c:\users\Jony\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-28 17:59]
.
2015-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1140784956-2213488824-2058186038-1000UA.job
- c:\users\Jony\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-28 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Jony\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-06 10144288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Jony\AppData\Roaming\Mozilla\Firefox\Profiles\cma7glkd.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1140784956-2213488824-2058186038-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1140784956-2213488824-2058186038-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-1140784956-2213488824-2058186038-1000\Software\SecuROM\License information*]
"datasecu"=hex:6e,a6,ff,58,7c,b7,5d,76,1e,a7,67,73,53,4c,25,7a,03,0f,3a,5d,f9,
7e,79,49,ec,7e,bf,45,91,9f,37,c1,e4,df,97,38,e0,e7,37,5b,5b,b0,fc,c4,24,12,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
.
**************************************************************************
.
Completion time: 2015-03-21 21:40:56 - machine was rebooted
ComboFix-quarantined-files.txt 2015-03-22 01:40
ComboFix2.txt 2015-03-05 23:07
.
Pre-Run: 14,840,471,552 bytes free
Post-Run: 14,709,252,096 bytes free
.
- - End Of File - - A621E906CC69B6DAA0B0FEAFEFF45F0B
A36C5E4F47E84449FF07ED3517B43A31


Report •

#10
March 22, 2015 at 00:24:54
You have been busy, here is the next step. Upload to any site of your choosing, or try ZippyShare again.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/


Report •

#11
Report •

#12
March 22, 2015 at 14:18:45
Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1140784956-2213488824-2058186038-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1140784956-2213488824-2058186038-1000 -> DefaultScope {8275B3C9-A8F7-4C6C-BF74-0D1195DEABF1} URL = https://www.google.com/search?q={se...
SearchScopes: HKU\S-1-5-21-1140784956-2213488824-2058186038-1000 -> {8275B3C9-A8F7-4C6C-BF74-0D1195DEABF1} URL = https://www.google.com/search?q={se...
Toolbar: HKU\S-1-5-21-1140784956-2213488824-2058186038-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> F:\New folder\VLC\npvlc.dll No File
CHR HomePage: Default -> hxxp://g.msn.com/USCON/1
CHR StartupUrls: Default -> "hxxp://search.fantastigames.com/455", "hxxp://www.kongregate.com/games/Tukkun/anti-idle-the-game"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (AVG Internet Security) - C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll No File
CHR Plugin: (registryAccess) - C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapoldfpilohhfkhihnhdckpackghi\7.15.1.0_0\background/registryAccess.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - F:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Plugin: (Google Update) - C:\Users\Jony\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (VLC Web Plugin) - F:\New folder\VLC\npvlc.dll No File
S3 Andbus; system32\DRIVERS\lgandbus64.sys [X]
S3 AndDiag; system32\DRIVERS\lganddiag64.sys [X]
S3 AndGps; system32\DRIVERS\lgandgps64.sys [X]
S3 ANDModem; system32\DRIVERS\lgandmodem64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


Report •

#13
March 25, 2015 at 17:54:52
Followed instructions. Firefox seems ok but chrome still getting lots of redirects.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Jony at 2015-03-25 20:51:20 Run:1
Running from C:\Users\Jony\Desktop
Loaded Profiles: Jony (Available profiles: Jony & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1140784956-2213488824-2058186038-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1140784956-2213488824-2058186038-1000 -> DefaultScope {8275B3C9-A8F7-4C6C-BF74-0D1195DEABF1} URL = https://www.google.com/search?q={se...
SearchScopes: HKU\S-1-5-21-1140784956-2213488824-2058186038-1000 -> {8275B3C9-A8F7-4C6C-BF74-0D1195DEABF1} URL = https://www.google.com/search?q={se...
Toolbar: HKU\S-1-5-21-1140784956-2213488824-2058186038-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> F:\New folder\VLC\npvlc.dll No File
CHR HomePage: Default -> hxxp://g.msn.com/USCON/1
CHR StartupUrls: Default -> "hxxp://search.fantastigames.com/455", "hxxp://www.kongregate.com/games/Tukkun/anti-idle-the-game"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (AVG Internet Security) - C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll No File
CHR Plugin: (registryAccess) - C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapoldfpilohhfkhihnhdckpackghi\7.15.1.0_0\background/registryAccess.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - F:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Plugin: (Google Update) - C:\Users\Jony\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (VLC Web Plugin) - F:\New folder\VLC\npvlc.dll No File
S3 Andbus; system32\DRIVERS\lgandbus64.sys [X]
S3 AndDiag; system32\DRIVERS\lganddiag64.sys [X]
S3 AndGps; system32\DRIVERS\lgandgps64.sys [X]
S3 ANDModem; system32\DRIVERS\lgandmodem64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1140784956-2213488824-2058186038-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-1140784956-2213488824-2058186038-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-1140784956-2213488824-2058186038-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8275B3C9-A8F7-4C6C-BF74-0D1195DEABF1}" => Key deleted successfully.
HKCR\CLSID\{8275B3C9-A8F7-4C6C-BF74-0D1195DEABF1} => Key not found.
HKU\S-1-5-21-1140784956-2213488824-2058186038-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.0.1" => Key deleted successfully.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\ppGoogleNaClPluginChrome.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.89\gcswf32.dll not found.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll not found.
C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll not found.
C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapoldfpilohhfkhihnhdckpackghi\7.15.1.0_0\background/registryAccess.dll not found.
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll not found.
F:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll not found.
C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll not found.
C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll not found.
C:\Users\Jony\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
F:\New folder\VLC\npvlc.dll not found.
Andbus => Service deleted successfully.
AndDiag => Service deleted successfully.
AndGps => Service deleted successfully.
ANDModem => Service deleted successfully.
catchme => Service deleted successfully.
EmptyTemp: => Removed 444.2 MB temporary data.


The system needed a reboot.

==== End of Fixlog 20:51:33 ====

message edited by ergoxxulous


Report •

#14
March 25, 2015 at 17:57:53
Update & run Malwarebytes Threat Scan again.
Post the log please.

Report •

#15
March 28, 2015 at 10:44:43
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/26/2015
Scan Time: 11:55:23 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.27.02
Rootkit Database: v2015.03.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jony

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 578506
Time Elapsed: 47 min, 45 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 6
RiskWare.Tool.CK, E:\Reason 4 + Keygen + Patch RPS\Reason4 Keygen.zip, , [1b05d674ddad072f0c00eaa3b54d23dd],
PUP.Optional.InstallRex, F:\Downloads\Codec-V.exe, , [e63a222899f1f44272cc7b5961a040c0],
PUP.Optional.SelectNGo.A, C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.selectgo00.selectgo.net_0.localstorage, , [39e7331765252511d9cf2898c34037c9],
PUP.Optional.SelectNGo.A, C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.selectgo00.selectgo.net_0.localstorage-journal, , [d54b1139b6d4b383634501bf956e31cf],
PUP.Optional.SelectNGo.A, C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.select-n-go00.select-n-go.com_0.localstorage, , [3fe197b35b2f4aec3f09e706cf34db25],
PUP.Optional.SelectNGo.A, C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.select-n-go00.select-n-go.com_0.localstorage-journal, , [fe224efc1c6e62d46adee508986b40c0],

Physical Sectors: 0
(No malicious items detected)


(end)


Report •

#16
March 28, 2015 at 16:04:19
Thanks, run Malwarebytes again, Quarantine all it finds & post the new log please,

Report •

#17
April 13, 2015 at 08:10:45
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/13/2015
Scan Time: 10:11:33 AM
Logfile: mallog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.04.13.05
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jony

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 573656
Time Elapsed: 48 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
RiskWare.Tool.CK, E:\Reason 4 + Keygen + Patch RPS\Reason4 Keygen.zip, Quarantined, [40d3aca0a9e11f17d6d4b8e33dc54eb2],
PUP.Optional.SelectNGo.A, C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.select-n-go00.select-n-go.com_0.localstorage, Quarantined, [4fc4f359800a94a2055b5c9916edd52b],
PUP.Optional.SelectNGo.A, C:\Users\Jony\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.select-n-go00.select-n-go.com_0.localstorage-journal, Quarantined, [66ad490393f7bb7b223eb2436e95ea16],

Physical Sectors: 0
(No malicious items detected)


(end)


Report •

#18
April 13, 2015 at 14:50:20
Download Security Check by screen317 from one of the following links and save it onto your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
Please restart the computer before running this security check..
* Double click SecurityCheck.exe. If you run Windows Vista or 7/8, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; Please Copy and Paste the contents into your reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Report •

Ask Question