Jump to content

BitCoin Miner Trojan. Need Help Removing.


Recommended Posts

So, this has been happening for some time now. Everytime I use the computer (only my user, doesn't seem to be happening to anyone else but I'm not sure) I get this error message saying "Bitcoin-miner has stopped working.". This message pops up once every minute or two. It is EXTREMELY annoying. I've just been working around it but, now I need to remove it. I suspect it's using svchost but, I'm not 100% sure because it always crashes...so I can't really tell which process it may be using. I don't see a performance impact though like many other BTC trojans seem to do. I think I may have removed it partially but, it still trys to run every minute or so. I have run Malwarebytes but it didn't fix it. Thanks in advance.

Link to post
Share on other sites

Hello Komando and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

Link to post
Share on other sites

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

16868925

File::

C:\Windows\System32\Drivers\16868925.sys

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

Link to post
Share on other sites

So far (about 6 minutes) and no sign of the error. Think you may have just fixed it. Heres the log, but for some reason when it rebooted it had disabled my DHCP for my LAC. Not sure if it was intentional or not but, its fixed now. Thanks for the help. If it pops up again I'll repost in this topic.

ComboFix 13-06-13.01 - Kyle 06/13/2013 18:25:11.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2222 [GMT -4:00]

Running from: c:\users\Kyle\Desktop\ComboFix.exe

Command switches used :: c:\users\Kyle\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

FILE ::

"c:\windows\System32\Drivers\16868925.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\data

c:\programdata\AMMYY

c:\programdata\AMMYY\hr

c:\programdata\AMMYY\hr3

c:\programdata\AMMYY\settings3.bin

.

---- Previous Run -------

.

c:\users\Naomi\AppData\Local\Microsoft\Windows\Temporary Internet Files\{1A4D0E76-6230-40EC-ADB6-EA4EB10AF427}.xps

c:\users\Naomi\AppData\Local\Microsoft\Windows\Temporary Internet Files\{66C42FFD-BA14-4953-98B9-AF7CCE1A0782}.xps

c:\users\Naomi\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9BF903B7-AB6C-419A-8125-B18B8E159CCC}.xps

c:\users\Naomi\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BDC19639-3478-43BF-BDCA-92CFDBA410B1}.xps

c:\users\Naomi\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E37EE4CC-B52F-4616-9697-DFBB12CA7A96}.xps

c:\users\Naomi\Documents\~WRL1009.tmp

c:\users\Naomi\Documents\~WRL1175.tmp

c:\users\Naomi\Documents\~WRL3050.tmp

c:\windows\SysWow64\frapsvid.dll

E:\install.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_16868925

.

.

((((((((((((((((((((((((( Files Created from 2013-05-13 to 2013-06-13 )))))))))))))))))))))))))))))))

.

.

2013-06-13 22:36 . 2013-06-13 22:36 -------- d-----w- c:\users\Shelia\AppData\Local\temp

2013-06-13 22:36 . 2013-06-13 22:36 -------- d-----w- c:\users\postgres\AppData\Local\temp

2013-06-13 22:36 . 2013-06-13 22:36 -------- d-----w- c:\users\Paul\AppData\Local\temp

2013-06-13 22:36 . 2013-06-13 22:36 -------- d-----w- c:\users\Naomi\AppData\Local\temp

2013-06-13 22:36 . 2013-06-13 22:36 -------- d-----w- c:\users\Guest\AppData\Local\temp

2013-06-13 19:44 . 2013-06-13 20:34 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)

2013-06-13 19:44 . 2013-06-13 19:44 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-06-13 05:40 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B0B501D0-9637-4BAC-B261-D8122866DF1F}\mpengine.dll

2013-06-12 16:23 . 2013-06-12 16:23 9089416 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2013-06-12 06:06 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-06-08 20:44 . 2013-06-08 20:44 -------- d-----w- c:\users\ABC Mouse .com\AppData\Roaming\Sony Corporation

2013-06-02 23:51 . 2013-06-02 23:51 -------- d-----w- c:\users\Kyle\AppData\Local\NBGI

2013-06-02 21:07 . 2013-06-02 21:07 -------- d-----w- c:\users\Kyle\AppData\Roaming\raidcall

2013-05-26 18:56 . 2013-05-26 18:56 -------- d-----w- c:\users\Paul\AppData\Roaming\Sony Corporation

2013-05-26 18:43 . 2013-05-26 18:43 -------- d-----w- c:\programdata\Sony Corporation

2013-05-26 18:43 . 2013-05-26 18:53 -------- d-----w- c:\program files (x86)\Sony

2013-05-26 18:42 . 2013-05-26 18:42 -------- d-----w- c:\users\Paul\AppData\Roaming\InstallShield

2013-05-23 14:49 . 2013-06-01 01:52 -------- d-----w- c:\users\Kyle\AppData\Roaming\HexChat

2013-05-23 14:49 . 2013-05-23 14:49 -------- d-----w- c:\program files (x86)\HexChat

2013-05-21 06:23 . 2013-05-21 06:23 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2D19BF98-0991-4679-A709-0F77EA1A5857}\gapaengine.dll

2013-05-21 04:33 . 2013-06-10 20:22 -------- d-----w- c:\users\ABC Mouse .com\AppData\Local\Spotify

2013-05-21 04:33 . 2013-06-13 18:53 -------- d-----w- c:\users\ABC Mouse .com\AppData\Roaming\Spotify

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-12 16:23 . 2012-04-01 21:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-06-12 16:23 . 2012-04-01 21:37 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-06-12 07:01 . 2012-04-03 11:41 75825640 ----a-w- c:\windows\system32\MRT.exe

2013-05-30 16:01 . 2009-08-18 15:24 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-07 17:37 . 2013-05-07 17:37 61440 ----a-r- c:\users\ABC Mouse .com\AppData\Roaming\Microsoft\Installer\{E9459BCF-0982-498B-ABA7-26C34323493F}\ARPICON.exe

2013-05-07 17:37 . 2013-05-07 17:37 49152 ----a-r- c:\users\ABC Mouse .com\AppData\Roaming\Microsoft\Installer\{E9459BCF-0982-498B-ABA7-26C34323493F}\liteico.exe.827545C6_7013_4DE1_8E6C_DAEE4C57F54A.exe

2013-05-07 17:37 . 2013-05-07 17:37 61440 ----a-r- c:\users\ABC Mouse .com\AppData\Roaming\Microsoft\Installer\{E9459BCF-0982-498B-ABA7-26C34323493F}\pncico.exe.C76E2E86_AE54_4AF5_997C_63EBB83C7651.exe

2013-05-07 17:37 . 2013-05-07 17:37 61440 ----a-r- c:\users\ABC Mouse .com\AppData\Roaming\Microsoft\Installer\{E9459BCF-0982-498B-ABA7-26C34323493F}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

2013-05-02 15:29 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-30 03:37 . 2013-04-30 03:37 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2013-04-30 03:37 . 2013-04-30 03:37 523264 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-04-30 03:37 . 2013-04-30 03:37 226304 ----a-w- c:\windows\system32\elshyph.dll

2013-04-30 03:37 . 2013-04-30 03:37 185344 ----a-w- c:\windows\SysWow64\elshyph.dll

2013-04-30 03:37 . 2013-04-30 03:37 158720 ----a-w- c:\windows\SysWow64\msls31.dll

2013-04-30 03:37 . 2013-04-30 03:37 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2013-04-30 03:37 . 2013-04-30 03:37 138752 ----a-w- c:\windows\SysWow64\wextract.exe

2013-04-30 03:37 . 2013-04-30 03:37 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2013-04-30 03:37 . 2013-04-30 03:37 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2013-04-30 03:37 . 2013-04-30 03:37 61952 ----a-w- c:\windows\SysWow64\tdc.ocx

2013-04-30 03:37 . 2013-04-30 03:37 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2013-04-30 03:37 . 2013-04-30 03:37 38400 ----a-w- c:\windows\SysWow64\imgutil.dll

2013-04-30 03:37 . 2013-04-30 03:37 361984 ----a-w- c:\windows\SysWow64\html.iec

2013-04-30 03:37 . 2013-04-30 03:37 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2013-04-30 03:37 . 2013-04-30 03:37 12800 ----a-w- c:\windows\SysWow64\mshta.exe

2013-04-30 03:37 . 2013-04-30 03:37 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2013-04-30 03:37 . 2013-04-30 03:37 81408 ----a-w- c:\windows\system32\icardie.dll

2013-04-30 03:37 . 2013-04-30 03:37 762368 ----a-w- c:\windows\system32\ieapfltr.dll

2013-04-30 03:37 . 2013-04-30 03:37 452096 ----a-w- c:\windows\system32\dxtmsft.dll

2013-04-30 03:37 . 2013-04-30 03:37 441856 ----a-w- c:\windows\system32\html.iec

2013-04-30 03:37 . 2013-04-30 03:37 281600 ----a-w- c:\windows\system32\dxtrans.dll

2013-04-30 03:37 . 2013-04-30 03:37 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll

2013-04-30 03:37 . 2013-04-30 03:37 216064 ----a-w- c:\windows\system32\msls31.dll

2013-04-30 03:37 . 2013-04-30 03:37 197120 ----a-w- c:\windows\system32\msrating.dll

2013-04-30 03:37 . 2013-04-30 03:37 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2013-04-30 03:37 . 2013-04-30 03:37 1400416 ----a-w- c:\windows\system32\ieapfltr.dat

2013-04-30 03:37 . 2013-04-30 03:37 235008 ----a-w- c:\windows\system32\url.dll

2013-04-30 03:37 . 2013-04-30 03:37 97280 ----a-w- c:\windows\system32\mshtmled.dll

2013-04-30 03:37 . 2013-04-30 03:37 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll

2013-04-30 03:37 . 2013-04-30 03:37 62976 ----a-w- c:\windows\system32\pngfilt.dll

2013-04-30 03:37 . 2013-04-30 03:37 599552 ----a-w- c:\windows\system32\vbscript.dll

2013-04-30 03:37 . 2013-04-30 03:37 51200 ----a-w- c:\windows\system32\imgutil.dll

2013-04-30 03:37 . 2013-04-30 03:37 27648 ----a-w- c:\windows\system32\licmgr10.dll

2013-04-30 03:37 . 2013-04-30 03:37 270848 ----a-w- c:\windows\system32\iedkcs32.dll

2013-04-30 03:37 . 2013-04-30 03:37 247296 ----a-w- c:\windows\system32\webcheck.dll

2013-04-30 03:37 . 2013-04-30 03:37 173568 ----a-w- c:\windows\system32\ieUnatt.exe

2013-04-30 03:37 . 2013-04-30 03:37 167424 ----a-w- c:\windows\system32\iexpress.exe

2013-04-30 03:37 . 2013-04-30 03:37 1509376 ----a-w- c:\windows\system32\inetcpl.cpl

2013-04-30 03:37 . 2013-04-30 03:37 149504 ----a-w- c:\windows\system32\occache.dll

2013-04-30 03:37 . 2013-04-30 03:37 144896 ----a-w- c:\windows\system32\wextract.exe

2013-04-30 03:37 . 2013-04-30 03:37 13824 ----a-w- c:\windows\system32\mshta.exe

2013-04-30 03:37 . 2013-04-30 03:37 136192 ----a-w- c:\windows\system32\iepeers.dll

2013-04-30 03:37 . 2013-04-30 03:37 102912 ----a-w- c:\windows\system32\inseng.dll

2013-04-30 03:37 . 2013-04-30 03:37 52224 ----a-w- c:\windows\system32\msfeedsbs.dll

2013-04-30 03:37 . 2013-04-30 03:37 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2013-04-30 03:37 . 2013-04-30 03:37 77312 ----a-w- c:\windows\system32\tdc.ocx

2013-04-30 03:37 . 2013-04-30 03:37 48640 ----a-w- c:\windows\system32\mshtmler.dll

2013-04-30 03:37 . 2013-04-30 03:37 135680 ----a-w- c:\windows\system32\IEAdvpack.dll

2013-04-30 03:37 . 2013-04-30 03:37 12800 ----a-w- c:\windows\system32\msfeedssync.exe

2013-04-24 02:29 . 2012-06-13 07:16 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2013-04-16 02:06 . 2013-04-16 02:06 692946 ----a-w- C:\Zelda - A Link to the Past.zip

2013-04-13 05:49 . 2013-05-14 17:32 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-05-14 17:32 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-05-14 17:32 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-05-14 17:32 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-05-14 17:32 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-14 17:32 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 09:52 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-10 13:26 . 2013-04-10 13:26 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-04-10 13:26 . 2012-05-11 03:00 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-04-10 13:26 . 2012-04-01 21:44 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-04-10 06:01 . 2013-05-14 17:32 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-04-10 06:01 . 2013-05-14 17:32 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-04-10 03:30 . 2013-05-14 17:32 3153920 ----a-w- c:\windows\system32\win32k.sys

2013-03-19 06:04 . 2013-04-10 04:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:53 . 2013-05-14 17:32 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-03-19 05:53 . 2013-05-14 17:32 230400 ----a-w- c:\windows\system32\wwansvc.dll

2013-03-19 05:46 . 2013-04-10 04:04 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-10 04:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-10 04:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-10 04:04 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-10 04:04 112640 ----a-w- c:\windows\system32\smss.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RAVCpl64.exe"="c:\users\Kyle\AppData\Roaming\Realtek Semiconductor\Realtek HD Audio Manager\1.0.0.653\RAVCpl64.exe" [2012-05-07 2540544]

"AdobeBridge"="" [bU]

"Steam"="e:\steam\steam.exe" [2013-06-06 1641896]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-04-19 18678376]

"Spotify Web Helper"="c:\users\Guest\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-06-02 1104384]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-07-05 295304]

"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"BCSSync"="e:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-12-19 642808]

"PMBVolumeWatcher"="c:\program files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe" [2012-08-20 724576]

.

c:\users\postgres\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe "c:\programdata\Best Buy pc app\Best Buy pc app.application" [2012-1-24 16032]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe "c:\programdata\Best Buy pc app\Best Buy pc app.application" [2012-1-24 16032]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [x]

R3 LeapFrog-USBLAN;LeapFrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys;c:\windows\SYSNATIVE\DRIVERS\btblan.sys [x]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [x]

R3 Synergy;Synergy;c:\program files\Synergy\synergyd.exe;c:\program files\Synergy\synergyd.exe [x]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys;c:\windows\SYSNATIVE\DRIVERS\tap0901t.sys [x]

R3 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe;c:\program files (x86)\Tunngle\TnglCtrl.exe [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 WinRing0_1_2_0;WinRing0_1_2_0;e:\gamebooster\Driver\WinRing0x64.sys;e:\gamebooster\Driver\WinRing0x64.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]

S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [x]

S2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/Program Files (x86)/PostgreSQL/8.4/data -w;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/Program Files (x86)/PostgreSQL/8.4/data -w [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys;c:\windows\SYSNATIVE\drivers\ScreamingBAudio64.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]

start [bU]

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-13 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 16:23]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-11 23:41]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-11 23:41]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-526639929-1501987496-3961487347-1001Core.job

- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-22 04:27]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-526639929-1501987496-3961487347-1001UA.job

- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-22 04:27]

.

2013-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-526639929-1501987496-3961487347-1004Core.job

- c:\users\Kyle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20 21:54]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-526639929-1501987496-3961487347-1004UA.job

- c:\users\Kyle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20 21:54]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-526639929-1501987496-3961487347-1005Core.job

- c:\users\Shelia\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-21 21:15]

.

2013-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-526639929-1501987496-3961487347-1005UA.job

- c:\users\Shelia\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-21 21:15]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2013-04-16 20:10 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2013-04-16 20:10 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2013-04-16 20:10 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2013-04-16 20:10 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-06-11 12503184]

"Greenshot"="c:\program files\Greenshot\Greenshot.exe" [2012-10-31 462848]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 190536]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.privitize.com/?aff=7

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - e:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105

TCP: Interfaces\{275E56AF-E1B8-4A22-B8FF-CFBFE099698B}: NameServer = 75.75.75.75,8.8.8.8,75.75.76.76,8.8.4.4

FF - ProfilePath - c:\users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\9qc0f4jk.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.privitize.com/?aff=7&q=

FF - prefs.js: network.proxy.type - 1

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

AddRemove-Afterburner - c:\program files (x86)\MSI Afterburner\uninstall.exe

AddRemove-ArnA 2: Combined Operations - e:\new folder\uninstall.exe

AddRemove-BattlEye A2 Free - e:\steam\steamapps\common\arma 2 freeBattlEye\UnInstallBE.exe

AddRemove-Fallout New Vegas_is1 - e:\fallout new vegas complete\Fallout New Vegas\unins000.exe

AddRemove-LAME_is1 - e:\program files (x86)\Audacity\unins001.exe

AddRemove-mIRC - c:\program files (x86)\mIRC\uninstall.exe

AddRemove-nginx_is1 - c:\nginx\unins000.exe

AddRemove-Postal 2_is1 - e:\portal 2\unins000.exe

AddRemove-Project 64_is1 - c:\program files (x86)\Project64 2.0\unins000.exe

AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe

AddRemove-{0B7C79A5-5CB2-4ABD-A9C1-92A6213CE8DD}_is1 - c:\program files (x86)\MSI Kombustor 2.3\unins000.exe

AddRemove-{5C13C5F3-6E30-449F-8872-DF8AC35AE285}_is1 - e:\1aa bukkit\CraftBukkit\unins000.exe

AddRemove-{AEE602B3-C188-4A90-9F75-2B164A7D37F5}_is1 - e:\utor\torrents\rzr-skrm\The Elder Scrolls V Skyrim\skyrim\unins000.exe

AddRemove-{F5D4DC40-70D8-450F-B59E-103D6E1C487C}_is1 - e:\utor\torrents\Hitman Blood Money Install\Hitman. ???????? ??????\unins000.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\postgresql-8.4]

"ImagePath"="C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files (x86)/PostgreSQL/8.4/data\" -w"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\postgresql-8.4]

"ImagePath"="C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files (x86)/PostgreSQL/8.4/data\" -w"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\program files (x86)\PostgreSQL\8.4\bin\pg_ctl.exe

c:\program files (x86)\PostgreSQL\8.4\bin\postgres.exe

c:\program files (x86)\PostgreSQL\8.4\bin\postgres.exe

c:\program files (x86)\PostgreSQL\8.4\bin\postgres.exe

c:\program files (x86)\PostgreSQL\8.4\bin\postgres.exe

c:\program files (x86)\PostgreSQL\8.4\bin\postgres.exe

.

**************************************************************************

.

Completion time: 2013-06-13 18:44:04 - machine was rebooted

ComboFix-quarantined-files.txt 2013-06-13 22:44

.

Pre-Run: 9,416,589,312 bytes free

Post-Run: 4,682,743,808 bytes free

.

- - End Of File - - B64A3EFC4A546A0A0164056158A657CF

8F558EB6672622401DA993E1E865C861

Link to post
Share on other sites

Your system looks a whole lot better. Please run the following scans to see what else needs cleaning:

----------Step 1----------------

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------Step 2----------------

We need to create a New FULL OTL Report

  • Please download OTL from here if you have not done so already:

    [*]Save it to your desktop.

    [*]Double click on the OTL icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Change the "Extra Registry" option to "SafeList"

    [*]Push the Run Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

----------Step 3 (note: this scan may take a little time)----------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    [*]Check esetAcceptTerms.png

    [*]Click the esetStart.png button.

    [*]Accept any security warnings from your browser.

    [*]Check esetScanArchives.png

    [*]Push the Start button.

    [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

    [*]When the scan completes, push esetListThreats.png

    [*]Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    [*]Push the esetBack.png button.

    [*]Push esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

----------Step 4----------------

Please post the AdwCleaner logfile, the OTL.txt and Extras.txt, and the ESET online scan log in your next reply.

Let me know how things go.

Link to post
Share on other sites

AdwCleaner Log

# AdwCleaner v2.303 - Logfile created 06/15/2013 at 12:37:45

# Updated 08/06/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Kyle - KENYA

# Boot Mode : Normal

# Running from : C:\Users\Kyle\Desktop\AdwCleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\END

Folder Found : C:\ProgramData\InstallMate

Folder Found : C:\ProgramData\Premium

Folder Found : C:\ProgramData\Zoomex

Folder Found : C:\Users\Kyle\AppData\Local\PackageAware

Folder Found : C:\Users\Paul\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\PrivitizeVPNInstallDates

Key Found : HKCU\Software\Softonic

Key Found : HKCU\Software\StartSearch

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\nnplv4bj.default\prefs.js

[OK] File is clean.

File : C:\Users\Naomi\AppData\Roaming\Mozilla\Firefox\Profiles\spvh6gu3.default\prefs.js

[OK] File is clean.

File : C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\9qc0f4jk.default\prefs.js

[OK] File is clean.

File : C:\Users\Shelia\AppData\Roaming\Mozilla\Firefox\Profiles\5f6y7uhq.default\prefs.js

[OK] File is clean.

File : C:\Users\ABC Mouse .com\AppData\Roaming\Mozilla\Firefox\Profiles\l38amyfe.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v27.0.1453.110

File : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Shelia\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.3514] : urls_to_restore_on_startup = [ "hxxp://www.delta-search.com/?affID=119351&babsrc=HP_ss&mntrId=260F864BF54E12B3" ]

File : C:\Users\ABC Mouse .com\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2187 octets] - [15/06/2013 12:37:45]

########## EOF - C:\AdwCleaner[R1].txt - [2247 octets] ##########

OTL Logs (Attached)

ESET Online Scan Log

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{08F061BD-86E4-4FEB-B490-1B33030ABCD9}-MW2 Liberation V1.05 By Ackilla10.rar multiple threats

C:\ProgramData\Zoomex\50be9143a3d7b.ocx Win32/Adware.MultiPlug.E application

C:\ProgramData\Zoomex\50be9143a3db4.html Win32/Adware.MultiPlug.H application

C:\ProgramData\Zoomex\ogpapdgblenccodmcmfjaejdjookbpok.crx Win32/Adware.MultiPlug.H application

C:\ProgramData\Zoomex\settings.ini Win32/Adware.MultiPlug.F application

C:\Users\ABC Mouse .com\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js Win32/Adware.MultiPlug.H application

C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{08F061BD-86E4-4FEB-B490-1B33030ABCD9}-MW2 Liberation V1.05 By Ackilla10.rar multiple threats

C:\Users\All Users\Zoomex\50be9143a3d7b.ocx Win32/Adware.MultiPlug.E application

C:\Users\All Users\Zoomex\50be9143a3db4.html Win32/Adware.MultiPlug.H application

C:\Users\All Users\Zoomex\ogpapdgblenccodmcmfjaejdjookbpok.crx Win32/Adware.MultiPlug.H application

C:\Users\All Users\Zoomex\settings.ini Win32/Adware.MultiPlug.F application

C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js Win32/Adware.MultiPlug.H application

C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\68edc5ae-6a331f69 a variant of Java/TrojanDownloader.Agent.NBN trojan

C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\28609089-1bf0a008 a variant of Java/Exploit.CVE-2012-4681.CC trojan

C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js Win32/Adware.MultiPlug.H application

C:\Users\Kyle\Desktop\Fairlight\xlive.dll a variant of Win32/Packed.VMProtect.AAN trojan

C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js Win32/Adware.MultiPlug.H application

C:\Users\Shelia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js Win32/Adware.MultiPlug.H application

E:\Dark Souls\xlive.dll a variant of Win32/Packed.VMProtect.AAN trojan

E:\Dark_Souls_Prepare_To_Die_Edition-FLT\flt-dspd.iso a variant of Win32/Packed.VMProtect.AAN trojan

OTL.Txt

Extras.Txt

Link to post
Share on other sites

----------Step 1----------------

We need to run an OTL Fix

  • Please reopen otlicon.png on your desktop.
  • Copy and Paste the following code into the customscanfix.png textbox.
    :OTL
    [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2013/02/27 01:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 00:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 23:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    :Files
    C:\ProgramData\Zoomex\50be9143a3d7b.ocx
    C:\ProgramData\Zoomex\50be9143a3db4.html
    C:\ProgramData\Zoomex\ogpapdgblenccodmcmfjaejdjookbpok.crx
    C:\ProgramData\Zoomex\settings.ini
    C:\Users\ABC Mouse .com\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js
    C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{08F061BD-86E4-4FEB-B490-1B33030ABCD9}-MW2 Liberation V1.05 By Ackilla10.rar
    C:\Users\All Users\Zoomex\50be9143a3d7b.ocx
    C:\Users\All Users\Zoomex\50be9143a3db4.html
    C:\Users\All Users\Zoomex\ogpapdgblenccodmcmfjaejdjookbpok.crx
    C:\Users\All Users\Zoomex\settings.ini C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js
    C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\68edc5ae-6a331f69
    C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\28609089-1bf0a008
    C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js
    C:\Users\Kyle\Desktop\Fairlight\xlive.dll
    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js
    C:\Users\Shelia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js
    E:\Dark Souls\xlive.dll
    E:\Dark_Souls_Prepare_To_Die_Edition-FLT\flt-dspd.iso
    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{08F061BD-86E4-4FEB-B490-1B33030ABCD9}-MW2 Liberation V1.05 By Ackilla10.rar

    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]


  • Push runfix.png
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

----------Step 2----------------

Instructions for DELETE:

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

Afterwards, please reboot the computer.

----------Step 3----------------

Please post the OTL and AdwCleaner reports in your next reply. How are things running now?

Link to post
Share on other sites

OTL Log

All processes killed

========== OTL ==========

C:\Windows\assembly\Desktop.ini moved successfully.

File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.

File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.

File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.

File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.

File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.

File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.

Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.

Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.

Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.

Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.

========== FILES ==========

C:\ProgramData\Zoomex\50be9143a3d7b.ocx moved successfully.

C:\ProgramData\Zoomex\50be9143a3db4.html moved successfully.

C:\ProgramData\Zoomex\ogpapdgblenccodmcmfjaejdjookbpok.crx moved successfully.

C:\ProgramData\Zoomex\settings.ini moved successfully.

C:\Users\ABC Mouse .com\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js moved successfully.

C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{08F061BD-86E4-4FEB-B490-1B33030ABCD9}-MW2 Liberation V1.05 By Ackilla10.rar moved successfully.

File\Folder C:\Users\All Users\Zoomex\50be9143a3d7b.ocx not found.

File\Folder C:\Users\All Users\Zoomex\50be9143a3db4.html not found.

File\Folder C:\Users\All Users\Zoomex\ogpapdgblenccodmcmfjaejdjookbpok.crx not found.

File\Folder C:\Users\All Users\Zoomex\settings.ini C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js not found.

C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\68edc5ae-6a331f69 moved successfully.

C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\28609089-1bf0a008 moved successfully.

C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js moved successfully.

C:\Users\Kyle\Desktop\Fairlight\xlive.dll moved successfully.

C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js moved successfully.

C:\Users\Shelia\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogpapdgblenccodmcmfjaejdjookbpok\3.2_0\50be9143a3b577.39416240.js moved successfully.

E:\Dark Souls\xlive.dll moved successfully.

E:\Dark_Souls_Prepare_To_Die_Edition-FLT\flt-dspd.iso moved successfully.

File\Folder C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{08F061BD-86E4-4FEB-B490-1B33030ABCD9}-MW2 Liberation V1.05 By Ackilla10.rar not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: ABC Mouse .com

->Temp folder emptied: 1448 bytes

->Temporary Internet Files folder emptied: 294682555 bytes

->Java cache emptied: 295451 bytes

->FireFox cache emptied: 416703554 bytes

->Google Chrome cache emptied: 7108986 bytes

->Flash cache emptied: 113001 bytes

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56475 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 203423470 bytes

->Java cache emptied: 978024 bytes

->FireFox cache emptied: 489816488 bytes

->Google Chrome cache emptied: 323222795 bytes

->Flash cache emptied: 119597 bytes

User: Kyle

->Temp folder emptied: 565247 bytes

->Temporary Internet Files folder emptied: 6671903 bytes

->Java cache emptied: 6610346 bytes

->FireFox cache emptied: 432915648 bytes

->Google Chrome cache emptied: 110893527 bytes

->Flash cache emptied: 43543 bytes

User: Naomi

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32542978 bytes

->Java cache emptied: 1 bytes

->FireFox cache emptied: 192568792 bytes

->Flash cache emptied: 12380 bytes

User: Paul

->Temp folder emptied: 757 bytes

->Temporary Internet Files folder emptied: 29259217 bytes

->Java cache emptied: 70 bytes

->FireFox cache emptied: 165877952 bytes

->Google Chrome cache emptied: 120886721 bytes

->Flash cache emptied: 21771 bytes

User: postgres

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

User: Shelia

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 137771940 bytes

->Java cache emptied: 12328 bytes

->FireFox cache emptied: 659146263 bytes

->Google Chrome cache emptied: 280017684 bytes

->Flash cache emptied: 67277 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 38108491 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 78282914 bytes

%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes

RecycleBin emptied: 14 bytes

Total Files Cleaned = 3,842.00 mb

[EMPTYJAVA]

User: ABC Mouse .com

->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Guest

->Java cache emptied: 0 bytes

User: Kyle

->Java cache emptied: 0 bytes

User: Naomi

->Java cache emptied: 0 bytes

User: Paul

->Java cache emptied: 0 bytes

User: postgres

User: Public

User: Shelia

->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: ABC Mouse .com

->Flash cache emptied: 0 bytes

User: All Users

User: Default

->Flash cache emptied: 0 bytes

User: Default User

->Flash cache emptied: 0 bytes

User: Guest

->Flash cache emptied: 0 bytes

User: Kyle

->Flash cache emptied: 0 bytes

User: Naomi

->Flash cache emptied: 0 bytes

User: Paul

->Flash cache emptied: 0 bytes

User: postgres

User: Public

User: Shelia

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 06162013_103029

Files\Folders moved on Reboot...

C:\Users\Kyle\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

C:\Users\Kyle\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Adwcleaner Log

# AdwCleaner v2.303 - Logfile created 06/16/2013 at 10:45:47

# Updated 08/06/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Kyle - KENYA

# Boot Mode : Normal

# Running from : C:\Users\Kyle\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\END

Folder Deleted : C:\ProgramData\InstallMate

Folder Deleted : C:\ProgramData\Premium

Folder Deleted : C:\ProgramData\Zoomex

Folder Deleted : C:\Users\Kyle\AppData\Local\PackageAware

Folder Deleted : C:\Users\Paul\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKCU\Software\PrivitizeVPNInstallDates

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKCU\Software\StartSearch

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\nnplv4bj.default\prefs.js

[OK] File is clean.

File : C:\Users\Naomi\AppData\Roaming\Mozilla\Firefox\Profiles\spvh6gu3.default\prefs.js

[OK] File is clean.

File : C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\9qc0f4jk.default\prefs.js

[OK] File is clean.

File : C:\Users\Shelia\AppData\Roaming\Mozilla\Firefox\Profiles\5f6y7uhq.default\prefs.js

[OK] File is clean.

File : C:\Users\ABC Mouse .com\AppData\Roaming\Mozilla\Firefox\Profiles\l38amyfe.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v27.0.1453.110

File : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Shelia\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.3514] : urls_to_restore_on_startup = [ "hxxp://www.delta-search.com/?affID=119351&babsrc=HP_ss&mntrId[...]

File : C:\Users\ABC Mouse .com\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2316 octets] - [15/06/2013 12:37:45]

AdwCleaner[s1].txt - [2254 octets] - [16/06/2013 10:45:47]

########## EOF - C:\AdwCleaner[s1].txt - [2314 octets] ##########

Link to post
Share on other sites

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.