InertiaMike

iLivid & Chitka Pops

27 posts in this topic

On my system I have recurring pop ups from iLivid and Chitka. I have already run full scans with malwarebytes, combofix, MS Security Essentials, ESET Online Scan, TDSSKiller, RogueKiller and Symantec Endpoint Protection in SafeMode and none of these tools has removed whatever it is that is causing these annoying pop ups when browsing the internet either through Internet Explorer or Google Chrome. I have also tried rewriting the boot sector and MBR from the Windows install disk, I have also reset my HOSTS file using the Microsoft fixit utility to no avail. I have also updated Windows, Java, Flash Player, Chrome etc and removed any and all extensions from all browsers. I am hoping someone can help me get rid of these annoying pop ups. Here are some details of my system that might be relevant: Windows 7 Professional SP1 64-bit, Internet Explorer 8 fully patched, latest version of Google Chrome, MS Security Essentials. Thanks!


DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.17.2

Run by Philip Wooten at 11:25:10 on 2013-03-07

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8165.4722 [GMT -7:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\ProgramData\Bomgar-SCC-000000004F3EFD01\bomgar-scc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\ProgramData\Bomgar-SCC-000000004F3EFD01\bomgar-scc.exe

C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Norton Ghost\Agent\VProSvc.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe

C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe

C:\Windows\SysWOW64\TSSchBkpService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\msdtc.exe

C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe

c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe

C:\Program Files (x86)\PFU\ScanSnap\CardMinder\CardLauncher.exe

C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Windows\SSDriver\fi5110\SsWiaChecker.exe

C:\Program Files (x86)\Norton Ghost\Agent\VProTray.exe

C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

C:\AMICUS\AMICUS ATTORNEY 2012 SMALL FIRM\AmicusAtt12.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

C:\Windows\splwow64.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\ProgramData\Bomgar-SCC-000000004F3EFD01\bomgar-scc.exe

C:\ProgramData\Bomgar-SCC-000000004F3EFD01\bomgar-scc.exe

C:\ProgramData\Bomgar-SCC-000000004F3EFD01\nstvstub.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.foxnews.com/

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"

mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"

mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [DeviceDetector] C:\Program Files (x86)\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe

mRun: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun: [scanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe

mRun: [Norton Ghost 14.0] "C:\Program Files (x86)\Norton Ghost\Agent\VProTray.exe"

mRun: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CARDMI~1.LNK - C:\Program Files (x86)\PFU\ScanSnap\CardMinder\CardLauncher.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONVER~1.LNK - C:\Program Files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SCANSN~1.LNK - C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\AMICUS\AMICUS ATTORNEY 2012 SMALL FIRM\Research\GetTags.htm

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://eservices.scottsdaleaz.gov/dmc/downloads/mgaxctrl.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab

TCP: NameServer = 172.16.12.1

TCP: Interfaces\{CE3F80E3-DAA1-43D6-89E4-F99A445D01F1} : DHCPNameServer = 172.16.12.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab

x64-DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - <orphaned>

x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

x64-SSODL: WebCheck - <orphaned>

Hosts: 95.211.0.119 www.google-analytics.com.

Hosts: 95.211.0.119 ad-emea.doubleclick.net.

Hosts: 95.211.0.119 www.statcounter.com.

Hosts: 93.115.241.27 www.google-analytics.com.

Hosts: 93.115.241.27 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Philip Wooten\AppData\Roaming\Mozilla\Firefox\Profiles\9s7x9fie.default\

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-1-31 55856]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-1-31 203776]

R2 bomgar-ps-1329528065-1355306923;Bomgar Jump Client [1329528065-1355306923];C:\ProgramData\Bomgar-SCC-000000004F3EFD01\bomgar-scc.exe [2012-2-17 6560224]

R2 bomgar-scc-1329528065;Bomgar Support Customer Client [1329528065];C:\ProgramData\Bomgar-SCC-000000004F3EFD01\bomgar-scc.exe [2012-2-17 6560224]

R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-23 212944]

R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-8-19 1248256]

R2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2011-3-31 1646056]

R2 TSScheduleBackup;TimeslipsBackup;C:\Windows\SysWOW64\TSSchBkpService.exe [2012-2-26 736072]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-1-31 2656280]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2011-9-1 76056]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2011-9-1 15128]

R3 QuickBooksDB22;QuickBooksDB22;C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]

R3 SymSnapService;SymSnapService;C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe [2007-12-20 2550776]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\Windows\System32\dllhost.exe [2009-7-13 9728]

S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]

S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 130008]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-12 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2013-03-07 18:24:40 7680 ----a-w- C:\ProgramData\Z@!-c2006e94-d1b8-46b1-8e15-532522888384.tmp

2013-03-07 18:24:40 7168 ----a-w- C:\ProgramData\Z@S!-cbd296dd-ab12-4e8b-901c-c679eed0e51b.tmp

2013-03-07 05:34:29 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AD621F71-DADB-4024-937A-61F32E5CD1D1}\offreg.dll

2013-03-06 21:23:14 9162192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AD621F71-DADB-4024-937A-61F32E5CD1D1}\mpengine.dll

2013-03-06 21:04:01 -------- d-----w- C:\Program Files (x86)\VS Revo Group

2013-03-06 20:55:43 -------- d-sh--w- C:\$RECYCLE.BIN

2013-03-06 20:50:50 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll

2013-03-06 20:50:25 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-06 20:32:40 -------- d-----w- C:\ComboFix

2013-03-05 01:57:13 9162192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-02-28 00:02:57 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2013-02-28 00:02:05 -------- d-----w- C:\Program Files\iPod

2013-02-28 00:02:02 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-02-28 00:02:02 -------- d-----w- C:\Program Files\iTunes

2013-02-28 00:02:02 -------- d-----w- C:\Program Files (x86)\iTunes

2013-02-26 17:29:56 -------- d-----w- C:\Users\Philip Wooten\AppData\Local\Bomgar

2013-02-26 17:29:43 -------- d-----w- C:\Program Files\Bomgar

2013-02-26 16:30:30 -------- d-----w- C:\Program Files (x86)\ESET

2013-02-18 23:51:25 98816 ----a-w- C:\Windows\sed.exe

2013-02-18 23:51:25 256000 ----a-w- C:\Windows\PEV.exe

2013-02-18 23:51:25 208896 ----a-w- C:\Windows\MBR.exe

2013-02-15 22:31:48 186432 ----a-w- C:\Program Files (x86)\Mozilla Firefox\Plugins\nppdf32.dll

2013-02-14 05:24:28 -------- d-----w- C:\Users\Philip Wooten\AppData\Local\Programs

2013-02-13 23:11:20 -------- d-----w- C:\Users\Philip Wooten\AppData\Roaming\SpeedyPC Software

2013-02-13 23:11:20 -------- d-----w- C:\Users\Philip Wooten\AppData\Roaming\DriverCure

2013-02-13 23:10:43 -------- d-----w- C:\ProgramData\SpeedyPC Software

2013-02-13 21:13:06 -------- d-----w- C:\Users\Philip Wooten\AppData\Local\CRE

2013-02-13 21:12:06 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin

2013-02-13 21:12:05 -------- d-----w- C:\ProgramData\Strongvault Online Backup

2013-02-13 21:11:54 -------- d-----w- C:\AI_RecycleBin

.

==================== Find3M ====================

.

.

============= FINISH: 11:25:20.65 ===============


Your hosts file is still hijacked:

Hosts: 95.211.0.119 www.google-analytics.com.

Hosts: 95.211.0.119 ad-emea.doubleclick.net.

Hosts: 95.211.0.119 www.statcounter.com.

Hosts: 93.115.241.27 www.google-analytics.com.

Hosts: 93.115.241.27 ad-emea.doubleclick.net.

Run another scan with RogueKiller and post the new log.

MrC
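As an added example (not from this thread, and not code from RogueKiller or DDS), here is a small Python audit of a Windows hosts file that flags the pattern quoted above: well-known analytics and ad domains mapped to addresses that are not loopback, and the same hostname mapped to more than one such address (the "multiple HOSTS entries" condition DDS reported). The sample hosts content is constructed from the entries shown in the logs; `clean_hosts` is an assumed helper name.

```python
"""Audit a Windows hosts file for the hijack pattern seen in this thread.

Flags: (1) hostnames mapped to anything other than a loopback/unspecified
address, and (2) a hostname that appears under more than one such address.
"""
import ipaddress
from collections import defaultdict

# Sample hosts content constructed from the entries shown in the logs above
# (not a real file read from disk).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
95.211.0.119 www.google-analytics.com.
95.211.0.119 ad-emea.doubleclick.net.
95.211.0.119 www.statcounter.com.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped.

    Trailing dots (absolute FQDN form, as in the hijacked entries) are
    stripped so that 'example.com.' and 'example.com' compare equal.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field, not a mapping
        for name in names:
            yield ip, name.rstrip(".").lower()


def is_local(ip):
    """True for addresses a benign hosts entry normally points at."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return suspicious (address, name) pairs and names mapped to several
    non-local addresses."""
    by_name = defaultdict(set)
    suspicious = []
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue
        suspicious.append((str(ip), name))
        by_name[name].add(str(ip))
    multi = {n: sorted(a) for n, a in by_name.items() if len(a) > 1}
    return {"suspicious": suspicious, "multi_mapped": multi}


def clean_hosts(text):
    """Return hosts content with every non-local mapping line removed.

    Comment and blank lines are preserved; each kept line is unchanged.
    """
    kept = []
    for raw in text.splitlines():
        entries = list(parse_hosts(raw))
        if entries and any(not is_local(ip) for ip, _ in entries):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, name in report["suspicious"]:
        print(f"REDIRECTED: {name} -> {ip}")
    for name, addrs in report["multi_mapped"].items():
        print(f"MULTIPLE:   {name} -> {', '.join(addrs)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Writing the cleaned content back requires an elevated prompt, since the file lives under C:\Windows\system32\drivers\etc.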


Here is the RogueKiller Log:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Philip Wooten [Admin rights]

Mode : HOSTSFix -- Date : 03/07/2013 12:10:04

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

95.211.0.119 www.google-analytics.com.

95.211.0.119 ad-emea.doubleclick.net.

95.211.0.119 www.statcounter.com.

93.115.241.27 www.google-analytics.com.

93.115.241.27 ad-emea.doubleclick.net.

93.115.241.27 www.statcounter.com.

¤¤¤ Reset HOSTS: ¤¤¤

Finished : << RKreport[1]_H_03072013_02d1210.txt >>


Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

MrC


Here is the adwcleaner log:

# AdwCleaner v2.114 - Logfile created 03/07/2013 at 12:20:37

# Updated 05/03/2013 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (64 bits)

# User : Philip Wooten - PC1

# Boot Mode : Normal

# Running from : C:\Users\Philip Wooten\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v10.0.1 (en-US)

File : C:\Users\Philip Wooten\AppData\Roaming\Mozilla\Firefox\Profiles\9s7x9fie.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.152

File : C:\Users\Philip Wooten\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5262 octets] - [06/03/2013 13:51:23]

AdwCleaner[R2].txt - [898 octets] - [07/03/2013 12:20:37]

AdwCleaner[s1].txt - [5379 octets] - [06/03/2013 13:51:53]

########## EOF - C:\AdwCleaner[R2].txt - [1017 octets] ##########


Looks like you already ran that.

Please do this:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


While I look over the logs......

For kicks......

Go to the link below and at the bottom right corner > click Click Here > on the next page it should give you an option to opt-out.

http://chitika.com/

See if it's there. MrC


Do you recognize this:

PRC - [2012/12/08 03:04:58 | 000,041,984 | ---- | M] () -- C:\ProgramData\Bomgar-SCC-000000004F3EFD01\nstvstub.exe

MrC


OK, what about this one:

MOD - [2012/12/08 03:04:58 | 000,007,168 | ---- | M] () -- C:\ProgramData\Z@S!-3612210d-051f-4166-b349-e157df032baa.tmp

MrC


I don't recognize that one, but the Bomgar forum article mentions a similarly named file.


See if you can delete this:

C:\USERS\PHILIPWOOTEN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\9S7X9FIE.DEFAULT\EXTENSIONS\TIDYNETWORK@TIDYNETWORK

You may have to enable hidden files to see them:

http://www.howtogeek...-windows-vista/

Let me know.....MrC


The Extensions folder in that path is empty (even when viewing hidden and system files).


Did you do this:

http://forums.malwar...ndpost&p=654542

--------------------------------------

If you didn't already run this...please do:

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC


I did opt out of the chitika site, but it didn't stop the pop ups. I am running the Junkware Removal Tool now and will post logs soon.


Here is the log from JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.6.9 (03.06.2013:1)

OS: Windows 7 Professional x64

Ran by Philip Wooten on Thu 03/07/2013 at 14:35:37.14

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\speedypc software"

Successfully deleted: [Folder] "C:\ProgramData\strongvault online backup"

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"

~~~ FireFox

Emptied folder: C:\Users\Philip Wooten\AppData\Roaming\mozilla\firefox\profiles\9s7x9fie.default\minidumps [1 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Thu 03/07/2013 at 14:40:32.62

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in bold:

:OTL

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O4 - HKLM..\Run: [] File not found

O4 - HKU\S-1-5-21-2038607408-2014536849-66605718-1003..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found

O13 - gopher Prefix: missing

O18:64bit: - Protocol\Handler\intu-help-qb5 - No CLSID value found

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\qbwc - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18:64bit: - Protocol\Handler\wlpg - No CLSID value found

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

:Commands

[EMPTYJAVA]

[resethosts]

[emptytemp]

[EMPTYFLASH]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log".
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


Here is the OTL log after the reboot:

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Registry value HKEY_USERS\S-1-5-21-2038607408-2014536849-66605718-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\intu-help-qb5\ deleted successfully.

File Protocol\Handler\intu-help-qb5 - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.

File Protocol\Handler\livecall - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.

File Protocol\Handler\ms-help - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.

File Protocol\Handler\msnim - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\qbwc\ deleted successfully.

File Protocol\Handler\qbwc - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.

File Protocol\Handler\wlmailhtml - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.

File Protocol\Handler\wlpg - No CLSID value found not found.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

File delete failed. C:\ProgramData\Z@!-0b60825b-7b0a-4470-a4e0-211078a15d62.tmp scheduled to be deleted on reboot.

File delete failed. C:\ProgramData\Z@S!-4192b036-d3ae-4314-8ee6-09510ad3f3fa.tmp scheduled to be deleted on reboot.

File delete failed. C:\ProgramData\Z@!-0b60825b-7b0a-4470-a4e0-211078a15d62.tmp scheduled to be deleted on reboot.

File delete failed. C:\ProgramData\Z@S!-4192b036-d3ae-4314-8ee6-09510ad3f3fa.tmp scheduled to be deleted on reboot.

C:\Windows\invcol.tmp deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Philip Wooten

->Java cache emptied: 0 bytes

User: Public

User: QBDataServiceUser22

Total Java Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 57616 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Philip Wooten

->Temp folder emptied: 1239628 bytes

->Temporary Internet Files folder emptied: 251279184 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 11393412 bytes

->Google Chrome cache emptied: 73542476 bytes

->Flash cache emptied: 71961 bytes

User: Public

->Temp folder emptied: 0 bytes

User: QBDataServiceUser22

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 18336 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50467 bytes

RecycleBin emptied: 558822 bytes

Total Files Cleaned = 323.00 mb

[EMPTYFLASH]

User: All Users

User: Default

->Flash cache emptied: 0 bytes

User: Default User

->Flash cache emptied: 0 bytes

User: Philip Wooten

->Flash cache emptied: 0 bytes

User: Public

User: QBDataServiceUser22

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 03082013_104621

Files\Folders moved on Reboot...

File\Folder C:\ProgramData\Z@!-0b60825b-7b0a-4470-a4e0-211078a15d62.tmp not found!

File\Folder C:\ProgramData\Z@S!-4192b036-d3ae-4314-8ee6-09510ad3f3fa.tmp not found!

C:\Users\Philip Wooten\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{065B060F-B29A-4E8B-AB98-D7179F148F8E}.tmp not found!

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{28918E95-BEA3-4CCD-9D18-351F30D041D7}.tmp not found!

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{58746613-8AA2-4143-AAF1-649E82CD8251}.tmp not found!

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9FE2FE5C-5121-47E0-9564-E8A50FD70370}.tmp not found!

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ADD8C01D-F490-4810-9D2E-BC8C0906E1C3}.tmp not found!

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F3E6BF4C-82A3-49B1-BB88-9CCED5F2318F}.tmp not found!

File\Folder C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F3FA5C60-0894-4CD4-9C95-EF581AA5C72C}.tmp not found!

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YRX9ADF5\emily[2].html moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YRX9ADF5\iframe[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YRX9ADF5\if[2].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WWJZX71E\300x250-topbox[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WWJZX71E\push[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VLKXEZD7\fastbutton[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VLKXEZD7\fastbutton[2].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VLKXEZD7\like[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VLKXEZD7\placement_cookie[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VD81BOMB\emily[1].html moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VD81BOMB\ext[1].html moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RY5X7VET\xd_arbiter[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RY5X7VET\xd_arbiter[2].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOIMLCLE\728x90-topleader[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOIMLCLE\ads[4].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOIMLCLE\bv[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOIMLCLE\google[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBXQU13W\likebox[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBXQU13W\worldofsolitaire_com[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTFE4A4X\aclk[3].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTFE4A4X\iframe[2].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTFE4A4X\tweet_button.1362636220[2].html moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B78INHA0\emily[1].html moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B78INHA0\like[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B78INHA0\push[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B78INHA0\zrt_lookup[1].html moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4HIUFJFK\fastbutton[1].htm moved successfully.

C:\Users\Philip Wooten\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

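A fix log like the one posted above is long, and what actually matters for a follow-up is which items were removed, which were only scheduled for removal on reboot, and which of those were confirmed gone afterwards. The script below is an added example (not from the thread and not part of OTL) that summarises an OTL fix log by those outcomes. The line formats it recognises are the ones visible in the log above; the sample log embedded in it is a constructed subset of those lines, including one scheduled deletion with no later confirmation so that the pending case is exercised.

```python
"""Summarise an OTL fix log into what was actually removed.

Added example, not part of the original thread or of OTL itself. The line
formats are taken from the OTL log posted in the thread; SAMPLE_LOG is a
constructed subset of those lines.
"""
import re
from collections import defaultdict

# Constructed sample in the formats seen in the posted log. The second
# "File delete failed" entry deliberately has no "not found!" line after the
# reboot, so it shows up as still pending.
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
File Protocol\Handler\livecall - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
File delete failed. C:\ProgramData\Z@S!-4192b036-d3ae-4314-8ee6-09510ad3f3fa.tmp scheduled to be deleted on reboot.
File delete failed. C:\ProgramData\Z@!-0b60825b-7b0a-4470-a4e0-211078a15d62.tmp scheduled to be deleted on reboot.
C:\Windows\invcol.tmp deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Files\Folders moved on Reboot...
File\Folder C:\ProgramData\Z@S!-4192b036-d3ae-4314-8ee6-09510ad3f3fa.tmp not found!
C:\Users\Philip Wooten\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
"""

# Ordered: the first matching pattern wins, so the specific "delete failed"
# form is tested before the generic "deleted successfully" forms.
PATTERNS = [
    ("scheduled_on_reboot", re.compile(r"^File delete failed\. (?P<item>.+?) scheduled to be deleted on reboot\.$")),
    ("deleted", re.compile(r"^(?:64bit-)?Registry (?:key|value) (?P<item>.+?) deleted successfully\.$")),
    ("deleted", re.compile(r"^(?P<item>[A-Za-z]:\\.+?) deleted successfully\.$")),
    ("moved", re.compile(r"^(?P<item>[A-Za-z]:\\.+?) moved successfully\.$")),
    ("not_found", re.compile(r"^(?:64bit-)?Registry key (?P<item>.+?) not found\.$")),
    ("not_found", re.compile(r"^File\\Folder (?P<item>.+?) not found!$")),
    ("not_found", re.compile(r"^File (?P<item>.+?) not found\.$")),
]


def parse_otl_log(text):
    """Return {outcome: [item, ...]} for every recognised result line.

    Section banners ("===== OTL =====") and trailing "..." headers are skipped;
    lines in no known format (e.g. "HOSTS file reset successfully") are ignored.
    """
    summary = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=====") or line.endswith("..."):
            continue
        for outcome, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                summary[outcome].append(m.group("item"))
                break
    return dict(summary)


def still_pending(summary):
    """Items scheduled for deletion on reboot that were neither deleted nor
    reported "not found" afterwards: these are worth rechecking by hand."""
    resolved = set(summary.get("deleted", [])) | set(summary.get("not_found", []))
    return [i for i in summary.get("scheduled_on_reboot", []) if i not in resolved]


if __name__ == "__main__":
    result = parse_otl_log(SAMPLE_LOG)
    for outcome, items in result.items():
        print(f"{outcome}: {len(items)}")
    print("still pending:", still_pending(result))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the "still pending" list is the part to read before declaring the fix complete, since OTL only reports a scheduled deletion as done when the reboot pass prints a matching "not found!" line.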

OK, just run another RogueKiller scan to see if the host file is OK now.

Is there any improvement?? MrC

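The thread has already reset the HOSTS file twice (the Microsoft fixit and OTL's [resethosts]), and the request above is to confirm it is still clean. The script below is an added example (not from the thread and not part of RogueKiller or OTL) of what that confirmation looks like in code: it parses a HOSTS file, treats the two entries Windows ships with as the baseline, and flags everything else as either a blocked name (mapped to 0.0.0.0 or loopback, the way update and security sites get silenced) or a redirected name (mapped to some other address). The sample file content, host names and addresses are constructed and use reserved documentation ranges and the .invalid TLD.

```python
"""Review a Windows HOSTS file for entries that block or redirect sites.

Added example, not part of the thread or of any tool used in it. Run with
no arguments to check the constructed sample, or pass a path such as
C:\\Windows\\System32\\drivers\\etc\\hosts to check a real file.
"""
import ipaddress
import sys

# Entries a stock Windows HOSTS file contains; anything else is reported.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the stock header plus three non-default entries of the
# kind a modified HOSTS file might contain (assumed examples, not from the
# thread's logs). 203.0.113.0/24 is a reserved documentation range.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.invalid   # name resolves to nowhere
203.0.113.9     www.example-bank.invalid    # name sent to another host
127.0.0.1       ads.example.invalid
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # an address with no names maps nothing
            continue
        ip, *names = parts
        for name in names:          # one line may list several names
            entries.append((ip, name.lower(), n))
    return entries


def classify(ip, name):
    """default, blocked, redirected or malformed for one mapping."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if (ip, name) in DEFAULT_ENTRIES:
        return "default"
    if addr.is_unspecified or addr.is_loopback:
        # 0.0.0.0 / 127.x make the name unreachable. Legitimate for ad
        # blocking or local development, so review rather than auto-delete.
        return "blocked"
    return "redirected"             # name answered by a non-local address


def review_hosts(text):
    """Return {kind: [(line_no, ip, name), ...]} for all non-default entries."""
    findings = {}
    for ip, name, n in parse_hosts(text):
        kind = classify(ip, name)
        if kind != "default":
            findings.setdefault(kind, []).append((n, ip, name))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    report = review_hosts(content)
    if not report:
        print("HOSTS file contains only the default entries.")
    for kind, rows in report.items():
        for line_no, ip, name in rows:
            print(f"{kind:10} line {line_no}: {ip} -> {name}")
```

A "redirected" result deserves the closest look: a bank or webmail name pointed at an unfamiliar address is the classic HOSTS hijack, while "blocked" entries are often benign ad-blocking or developer additions and only matter when they cover update or security-vendor names.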

It looks like the OTL fix did the trick, there have not been any popups as of yet. I will continue to monitor it, the host file looks ok. Thank you so much for your help!


OK, let me know.

I would like to check your security and we also have some clean-up to do:

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC
