-
Something else that might be a problem. I was in my AOL software and went into internet options. In the manage add ons section there are a bunch of add ons under Microsoft Corporation:
XML Dom Doc, HTML DLG Safe Helper Class, Windows Media Player, XML HTTP 6.0 and a few others. In a box where you want to add websites to run it was a *. I removed it. I've never seen these files in add ons before. I went into my IE 10 directly and they are not there. Still getting pop ups when I enter e-mail. Not sure what the heck is going on. I've disabled everything that was listed in add ons under Microsoft heading. Not sure where to go from here.
-
Not a fan of anything AOL. If you can live without it, go ahead into Programs and Features in the Control Panel and uninstall it all; in this day and age there is no need for anything AOL.
Running AdwCleaner and Junkware Removal and then Malwarebytes should remove those pop ups
Here they are again in case you need them. Run them all even if you have already; when you're done with them all, go ahead and run a new scan with FRST, checkmark Additions and post both logs.
- AdwCleaner by Xplode
Click on this link to download: ADWCleaner
Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.
Do not click on any links in the top advertisement.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next reply.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
===============================================================================
Please download Junkware Removal Tool to your desktop.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.
===============================================================================
Download Malwarebytes' Anti-Malware to your desktop.
- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8: Right click and select "Run as Administrator".
- On the Dashboard click on Update Now
- Go to the Settings tab
- Under Settings, go to Detection and Protection
- Under PUP and PUM, make sure both are set to Treat Detections as Malware
- Go to Advanced Settings and make sure Automatically Quarantine Detected Items is checked
- Then on the Dashboard click on Scan
- Make sure to select THREAT SCAN
- Then click on Scan
- When the scan is finished and the log pops up...select Copy to Clipboard
- Please paste the log back into this thread for review
- Exit Malwarebytes
-
Cannot do without AOL but I did do a quick restore on it. I will rerun all that stuff you suggested and will get back to you with logs in a little while.
-
Following are the logs: They found nothing but I'm still getting adnxs pop ups.
# AdwCleaner v4.002 - Report created 29/10/2014 at 10:42:47
# DB v2014-10-26.6
# Updated 27/10/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Gateway - GATEWAY-PC
# Running from : C:\Users\Gateway\Desktop\adwcleaner_4.002.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.17116
*************************
AdwCleaner[R0].txt - [712 octets] - [29/10/2014 10:39:08]
AdwCleaner[S0].txt - [627 octets] - [29/10/2014 10:42:47]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [686 octets] ##########
JRT log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Home Premium x64
Ran by Gateway on Wed 10/29/2014 at 10:57:02.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 10/29/2014 at 10:59:31.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MBAM log:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 10/29/2014
Scan Time: 11:01:11 AM
Logfile: mbam log.txt
Administrator: Yes
Version: 2.00.3.1025
Malware Database: v2014.10.29.05
Rootkit Database: v2014.10.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Gateway
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316784
Time Elapsed: 16 min, 6 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
I will be back on later. Have some stuff to do.
-
What I would do is go into your AOL mail and delete anything with an attachment, or even mail that you deem safe but no longer need, even in your Sent folder, then empty the trash; just guessing, you may have an infected email.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- See this Link for programs that need to be disabled and instruction on how to disable them.
- Remember to re-enable them when we're done.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
-
<<What I would do is go into your AOL mail and delete anything with an attachment or even mail that you deem safe but no longer need, even in your send folder then empty the trash, just guessing you may have an infected email>>
E-mail in AOL is not stored on the computer, so that you can access it anywhere. But I did go ahead and permanently delete the deleted e-mails and anything else I didn't think I would need.
Here's the combofix log:
ComboFix 14-10-29.01 - Gateway 10/29/2014 13:30:50.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3764.2645 [GMT -5:00]
Running from: c:\users\Gateway\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-09-28 to 2014-10-29 )))))))))))))))))))))))))))))))
.
.
2014-10-29 18:38 . 2014-10-29 18:38 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-10-29 18:38 . 2014-10-29 18:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-29 18:33 . 2014-10-29 18:33 -------- d-----w- c:\users\Gateway\AppData\Local\CrashDumps
2014-10-29 16:29 . 2014-10-29 16:29 111080 ----a-w- c:\windows\system32\drivers\eKdgjNlY.sys
2014-10-29 16:28 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5D769973-A26B-4408-B1CB-B88CB8F20A13}\mpengine.dll
2014-10-29 16:00 . 2014-10-29 16:31 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-29 16:00 . 2014-10-01 16:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-29 16:00 . 2014-10-01 16:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-29 16:00 . 2014-10-01 16:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-29 16:00 . 2014-10-29 16:00 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-10-29 15:53 . 2014-10-29 15:53 111080 ----a-w- c:\windows\system32\drivers\AVoXsrYx.sys
2014-10-29 15:43 . 2014-10-29 15:43 111080 ----a-w- c:\windows\system32\drivers\HxQQQsyo.sys
2014-10-29 15:39 . 2014-10-29 15:42 -------- d-----w- C:\AdwCleaner
2014-10-29 15:17 . 2014-10-29 15:17 111080 ----a-w- c:\windows\system32\drivers\MxlQYWlT.sys
2014-10-29 12:48 . 2014-10-29 12:48 111080 ----a-w- c:\windows\system32\drivers\PwOKWLIh.sys
2014-10-29 11:09 . 2014-10-29 11:09 111080 ----a-w- c:\windows\system32\drivers\UBrLFeHr.sys
2014-10-29 10:48 . 2014-10-29 10:48 111080 ----a-w- c:\windows\system32\drivers\opRcMSkk.sys
2014-10-28 18:39 . 2014-10-28 18:39 -------- d-----w- c:\programdata\Malwarebytes
2014-10-28 18:35 . 2014-10-28 18:35 111080 ----a-w- c:\windows\system32\drivers\iAncQEAl.sys
2014-10-28 15:20 . 2014-10-29 12:47 -------- d-----w- C:\FRST
2014-10-28 08:20 . 2014-10-28 08:20 111080 ----a-w- c:\windows\system32\drivers\jnsAdKtw.sys
2014-10-28 07:35 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-27 16:58 . 2014-10-27 16:58 -------- d-----w- c:\users\Gateway\AppData\Local\Apps
2014-10-27 14:54 . 2014-10-27 14:54 111080 ----a-w- c:\windows\system32\drivers\pDKYbgdo.sys
2014-10-27 14:39 . 2014-10-27 14:39 111080 ----a-w- c:\windows\system32\drivers\JmOVyYpY.sys
2014-10-27 12:40 . 2014-10-27 12:40 -------- d-----w- c:\programdata\boost_interprocess
2014-10-27 12:29 . 2014-10-27 12:29 111080 ----a-w- c:\windows\system32\drivers\atYthjoV.sys
2014-10-27 12:25 . 2014-10-27 12:25 111080 ----a-w- c:\windows\system32\drivers\IXtkPayO.sys
2014-10-27 12:19 . 2014-10-27 12:19 111080 ----a-w- c:\windows\system32\drivers\YVTTuumS.sys
2014-10-27 12:10 . 2014-10-27 12:10 111080 ----a-w- c:\windows\system32\drivers\gSuQpyHA.sys
2014-10-27 12:06 . 2014-10-27 12:06 111080 ----a-w- c:\windows\system32\drivers\PGBxTkEF.sys
2014-10-27 00:43 . 2014-10-27 00:43 111080 ----a-w- c:\windows\system32\drivers\ufimfweO.sys
2014-10-26 23:25 . 2014-10-26 23:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
2014-10-26 12:46 . 2014-10-26 12:46 111080 ----a-w- c:\windows\system32\drivers\SaBACdhX.sys
2014-10-25 18:42 . 2014-10-25 18:42 111080 ----a-w- c:\windows\system32\drivers\qkkcNgcg.sys
2014-10-24 22:36 . 2014-10-24 22:36 111080 ----a-w- c:\windows\system32\drivers\sBDzxsjA.sys
2014-10-22 15:01 . 2014-10-22 15:01 111080 ----a-w- c:\windows\system32\drivers\iOwjfFdq.sys
2014-10-22 11:23 . 2014-10-22 11:23 111080 ----a-w- c:\windows\system32\drivers\sNmtkkiz.sys
2014-10-22 11:05 . 2014-10-22 11:05 111080 ----a-w- c:\windows\system32\drivers\PHrqeLVS.sys
2014-10-22 10:54 . 2014-10-22 10:54 111080 ----a-w- c:\windows\system32\drivers\KnLHwfQW.sys
2014-10-21 19:34 . 2014-10-21 19:34 111080 ----a-w- c:\windows\system32\drivers\BlFSMOwS.sys
2014-10-21 13:00 . 2014-10-21 13:00 111080 ----a-w- c:\windows\system32\drivers\ipEyTLGa.sys
2014-10-21 12:49 . 2014-06-18 22:23 1943696 ----a-w- c:\windows\system32\dfshim.dll
2014-10-21 12:49 . 2014-06-18 22:23 156312 ----a-w- c:\windows\system32\mscorier.dll
2014-10-21 12:49 . 2014-06-18 22:23 156824 ----a-w- c:\windows\SysWow64\mscorier.dll
2014-10-21 12:49 . 2014-06-18 22:23 1131664 ----a-w- c:\windows\SysWow64\dfshim.dll
2014-10-21 12:49 . 2014-06-18 22:23 73880 ----a-w- c:\windows\system32\mscories.dll
2014-10-21 12:49 . 2014-06-18 22:23 81560 ----a-w- c:\windows\SysWow64\mscories.dll
2014-10-21 12:40 . 2014-10-21 12:40 111080 ----a-w- c:\windows\system32\drivers\tICbFABY.sys
2014-10-21 12:37 . 2014-10-21 12:37 111080 ----a-w- c:\windows\system32\drivers\uOqCtCGV.sys
2014-10-21 12:32 . 2014-08-29 02:07 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2014-10-21 12:32 . 2014-09-04 05:23 424448 ----a-w- c:\windows\system32\rastls.dll
2014-10-21 12:32 . 2014-09-04 05:04 372736 ----a-w- c:\windows\SysWow64\rastls.dll
2014-10-21 12:32 . 2014-09-29 00:58 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-10-21 12:32 . 2014-09-05 02:11 6584320 ----a-w- c:\windows\system32\mstscax.dll
2014-10-21 12:32 . 2014-09-05 01:52 5703168 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-10-21 12:31 . 2014-09-13 01:58 77312 ----a-w- c:\windows\system32\packager.dll
2014-10-21 12:31 . 2014-09-13 01:40 67072 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-21 12:17 . 2014-10-21 12:17 111080 ----a-w- c:\windows\system32\drivers\TejdXozT.sys
2014-10-20 07:29 . 2014-10-20 07:29 111080 ----a-w- c:\windows\system32\drivers\VaIZBLul.sys
2014-10-09 16:42 . 2014-10-09 16:42 111080 ----a-w- c:\windows\system32\drivers\pkUPoewm.sys
2014-10-08 09:40 . 2014-10-08 09:40 111080 ----a-w- c:\windows\system32\drivers\PvmDPGpu.sys
2014-10-08 09:14 . 2014-10-08 09:14 111080 ----a-w- c:\windows\system32\drivers\qCEOYKVu.sys
2014-10-06 11:42 . 2014-10-06 11:42 111080 ----a-w- c:\windows\system32\drivers\FKACWuEl.sys
2014-10-03 23:34 . 2014-10-03 23:34 111080 ----a-w- c:\windows\system32\drivers\kCpsrgpo.sys
2014-10-02 13:31 . 2014-10-22 15:15 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-02 13:31 . 2014-10-02 13:31 -------- d-----w- c:\programdata\RogueKiller
2014-10-01 10:17 . 2014-09-17 11:05 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{78B986AF-7794-4504-8620-03B8D602F3A3}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-29 17:31 . 2014-09-29 17:31 111080 ----a-w- c:\windows\system32\drivers\exTZeEAA.sys
2014-09-29 12:58 . 2014-09-29 12:58 111080 ----a-w- c:\windows\system32\drivers\Cllvxtmc.sys
2014-09-29 12:40 . 2014-09-29 12:40 111080 ----a-w- c:\windows\system32\drivers\dubezlMy.sys
2014-09-28 23:59 . 2014-09-28 23:59 111080 ----a-w- c:\windows\system32\drivers\OyPexOOc.sys
2014-09-28 19:58 . 2014-09-28 19:58 111080 ----a-w- c:\windows\system32\drivers\yMxFRDLr.sys
2014-09-28 19:36 . 2014-09-28 19:36 111080 ----a-w- c:\windows\system32\drivers\UzVfwxBv.sys
2014-09-28 14:17 . 2014-09-28 14:17 111080 ----a-w- c:\windows\system32\drivers\VbdJPgnZ.sys
2014-09-28 13:59 . 2014-09-28 13:59 111080 ----a-w- c:\windows\system32\drivers\bUvERcaW.sys
2014-09-28 11:53 . 2014-09-28 11:53 111080 ----a-w- c:\windows\system32\drivers\ICPieGzC.sys
2014-09-27 21:41 . 2014-09-27 21:41 111080 ----a-w- c:\windows\system32\drivers\UgqyfSyY.sys
2014-09-27 21:22 . 2014-09-27 21:22 111080 ----a-w- c:\windows\system32\drivers\dFcHOCdB.sys
2014-09-27 21:13 . 2014-09-27 21:13 111080 ----a-w- c:\windows\system32\drivers\KxCEIaxm.sys
2014-09-27 21:07 . 2014-09-27 21:07 111080 ----a-w- c:\windows\system32\drivers\yspnfyZk.sys
2014-09-25 13:11 . 2014-09-25 13:11 111080 ----a-w- c:\windows\system32\drivers\OVeQxxot.sys
2014-09-25 13:01 . 2014-09-25 13:01 111080 ----a-w- c:\windows\system32\drivers\NsnVqhYY.sys
2014-09-24 16:07 . 2014-09-24 16:07 111080 ----a-w- c:\windows\system32\drivers\gRQyHaVv.sys
2014-09-24 12:14 . 2014-09-24 12:14 111080 ----a-w- c:\windows\system32\drivers\cqVRFPRT.sys
2014-09-22 06:42 . 2011-10-27 20:21 278152 ------w- c:\windows\system32\MpSigStub.exe
2014-09-20 22:52 . 2014-09-20 22:52 111080 ----a-w- c:\windows\system32\drivers\orzShdkG.sys
2014-09-20 22:40 . 2014-09-20 22:40 111080 ----a-w- c:\windows\system32\drivers\lNmKKXXK.sys
2014-09-20 22:13 . 2014-09-20 22:13 111080 ----a-w- c:\windows\system32\drivers\ILtPGRZV.sys
2014-09-20 22:11 . 2014-09-20 22:11 111080 ----a-w- c:\windows\system32\drivers\NBCkzyDb.sys
2014-09-20 21:46 . 2014-09-20 21:46 111080 ----a-w- c:\windows\system32\drivers\SsgbkfyY.sys
2014-09-20 13:10 . 2013-06-26 14:27 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-20 13:10 . 2013-06-26 14:27 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-17 11:05 . 2012-02-10 12:24 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-16 10:51 . 2014-09-16 10:51 111080 ----a-w- c:\windows\system32\drivers\aWWCvThI.sys
2014-09-09 22:11 . 2014-09-29 17:23 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-29 17:23 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-03 19:47 . 2010-06-24 18:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-09-03 19:46 . 2014-09-03 19:46 111080 ----a-w- c:\windows\system32\drivers\iVIgRJke.sys
2014-09-03 19:44 . 2014-09-03 19:44 111080 ----a-w- c:\windows\system32\drivers\LixWLhJB.sys
2014-08-31 17:20 . 2014-08-31 17:20 111080 ----a-w- c:\windows\system32\drivers\HwhACASq.sys
2014-08-28 21:09 . 2014-08-28 21:09 111080 ----a-w- c:\windows\system32\drivers\ajOQjQhU.sys
2014-08-27 14:47 . 2014-08-27 14:47 111080 ----a-w- c:\windows\system32\drivers\txAthFaK.sys
2014-08-27 14:46 . 2014-08-27 14:46 111080 ----a-w- c:\windows\system32\drivers\JKzFHMwg.sys
2014-08-23 02:07 . 2014-09-20 21:59 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-09-20 21:59 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-23 00:34 . 2014-08-23 00:34 111080 ----a-w- c:\windows\system32\drivers\vCKYeTXc.sys
2014-08-21 13:56 . 2014-08-21 13:56 111080 ----a-w- c:\windows\system32\drivers\SXkkfHGk.sys
2014-08-19 15:44 . 2014-08-19 15:44 111080 ----a-w- c:\windows\system32\drivers\lFDmxCus.sys
2014-08-10 22:23 . 2014-08-10 22:22 111080 ----a-w- c:\windows\system32\drivers\ObnXGiKQ.sys
2014-08-02 18:38 . 2014-08-02 18:38 111080 ----a-w- c:\windows\system32\drivers\OBYIpiCc.sys
2014-08-01 11:53 . 2014-09-20 22:01 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-08-01 11:35 . 2014-09-20 22:01 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files (x86)\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-08-11 975952]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-06-20 73832]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-01-16 647120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCDSRVC{FCB8192B-6C0E95E9-06020101}_0;PCDSRVC{FCB8192B-6C0E95E9-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms;c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-07 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-07 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-07 413208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-29 11101800]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-06-10 324608]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2010-06-11 861216]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.aol.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{FCB8192B-6C0E95E9-06020101}_0]
"ImagePath"="\??\c:\users\gateway\appdata\local\temp\i1amxcawrfo3\pcdrdiag\bin\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@DACL=(02 0000)
@="Bing"
"URL"="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
"DisplayName"="@ieframe.dll,-12512"
"FaviconURL"="http://www.bing.com/favicon.ico"
"SuggestionsURL"="http://api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source?}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-29 13:46:48
ComboFix-quarantined-files.txt 2014-10-29 18:46
.
Pre-Run: 567,220,666,368 bytes free
Post-Run: 566,681,833,472 bytes free
.
- - End Of File - - E7318077D953FCAB3C349E51402095F3
-
Oh, forgot to mention: as I was running ComboFix, it said Webroot SecureAnywhere was still active even though I had it disabled. It comes up when I reboot and I disable it because I don't like it except for clearing temp files. So for the most part it's disabled. Also, at about 8 or 9 in the ComboFix process, a notification came up that PEV.exe stopped working and required me to close the program to continue. Not sure if that's part of ComboFix or something else.
-
ComboFix is showing a ton of drivers that won't Google; when I can't find any info on them, they're most times bad. I want you to check two of them before we remove them all.
You need to enable windows to show all files and folders, instructions Here
Go to VirusTotal and submit these files for analysis: just use CHOOSE FILE and then Scan It. If it says this file has been checked before, have them recheck it. When the scan is done, just copy and paste the link back to this forum for me to see.
c:\windows\system32\drivers\eKdgjNlY.sys
c:\windows\system32\drivers\AVoXsrYx.sys
If the site is busy you can try this one
http://virusscan.jotti.org/en
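The helper's point above, that a run of identically sized drivers with random eight-letter names in system32\drivers deserves a closer look, can be applied to a pasted ComboFix log mechanically instead of by eye. The following Python script is an added example written for this page; it is not part of ComboFix, of the forum's tooling, or of any of the products named in the thread. It parses the `Files Created` lines (the `created . modified size attrs path` layout seen in the log above), groups random-looking driver names by byte size, and lists the clusters so each member can be hashed and submitted for a reputation check as the helper asks. The sample log is a constructed excerpt of lines taken from the thread, and the "eight mixed-case letters plus .sys" filename heuristic is an assumption of this example, not a ComboFix rule; the user's later finding that the files belonged to Webroot is exactly why the output is a list to verify, not a list to delete.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix "Files Created" / "Find3M" line:
#   2014-10-29 16:29 . 2014-10-29 16:29 111080 ----a-w- c:\windows\system32\drivers\eKdgjNlY.sys
# Directories carry "--------" instead of a byte size.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_combofix_lines(text: str) -> List[Entry]:
    """Parse every line that matches the ComboFix file-listing layout; skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def looks_random_driver(entry: Entry) -> bool:
    """Heuristic (an assumption of this example): a .sys file under a drivers
    directory whose stem is exactly eight letters in mixed case, which is how
    the unexplained drivers in the thread are named. All-lowercase names such
    as tsusbflt.sys are deliberately excluded to limit false positives."""
    if "\\drivers\\" not in entry.path.lower():
        return False
    name = entry.basename
    if not name.lower().endswith(".sys"):
        return False
    stem = name[:-4]
    return (len(stem) == 8 and stem.isalpha()
            and not stem.islower() and not stem.isupper())


def find_driver_clusters(entries: List[Entry], min_count: int = 3) -> Dict[int, List[Entry]]:
    """Group random-looking drivers by byte size; a size shared by several such
    files (111080 bytes in the thread) is the signal worth chasing."""
    by_size: Dict[int, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.size is not None and looks_random_driver(e):
            by_size[e.size].append(e)
    return {size: es for size, es in by_size.items() if len(es) >= min_count}


def triage_report(text: str, min_count: int = 3) -> Dict[int, List[str]]:
    """Return {size: [paths...]} for every cluster, sorted for stable output.
    These paths are candidates to hash, signature-check and submit for
    reputation lookup, not a removal list."""
    clusters = find_driver_clusters(parse_combofix_lines(text), min_count)
    return {size: sorted(e.path for e in es) for size, es in sorted(clusters.items())}


# Constructed sample: a handful of lines copied from the ComboFix log in the thread,
# mixing the unexplained drivers with a directory and known product files.
SAMPLE_LOG = """\
2014-10-29 18:38 . 2014-10-29 18:38 -------- d-----w- c:\\users\\Public\\AppData\\Local\\temp
2014-10-29 16:29 . 2014-10-29 16:29 111080 ----a-w- c:\\windows\\system32\\drivers\\eKdgjNlY.sys
2014-10-29 16:00 . 2014-10-29 16:31 129752 ----a-w- c:\\windows\\system32\\drivers\\MBAMSwissArmy.sys
2014-10-29 16:00 . 2014-10-01 16:11 25816 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2014-10-29 15:53 . 2014-10-29 15:53 111080 ----a-w- c:\\windows\\system32\\drivers\\AVoXsrYx.sys
2014-10-29 15:43 . 2014-10-29 15:43 111080 ----a-w- c:\\windows\\system32\\drivers\\HxQQQsyo.sys
2014-10-21 12:49 . 2014-06-18 22:23 1943696 ----a-w- c:\\windows\\system32\\dfshim.dll
2014-10-02 13:31 . 2014-10-22 15:15 37624 ----a-w- c:\\windows\\system32\\drivers\\TrueSight.sys
"""

if __name__ == "__main__":
    for size, paths in triage_report(SAMPLE_LOG).items():
        print(f"{len(paths)} random-named drivers of {size} bytes:")
        for p in paths:
            print("   ", p)
```

Feed it the whole ComboFix log (both the `Files Created` and `Find3M` sections use the same line layout) and it reports one cluster per shared size. The next step is the one the helper describes: hash each listed file and check it against VirusTotal or a similar service, and check whether it carries a valid publisher signature; a cluster that turns out to be signed by an installed security product, as happened in this thread, is noise and is left alone.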
-
When I go to VirusTotal I cannot find either of these drivers. When I search for them in the C: drive, the properties say it's part of Webroot SecureAnywhere. I've had this come up before. I don't know why those won't show, except for maybe they are part of security software?
-
Did some asking around and they may be part of Webroot. Never been a big fan of Webroot; it's up to you, but try uninstalling it and see if things get better.