Clicking anything tries to download unwanted things



mmttw
2013-08-28, 05:28
Hello,

I apparently downloaded something nasty by accident. I ran a scan and cleaned some stuff out, but I am still having a problem. Whenever I click on just about anything it loads another tab asking me to download other things. Also, all of my banner ads are asking me to download things. Most of the tabs open with urls that start with gzj.jsopen. Also of interest is that when I was trying to download the programs to get the logs you need here it did something else odd. When I clicked on the links for the programs it just started downloading a program from a url that used getsoftfree.com as the source. I did not install them, but they loaded automatically when I was clicking on the link for ERUNT. I am attaching what I believe it was you were looking for for logs. I will warn you that I am a huge technotard, and you may need to explain things like you were telling to a child for me to get this right the first time. I apologize if I did the logs wrong, but it took me all night to get this far.

Thank you for your help.
mmttw


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660
Run by Mom's at 19:43:20 on 2013-08-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3767.2032 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Users\Mom's\AppData\Local\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Users\Mom's\AppData\Local\Google\Update\1.3.21.153\GoogleCrashHandler64.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Windows\system32\igfxext.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Mom's\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mom's\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mom's\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mom's\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mom's\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mom's\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www1.delta-search.com/?babsrc=HP_ss&mntrId=A81CD0DF9A9B7B0B&affID=119557&tsp=4985
uDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: LyricsContainer: {a47fdceb-4d34-49c8-bd51-24c1201d1473} - C:\Program Files (x86)\LyricsContainer\130.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Google Update] "C:\Users\Mom's\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://216.17.38.65:8051/DVROcxEx.cab
TCP: NameServer = 75.75.76.76 75.75.75.75 192.168.1.1
TCP: Interfaces\{44907CC4-7A2A-45F7-986B-97496E7B0377} : DHCPNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
TCP: Interfaces\{44907CC4-7A2A-45F7-986B-97496E7B0377}\34963736F65343134343 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{44907CC4-7A2A-45F7-986B-97496E7B0377}\6596277696E6D4F62696C65602D49664962323030302344333 : DHCPNameServer = 192.168.1.68
TCP: Interfaces\{44907CC4-7A2A-45F7-986B-97496E7B0377}\D4F4D435D20534F5E4564777F627B6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{44907CC4-7A2A-45F7-986B-97496E7B0377}\D4F4D435D20534F5E4564777F627B6F513 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{44907CC4-7A2A-45F7-986B-97496E7B0377}\D6D6474777 : DHCPNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
TCP: Interfaces\{B5840D9F-6020-46EE-B7D3-DFB4DFA7910D} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [ETDWare] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Mom's\AppData\Roaming\Mozilla\Firefox\Profiles\91kusb0y.default\
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
FF - plugin: C:\Users\Mom's\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - a81cacb8000000000000d0df9a9b7b0b
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15942
FF - user.js: extensions.delta.vrsn - 1.8.24.6
FF - user.js: extensions.delta.vrsni - 1.8.24.6
FF - user.js: extensions.delta.vrsnTs - 1.8.24.622:05:33
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=119557&tsp=4985
FF - user.js: extensions.delta_i.babExt -
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
FF - user.js: extensions.shownSelectionUI - true
.
.
.
.
.
============= SERVICES / DRIVERS ===============
.
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2012-10-7 135272]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-8-26 321104]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2011-10-18 867712]
R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2011-5-29 36456]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-8-26 13336]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2011-8-26 244624]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-6-28 255744]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-12-4 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-8-26 2320920]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2011-8-26 135560]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-8-26 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-8-26 158976]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-8-26 287232]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2010-5-15 384040]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-8-26 243712]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-4 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-08-26 02:55:12 -------- d-----w- C:\Program Files (x86)\LyricsContainer
2013-08-25 03:12:04 -------- d-----w- C:\Users\Mom's\AppData\Local\avgchrome
2013-08-25 03:11:34 -------- d-----w- C:\Users\Mom's\AppData\Local\SwvUpdater
2013-08-25 03:05:06 -------- d-----w- C:\Program Files (x86)\BrowseFox
2013-08-18 02:04:50 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-18 02:04:50 -------- d-----w- C:\Program Files\iTunes
2013-08-18 02:04:50 -------- d-----w- C:\Program Files\iPod
2013-08-18 02:04:50 -------- d-----w- C:\Program Files (x86)\iTunes
2013-08-18 02:02:21 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2013-08-18 02:02:21 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2013-08-18 02:02:21 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2013-08-18 02:02:21 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2013-08-18 02:02:21 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2013-08-17 22:41:30 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F950FE1-9F36-4DC8-A97A-A44595C3CA7A}\offreg.dll
2013-08-17 02:54:27 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F950FE1-9F36-4DC8-A97A-A44595C3CA7A}\mpengine.dll
2013-08-16 02:47:10 -------- d-----w- C:\Windows\System32\MRT
.
==================== Find3M ====================
.
2013-08-21 02:55:18 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-21 02:55:18 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-26 05:13:37 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-07-26 05:12:08 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-07-26 05:12:04 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-07-26 05:12:03 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-07-26 03:35:08 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-07-26 03:13:24 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-07-26 03:12:04 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-07-26 03:12:00 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-07-26 03:12:00 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-09 06:03:30 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-07-09 05:54:22 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-07-09 05:53:12 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-07-09 05:52:52 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 05:03:34 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-07-09 04:53:47 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:33 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-07-09 04:45:07 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-07-09 02:49:42 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-07-09 02:49:41 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-07-09 02:49:39 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-07-09 02:49:38 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-07-06 06:03:53 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-06-15 04:32:16 39936 ----a-w- C:\Windows\System32\drivers\tssecsrv.sys
2013-06-05 03:34:27 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-06-04 06:00:13 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-06-04 04:53:07 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
.
============= FINISH: 19:43:51.97 ===============



aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-27 21:02:45
-----------------------------
21:02:45.894 OS Version: Windows x64 6.1.7601 Service Pack 1
21:02:45.894 Number of processors: 4 586 0x2505
21:02:45.895 ComputerName: MOMS-PC UserName: Mom's
21:02:47.113 Initialize success
21:03:49.509 AVAST engine defs: 13082701
21:04:26.507 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:04:26.512 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
21:04:26.639 Disk 0 MBR read successfully
21:04:26.644 Disk 0 MBR scan
21:04:26.652 Disk 0 Windows 7 default MBR code
21:04:26.657 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15360 MB offset 2048
21:04:26.681 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 31459328
21:04:26.697 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 289783 MB offset 31664128
21:04:26.729 Disk 0 scanning C:\Windows\system32\drivers
21:04:34.571 Service scanning
21:04:59.999 Modules scanning
21:05:00.017 Disk 0 trace - called modules:
21:05:00.036 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:05:00.047 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006fcf060]
21:05:00.056 3 CLASSPNP.SYS[fffff88001b6343f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004f87050]
21:05:01.251 AVAST engine scan C:\Windows
21:05:03.541 AVAST engine scan C:\Windows\system32
21:07:53.267 AVAST engine scan C:\Windows\system32\drivers
21:08:04.755 AVAST engine scan C:\Users\Mom's
21:10:44.104 AVAST engine scan C:\ProgramData
21:11:25.897 Scan finished successfully
21:12:12.705 Disk 0 MBR has been saved successfully to "C:\Users\Mom's\Desktop\MBR.dat"
21:12:12.710 The log file has been saved successfully to "C:\Users\Mom's\Desktop\aswMBR.txt"

shelf life
2013-09-01, 15:59
hi mmttw,

Sorry for the delay. If you still need help simply reply back.

mmttw
2013-09-01, 23:51
I thought the reply was on the other page and all I saw was the link for how to prevent issues. Sorry I'm a bit of a dork. That's probably how I ended up in this situation in the first place. Please help.

Thanks,
mmttw

shelf life
2013-09-02, 01:26
ok. We will get two downloads to use. The first is the free version of Malwarebytes, which you can keep and use as an anti-malware app. The second download will be adwcleaner.

Malwarebytes:
Please download the free version of Malwarebytes (http://www.malwarebytes.org/products/malwarebytes_free/) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
---------------------------------------------------------------
Adwcleaner:

Please download Adwcleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
Right click on AdwCleaner.exe, and select "run as admin"
Click on Search.
A logfile will automatically open after the scan has finished
Close AdwCleaner with the X button. Click OK at the prompt to exit Adwcleaner
Copy and paste the contents of the log in your reply
You can also find the logfile at your root drive--> C:\AdwCleaner[R1].txt as well

mmttw
2013-09-02, 02:43
Thank you so much. Here are the logs you requested:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.01.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Mom's :: MOMS-PC [administrator]

Protection: Enabled

9/1/2013 5:48:07 PM
mbam-log-2013-09-01 (17-48-07).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 327785
Time elapsed: 34 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCR\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a86a606b-5364-416e-bd51-8e39eac54906} (PUP.Optional.LyricsAd) -> Quarantined and deleted successfully.
HKCR\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476} (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
HKCR\CLSID\{a47fdceb-4d34-49c8-bd51-24c1201d1473} (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A47FDCEB-4D34-49C8-BD51-24C1201D1473} (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{7da7bca1-6f71-4523-b121-bc44bdf92e2b} (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
HKCR\Interface\{97a62d7c-a568-4811-a778-eea678d3f51f} (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.StartPage) -> Bad: (http://www1.delta-search.com/?babsrc=HP_ss&mntrId=A81CD0DF9A9B7B0B&affID=119557&tsp=4985) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Program Files (x86)\LyricsContainer (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.

Files Detected: 33
C:\Program Files (x86)\LyricsContainer\LrcsCtrUpdr.exe (PUP.Optional.AdLyrics) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\Uninstall.exe (PUP.Optional.LyricsAd) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0OVSA9I3\wajam_install[1].exe (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IG3JYXKL\pack[1].7z (PUP.Optional.BrowserProtect.A) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U3JTCXUW\Setup[1].exe (PUP.Optional.BrowseFox.A) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYM68O1E\LyricsContainer_1060-8001_v122[1] (PUP.Optional.LyricsAd) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\SwvUpdater\Updater.exe (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Temp\air8476.exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Temp\setup.exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\Mom's\AppData\Local\Temp\nsc79D1.tmp\SimpleInstaller.exe (Adware.Linkular) -> Quarantined and deleted successfully.
C:\Users\Mom's\Downloads\Setup (1).exe (PUP.Optional.Solimba.mr) -> Quarantined and deleted successfully.
C:\Users\Mom's\Downloads\Setup (2).exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\Mom's\Downloads\Setup (3).exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\Mom's\Downloads\Setup (4).exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\Mom's\Downloads\setup (5).exe (Adware.Linkular) -> Quarantined and deleted successfully.
C:\Users\Mom's\Downloads\Setup.exe (PUP.Optional.Solimba.mr) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\sqlite3.dll (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\00.crx (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\00.xpi (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\01.crx (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\01.xpi (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\02.crx (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\02.xpi (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\130.crx (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\130.dat (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\130.dll (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\130.xpi (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\chrome.manifest (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\crx.dat (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\crx.db (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\xpi.dat (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LyricsContainer\xpi.db (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.
C:\Windows\Tasks\LyricsContainer Update.job (PUP.Optional.LyricsContainer.A) -> Quarantined and deleted successfully.

(end)


# AdwCleaner v3.002 - Report created 01/09/2013 at 18:39:11
# Updated 01/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Mom's - MOMS-PC
# Running from : C:\Users\Mom's\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\BrowseFox
Folder Deleted : C:\Users\Mom's\AppData\Local\PackageAware
Folder Deleted : C:\Users\Mom's\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\Mom's\AppData\Local\Temp\AirInstaller
File Deleted : C:\Users\Mom's\AppData\Roaming\Mozilla\Firefox\Profiles\91kusb0y.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\abfmigjiaapipflmopkaaooigcjjdojh
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\aedf8ae56fbe49
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\powerpack
Key Deleted : HKCU\Software\AppDataLow\Software\LyricsContainer

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660


-\\ Mozilla Firefox v13.0.1 (en-US)

[ File : C:\Users\Mom's\AppData\Roaming\Mozilla\Firefox\Profiles\91kusb0y.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\Mom's\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2066 octets] - [01/09/2013 18:34:27]
AdwCleaner[R1].txt - [2126 octets] - [01/09/2013 18:36:09]
AdwCleaner[S0].txt - [2005 octets] - [01/09/2013 18:39:11]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2065 octets] ##########

shelf life
2013-09-02, 05:42
Looks like adware/spyware stuff. If you look at the log, a PUP is a potentially unwanted program. The majority of this type of install can be easily avoided. How's the original problem you described now: better, somewhat better or unchanged?

mmttw
2013-09-02, 05:58
Thank you so much. That was ugly. I almost never load anything on my computer. I got this by saying yes to updating my Java. I will be much more careful in the future. Is there anything else I need to do?

Thank you,
mmttw

mmttw
2013-09-02, 06:19
It does not appear to be totally gone, but not nearly as bad. I can't imagine there is much left on my computer that could be bad, but I am thinking this thing adds other issues as we go. It isn't currently loading pages, but I am still getting the ad to load stuff on the pages I do want.

shelf life
2013-09-02, 16:40
What browser are you seeing the ads in? I don't see an AV app in your log. Do you have antivirus installed and updated? Spybot and Malwarebytes aren't antivirus.


I got this by saying yes to updating my Java
Only if you got it from a bogus site/install. Java install/updates now push (http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/) the Ask toolbar, unless you uncheck it.
Not only does Oracle push out foistware, it has a horrendous security record with its vulnerable software. But you can avoid both of these if you want. (http://disablejava.com/)

One more download to try:

Please download Junkware (http://thisisudax.org/downloads/JRT.exe) Removal Tool to your desktop.


Shut down your antivirus to avoid any conflicts.
Right-mouse click JRT.exe and select "Run as admin"
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your reply

mmttw
2013-09-03, 02:58
O.k., I ran that. I can't imagine there is much of anything left on my computer. Oddly, I went to disable Java and it didn't even appear as one of the plug-ins on my computer. Is it hidden somewhere? Or do I really not have it, and somehow got the notice to update it straight from a hacker? Here is the log from the last program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.7 (09.01.2013:1)
OS: Windows 7 Home Premium x64
Ran by Mom's on Mon 09/02/2013 at 18:44:27.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3944868438-1401671066-809823832-1001\Software\SweetIM
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{180780f0-b348-4b44-8210-94a8f3ee15b2}



~~~ Files

Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Mom's\appdata\local\best buy pc app"
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{0EA3E919-14FA-43BF-9300-A6C6FF717355}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{2277E41D-7C9B-4357-85F4-4EB0FC49D311}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{49E3F08A-0640-4C0C-A2A1-18B1F0711727}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{4D843473-BE79-4178-BE1E-A9D2B1884010}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{5A84D149-46BE-4D7C-8720-453B0D5EBDAA}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{5F4FFE59-ACA5-4E9A-9957-72DBE98D8BEC}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{624DAA82-3F17-4F37-A9C8-1BA3AF0F292F}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{7483312A-714D-448B-82C6-FA23CDC202E2}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{764A9A60-F488-4609-8ADB-94540DC24509}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{7EDB42D8-8B32-4861-B022-52584DC6F506}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{9D625B2D-BBBA-44CD-926C-3BA7C811C805}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{AE398E48-73F0-4A41-B304-188FCC94D129}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{AEC962C4-116D-4EA1-A033-28ECFB4F4190}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{BFFE6771-4269-42A8-B3FB-3731B55DF7E6}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{DAFE0501-88B2-410B-9178-43DE754F883D}
Successfully deleted: [Empty Folder] C:\Users\Mom's\appdata\local\{F1629B40-66C3-4B52-A987-B923273F7D75}



~~~ FireFox

Emptied folder: C:\Users\Mom's\AppData\Roaming\mozilla\firefox\profiles\91kusb0y.default\minidumps [2 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/02/2013 at 18:52:09.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

shelf life
2013-09-03, 05:04
You can check to see if Java is installed here. (https://www.java.com/en/download/installed.jsp) You probably got a popup to "update or install" "Java" (malware) from a malicious webpage.

Do you have updated antivirus installed on the machine? If not, there are several free versions to choose from. If you're still experiencing the same problem, does it happen only in one browser or all of them?