Mother's computer infected with snapdo, internet is slow



thebecker1998
2014-03-14, 03:06
Edit http://forums.spybot.info/showthread.php?70257-Father-s-computer-with-virus-Chrome-is-down
------------------------------------
My mother's computer has been infected with something called snapdo. It has gotten very slow and Chrome is practically unusable.

It is a new computer. It had Windows 8 first, but they hated W8, and it got the viruses on it too. They reformatted and installed Windows 7 (should be a fresh copy of Windows), and the viruses got there soon after.


The symptoms are as follows:

-- Booting up is very slow.
-- Exiting sleep mode takes a long time, and when it exits I get the error message "Photo Screensaver stopped working".



Malwarebytes keeps blocking stuff, which seems to be associated with snapdo showing up in new tabs. Looking through the Malwarebytes logs, it keeps on picking up on a few things, the IP address:
It keeps on seeing srptm.exe (associated with Chrome)
IP address switches between IP block 162.210.192.22 and 192.26
with ports 63096, 63097, 63163, 63164, 63257, 63258
and also logged sndappv2.exe with IP, with similar ports and IP addresses. I can retrieve the logs for you.

For Chrome, Chrome runs as slow as the century bulb when picking up a new page or starting a new tab.
The new tab and search engine default to search.snapdo.com.
It has some extensions that can't be killed: Highlightly and Tube Dimmer.
The startup pages have been changed to search.conduit.com and feed.snapdo.com.

Internet Explorer is as slow as the grand pitch drop experiment when starting a new tab, and now because of the virus it has popups too.
It now has the snapdo bar, which reloads on every page. The home page and new tab page default to snapdo.

IE also reports a few IE extensions:

tubeDimmer
highlightly
findwide
mywordtool
helpAPI
tidynetwork
snap.do
smartbarInternetExplorerBHOEngine
Yahoo! Toolbar (maybe not a virus, but can we remove it anyway?)
Yahoo toolbar helper
SingleInstance Class by Yahoo! Inc




I went looking through Add/Remove Programs in Control Panel, and picked out some that look bad (I haven't done anything yet):

albrechto
findewide.com
helperapps
highlightly
microsoftsecurityessentials (it doesn't look like the official one, I think)
mywordtool
snap.do
snap.do.engine
tubedimmer
tubedimmer updater
yahoo toolbar


snapdo also put popups into IE that play sound. They take over the window and run very slowly. It blocks access to the settings menu while it is loading. Once the popup loads fully, control is returned and you can close the popup.

I had to reboot during this process; it got hit with a 'waiting for "" programs to close' error message (it's an empty string).
It took a long time to wake up after that.

As it started, I got a message from User Account Control,

the usual "a program is trying to access your computer" type of message:
setup.exe
publisher: unknown
origin: hard drive
location: "c:\users\becker\appdata\local\temp\s3mk\setup.exe" /s

I told it not to do anything

The Microsoft Security Client User Interface popped up from the notification center. I don't recognize it as a real Microsoft product, but I haven't used them in a while.
Before I rebooted it had mentioned that I was in need of protection. Now it said I was protected, but nothing was changed by me. It seems fishy.





SPYBOT LOGS
I ran Spybot, and hit a paradox. Spybot first said it was out of date. Then when I tried to update it, it said it was already up to date. Look at the jpg picture attached in the zip to see what it looks like. I poked around in the update log, and it seems like it couldn't reach the Spybot website to get the download. I then ran a scan, but I was having trouble editing the logfile like you guys like, so I have the whole thing in the zip.



DDS LOGS

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16518 BrowserJavaVersion: 10.51.2
Run by Becker at 18:54:57 on 2014-03-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3968.2409 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe
C:\ProgramData\Updater\updater.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Highlightly\Service\hlsvc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\LPT\srpts.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Users\Becker\AppData\Local\Smartbar\Application\SnapDo.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Users\Becker\AppData\Local\LPT\srptm.exe
C:\Program Files (x86)\Sendori\sndappv2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files (x86)\albrechto\updatealbrechto.exe
C:\Users\Becker\AppData\Local\Smartbar\Application\Lrcnta.exe
C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\albrechto\bin\utilalbrechto.exe
C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Sendori\Sendori.Service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Sendori\SendoriSvc.exe
C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k HPService
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicator.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH47wqF9LzMF7h-ut22GnIEZWP3gGGjbBLyGwL2-xlD2-e0vOs73owtEVWLW7LqEsA,,
uSearch Bar = hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}
uSearch Page = hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}
uDefault_Page_URL = hxxp://search.findwide.com/?guid={E4A8993E-209C-4F1D-9819-F5C172BAE9DB}&serpv=22
uProxyServer =
uSearchAssistant = hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}
mWinlogon: Userinit = userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: SmartbarInternetExplorerBHOEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} -
BHO: Tube Dimmer: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\TubeDimmer\IE\common.dll
BHO: MyWordTool: {45470599-8237-486D-87B5-E89CD6AED154} - C:\Users\Becker\AppData\Roaming\MyWordTool\temp.dat
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Highlightly: {83F2328D-0D6A-42B4-B0C4-02A929EDD4BE} - C:\Program Files (x86)\Highlightly\IE\HighlightlyClientIE.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HelperApps: {F36C4DA0-8FBA-3F8B-C92B-A66ED4B7B0EA} - C:\Program Files (x86)\HelperApps\petn.dll
BHO: TidyNetwork: {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: FindWide Toolbar: {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} -
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: FindWide Toolbar: {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} -
TB: Snap.Do: {ae07101b-46d4-4a98-af68-0333ea26e113} -
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [HP Photosmart 6520 series (NET)] "C:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN2BD352RK05XP:NW" -scfn "HP Photosmart 6520 series (NET)" -AutoStart 1
uRun: C:\ProgramData\Updater\updater.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
uRun: C:\Users\Becker\AppData\Local\Smartbar\Application\SnapDo.exe startup
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [Updater] C:\ProgramData\Updater\Updater.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: C:\Windows\System32\Sendori.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.15.0.cab
TCP: Interfaces\{522A3844-5AD8-44BA-A5A4-41A0E32E5438} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D9048890-0845-4039-B7C2-DCDC2B6D48AF} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs= C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: SmartbarInternetExplorerBHOEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} -
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Highlightly: {83F2328D-0D6A-42B4-B0C4-02A929EDD4BE} - C:\Program Files\Highlightly\IE\HighlightlyClientIE.dll
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: HelperApps: {F36C4DA0-8FBA-3F8B-C92B-A66ED4B7B0EA} - C:\Program Files (x86)\HelperApps\petn64.dll
x64-BHO: TidyNetwork: {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn64.dll
x64-TB: FindWide Toolbar: {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} -
x64-TB: Snap.Do: {ae07101b-46d4-4a98-af68-0333ea26e113} -
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-12-30 55024]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-12-31 28600]
R1 hlnfd;hlnfd;C:\Windows\System32\drivers\hlnfd.sys [2013-12-4 58256]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-12-31 440400]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-12-31 440400]
R2 Application Sendori;Application Sendori;C:\Program Files (x86)\Sendori\SendoriSvc.exe [2013-10-7 120096]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-12-31 108440]
R2 CltMngSvc;Search Protect by Conduit Service;C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe [2014-2-6 2360608]
R2 hlsvc;Highlightly Client Service;C:\Program Files (x86)\Highlightly\Service\hlsvc.exe [2013-12-4 273000]
R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [2013-12-17 46904]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-8 607456]
R2 Intel(R) ME Service;Intel(R) ME Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2013-12-26 128280]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2013-12-26 161560]
R2 LPTSystemUpdater;LPT System Updater Service;C:\Program Files (x86)\LPT\srpts.exe [2014-2-6 32288]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-12-26 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-12-26 701512]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 RtkAudioService;Realtek Audio Service;C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [2013-8-1 246488]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-1-20 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-1-20 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-1-20 171416]
R2 Service Sendori;Service Sendori;C:\Program Files (x86)\Sendori\Sendori.Service.exe [2013-10-7 22304]
R2 sndappv2;sndappv2;C:\Program Files (x86)\Sendori\sndappv2.exe [2013-10-7 3623200]
R2 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [2013-12-26 5341536]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-12-26 363800]
R2 Update albrechto;Update albrechto;C:\Program Files (x86)\albrechto\updatealbrechto.exe [2013-12-6 111904]
R2 Util albrechto;Util albrechto;C:\Program Files (x86)\albrechto\bin\utilalbrechto.exe [2014-1-1 111904]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-12-26 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-1-21 805088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2014-1-22 108800]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-2-13 111616]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2013-5-23 77592]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2013-5-23 13080]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-12-26 19456]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2014-1-22 206080]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-12-26 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-12-26 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-26 1255736]
.
=============== Created Last 30 ================
.
2014-03-04 12:17:21 -------- d-----w- C:\Windows\Hewlett-Packard
2014-03-04 08:45:19 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{87ECD907-A281-4DEF-A01E-669B386D9E7A}\mpengine.dll
2014-03-03 08:45:54 10536864 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-02-28 19:27:51 -------- d-----w- C:\Program Files (x86)\LPT
2014-02-28 19:26:39 -------- d-----w- C:\Users\Becker\AppData\Local\LPT
2014-02-28 19:26:38 -------- d-----w- C:\Users\Becker\AppData\Local\Smartbar
2014-02-28 19:25:49 -------- d-----w- C:\Program Files (x86)\HiDefMedia
2014-02-28 15:28:01 -------- d-----w- C:\Windows\pss
2014-02-28 08:45:24 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F1524E68-8676-4223-B215-5C0CC13FEBD9}\gapaengine.dll
2014-02-20 22:41:08 8835464 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2014-02-13 08:03:23 548864 ----a-w- C:\Windows\System32\vbscript.dll
2014-02-13 08:03:23 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-02-12 11:45:16 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-02-12 11:45:15 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2014-02-12 11:45:15 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-02-12 11:45:15 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-02-12 11:43:59 3928064 ----a-w- C:\Windows\System32\d2d1.dll
2014-02-12 11:43:59 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
.
==================== Find3M ====================
.
2014-03-13 22:38:17 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2014-02-20 22:41:28 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-20 22:41:28 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-06 11:30:46 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-02-06 11:30:12 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-02-06 11:07:39 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-02-06 11:06:47 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-02-06 10:49:03 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-02-06 10:48:45 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-02-06 10:48:11 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-02-06 10:20:26 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-02-06 10:11:37 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-02-06 10:01:36 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-02-06 10:00:46 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-02-06 09:50:32 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-02-06 09:47:22 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-02-06 09:46:27 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-02-06 09:25:36 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-02-06 09:24:52 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-02-06 09:09:30 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-02-06 08:41:35 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-01-22 13:52:10 206080 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys
2014-01-22 13:52:10 108800 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-01 01:11:52 84720 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2014-01-01 01:11:52 28600 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2014-01-01 01:11:52 108440 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2013-12-19 02:09:39 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
============= FINISH: 18:55:40.65 ===============




aswMBR.txt

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-13 18:56:04
-----------------------------
18:56:04.912 OS Version: Windows x64 6.1.7601 Service Pack 1
18:56:04.912 Number of processors: 2 586 0x3A09
18:56:04.912 ComputerName: BECKER-PC UserName: Becker
18:56:06.425 Initialize success
18:58:59.601 AVAST engine defs: 14031301
19:01:48.331 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:01:48.331 Disk 0 Vendor: ST500DM002-1BD142 HP73 Size: 476940MB BusType: 11
19:01:48.502 Disk 0 MBR read successfully
19:01:48.502 Disk 0 MBR scan
19:01:48.534 Disk 0 Windows 7 default MBR code
19:01:48.565 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:01:48.612 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
19:01:48.814 Disk 0 scanning C:\Windows\system32\drivers
19:02:01.965 Service scanning
19:02:39.920 Modules scanning
19:02:39.920 Disk 0 trace - called modules:
19:02:39.936 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
19:02:39.936 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80046c1410]
19:02:39.936 3 CLASSPNP.SYS[fffff8800196843f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800425d430]
19:02:41.464 AVAST engine scan C:\Windows
19:02:43.898 AVAST engine scan C:\Windows\system32
19:11:15.985 AVAST engine scan C:\Windows\system32\drivers
19:11:42.754 AVAST engine scan C:\Users\Becker
19:26:07.885 AVAST engine scan C:\ProgramData
19:29:41.075 Scan finished successfully
20:07:27.556 Disk 0 MBR has been saved successfully to "C:\Users\Becker\Desktop\MBR.dat"
20:07:27.587 The log file has been saved successfully to "C:\Users\Becker\Desktop\aswMBR.txt"
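
An added triage helper (not part of this post, and not code from DDS itself) that parses lines in the "Pseudo HJT Report" format above and lists the entries a helper would look at first: names from this thread's unwanted-program list, browser add-ons registered with no backing file, anything running from AppData/ProgramData/Temp, hijacked start/search pages, and the AppInit_DLLs/LSP injection points. The sample lines are copied from the DDS log above, with the long snapdo tracking parameter truncated to a placeholder.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the forum post or of DDS. The indicators it
checks are the ones visible in this thread; the unwanted-program list is a
constructed list of the names the poster and helper mention.
"""
import re

# Sample lines copied from the DDS log in the thread (constructed subset;
# the snapdo tracking parameter is replaced by TRUNCATED).
SAMPLE_LOG = r"""
uStart Page = hxxp://feed.snapdo.com/?p=TRUNCATED
uDefault_Page_URL = hxxp://search.findwide.com/?guid={E4A8993E-209C-4F1D-9819-F5C172BAE9DB}&serpv=22
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: SmartbarInternetExplorerBHOEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} -
BHO: Tube Dimmer: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\TubeDimmer\IE\common.dll
BHO: MyWordTool: {45470599-8237-486D-87B5-E89CD6AED154} - C:\Users\Becker\AppData\Roaming\MyWordTool\temp.dat
TB: FindWide Toolbar: {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} -
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: C:\Users\Becker\AppData\Local\Smartbar\Application\SnapDo.exe startup
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
LSP: C:\Windows\System32\Sendori.dll
AppInit_DLLs= C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
"""

# Unwanted programs named in the thread (constructed list, assumption).
SUSPECT_RE = re.compile(
    r"snap\.?do|smartbar|highlightly|tube ?dimmer|findwide|mywordtool|"
    r"helperapps|tidynetwork|sendori|searchprotect|albrechto|conduit|\\LPT\\",
    re.IGNORECASE,
)
# Folders any user can write to; vendor software rarely runs from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)
# HijackThis-style prefix: u = current-user hive, m = machine hive, d = default user.
ENTRY_RE = re.compile(r"^(u|m|d|x64-)?(\w[\w -]*?)\s*[:=]\s*(.*)$")
BRACKET_RE = re.compile(r"^\[(.*?)\]\s*(.*)$")                     # Run: [Name] target
CLSID_RE = re.compile(r"^(.*?):\s*\{[0-9A-Fa-f-]+\}\s*-\s*(.*)$")  # BHO: Name: {CLSID} - target
HIJACK_KINDS = {"Start Page", "Search Bar", "Search Page", "Default_Page_URL", "SearchAssistant"}


def parse_entry(line):
    """Split one report line into (kind, name, target); None for non-entries."""
    line = line.strip()
    if not line or line.startswith((".", "=")):   # separators and section headers
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, rest = m.group(2), m.group(3).strip()
    b = BRACKET_RE.match(rest)
    if b:
        return kind, b.group(1), b.group(2).strip()
    c = CLSID_RE.match(rest)
    if c:
        return kind, c.group(1).strip(), c.group(2).strip()
    return kind, "", rest


def triage(lines):
    """Return (kind, name, target, reasons) for every entry worth a look."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        kind, name, target = entry
        reasons = []
        if SUSPECT_RE.search(name) or SUSPECT_RE.search(target):
            reasons.append("name/path matches an unwanted program named in the thread")
        if kind in ("BHO", "TB", "EB") and not target:
            reasons.append("browser add-on registered with no backing file (orphaned or hidden)")
        if USER_WRITABLE_RE.search(target):
            reasons.append("runs from a user-writable folder")
        if kind in HIJACK_KINDS and target:
            # Start/search settings are always listed so the host can be verified.
            host = re.match(r"\w+://([^/?]+)", target)
            reasons.append("start/search setting points at " + (host.group(1) if host else target))
        if kind == "AppInit_DLLs":
            reasons.append("AppInit DLL is loaded into every process that uses user32.dll")
        if kind == "LSP":
            reasons.append("Winsock LSP sits in the network path of every socket")
        if reasons:
            findings.append((kind, name, target, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, target, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {name or target}")
        for reason in reasons:
            print("    - " + reason)
```

Run against the full log, the same rules would also pull out updater.exe under ProgramData, the LPT srptm.exe/srpts.exe entries, and the Snap.Do toolbars registered without a file.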

Juliet
2014-03-15, 00:07
wowssa!

I know up front that all of this will not come off in one swoop.

Let's try to make a dent in it each time we run something.

Let's keep our fingers crossed. :)


The Microsoft Security Client User Interface popped up from the notification center. I don't recognize it as a real Microsoft product, but I haven't used them in a while.
Before I rebooted it had mentioned that I was in need of protection. Now it said I was protected, but nothing was changed by me. It seems fishy.
As far as I can tell your current version of Microsoft Security Essentials is correct, but you've installed Avira\AntiVir Desktop too?
I would like to see only 1 antivirus on the computer.

For MSE let's do this:
This may be caused by MSE v2 changing the tray icon to “notification only”. To make the icon visible, right click on the task bar and select Properties. On the Task Bar tab, select “Notification area” and Customize. Look for the Microsoft Security Client user interface and change the setting to “Show icon and notifications”.
You should find MSE in the All Programs list on the Start Menu, or you will find it in this location: C:\Program Files\Microsoft Security Client. Double click msseces and MSE will open; then on the main page it should have a TV screen with a green tick on it if it's currently active and up to date.


Try to remove these items out of uninstall programs list
albrechto
findewide.com
Highlightly
Smartbar
SearchProtect
snap.do
snap.do.engine
tubedimmer
tubedimmer updater

If one resists simply go to the next.

~~~~~~~~~~~~~~~~~~~~~~
c:\users\becker\appdata\local\temp
Please locate the above folder and delete the contents inside. Don't delete the folder, just what's inside .... IF it will allow it.

~~~~~~~~~~~~~~~~~~~

Please download and run RogueKiller 32 Bit (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) to your desktop.

RogueKiller 64 Bit (http://tigzy.geekstogo.com/Tools/RogueKillerX64.exe) <---use this one for 64 bit systems

Which system am I using? (http://support.microsoft.com/kb/827218)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Post back the report which should be located on your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner by Xplode

Click on this link to download: AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top advertisement.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean" <-- look over the list of folders; if you see anything that should not be deleted, please uncheck that item.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.
Shut down your protection software now to avoid potential conflicts. Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator". The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log (JRT.txt) is saved to your desktop and will automatically open. Post the contents of JRT.txt into your next message.

I need to see logs for
RogueKiller
RKill
C:\AdwCleaner[S1].txt
JRT.txt

thebecker1998
2014-03-17, 00:37
some notes
1) windows had to update first
2) your link for roguekiller64 is dead, but the other link worked fine

tried deleting everything:

albrechto - asked to reboot later
findwide - didn't fight back
highlightly - setup failed
search protect - was a no show, it disappeared
Snap do fought back (see attached)
snapdo engine - error : it has already been uninstalled
tubedimmer - gave a popup (see the snapdo report)
TD engine - didn't fight back


11338

emptied the temp folder (it doesn't show up automatically)
1 file can't be killed: FXSAPIDebugLogFile

The scanners and their logs

Rogue Killer Log: 11336
RKill log -- note, Avira popped up with a security alert (I removed the issue; it is zipped into the "snapdo fights back" zip) 11335
AdwCleaner -- trying to download it (with the second link) redirects to getsoftfree.com. Chrome still redirects to other sites when I try to maneuver back. Went again and got it from the first blue arrow link.
ADWCleaner found some items, cleaned it, and rebooted. 11337
JRT ran fine, here is the report 11334



Looking over the computer now:
Chrome looks better, no extensions causing trouble, but snapdo is still the default search or new tab.
IE has some remnants in the extensions, but they might just be titles. They are all in 'Not Available'.

Highlightly remains in the add/remove programs, but I can't remove it, it says it may be uninstalled already.

Juliet
2014-03-17, 12:07
Good work
Some items were partially removed, we'll attempt to remove the rest.

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/)

(use the correct version for your system... Which system am I using? (http://support.microsoft.com/kb/827218))
and Tutorial http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/



Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
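The FRST.txt log requested above is long, and the hijacker's footholds are scattered across several sections (Winsock LSPs, AppInit_DLLs, IE add-on registrations whose DLL is already gone, Chrome's default search and policy keys, third-party services). The script below is an added triage example for this thread; it is not part of FRST or of any post here. It reads an FRST-style log and flags those persistence points. The indicator names (snapdo, conduit, searchprotect, sendori, tidynetwork, findwide, tnt2) are an assumption drawn from the logs posted in this thread, and the embedded sample is built from lines of the FRST.txt posted in the next reply, with the long search URL shortened and two benign Microsoft/Avira lines added to show they are not flagged.

```python
"""Triage a Farbar Recovery Scan Tool (FRST.txt) log for browser-hijacker
persistence points. Added example for this thread, not part of FRST or of the
forum posts; the indicator list is an assumption taken from the logs posted here."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Vendor/domain fragments seen in this thread's logs (assumed list, lowercase).
SUSPECT_NAMES = ("snapdo", "conduit", "searchprotect", "sendori",
                 "tidynetwork", "findwide", "tnt2")

# FRST service/driver lines look like "R2 MsMpSvc; C:\..." or "S2 sndappv2; C:\...".
SERVICE_RE = re.compile(r"^[RSU][0-4] [^;]+;")


@dataclass
class Finding:
    line_no: int
    category: str
    reason: str
    text: str


def _suspect(low: str) -> bool:
    return any(name in low for name in SUSPECT_NAMES)


def triage_frst(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a hijacker persistence pattern."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if line.startswith("Winsock: Catalog9"):
            # A Layered Service Provider is loaded into every Winsock client;
            # anything not from Microsoft deserves a look.
            if "(microsoft corporation)" not in low:
                findings.append(Finding(n, "winsock-lsp",
                                        "third-party LSP sees all TCP/IP traffic", line))
        elif line.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is injected into every process that loads user32.dll.
            findings.append(Finding(n, "appinit-dll",
                                    "DLL injected into every GUI process", line))
        elif line.startswith(("BHO:", "BHO-x32:", "Toolbar:")) and line.endswith("No File"):
            # Registration survives but the DLL is gone: leftover of a partial uninstall.
            findings.append(Finding(n, "orphan-ie-addon",
                                    "IE add-on registered but file missing", line))
        elif line.startswith("CHR Default") and _suspect(low):
            findings.append(Finding(n, "chrome-search-hijack",
                                    "Chrome default search points at a suspect domain", line))
        elif line.startswith("CHR HKLM\\SOFTWARE\\Policies\\Google") and "ATTENTION" in line:
            # A machine-wide Chrome policy can pin the search engine so the UI cannot change it.
            findings.append(Finding(n, "chrome-policy",
                                    "Chrome policy key present; check it is not pinning the hijacker", line))
        elif SERVICE_RE.match(line) and _suspect(low):
            findings.append(Finding(n, "suspect-service",
                                    "service or driver from a suspect vendor", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a quick overview before reading each line."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample: lines copied from the FRST.txt posted in this thread
# (search URL shortened), plus two benign lines that must not be flagged.
SAMPLE_LOG = r"""
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn64.dll No File
BHO-x32: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn.dll No File
Toolbar: HKLM - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport.dll No File
Toolbar: HKCU - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
Winsock: Catalog9 01 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 02 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 03 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 04 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 15 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR DefaultSearchURL: http://feed.snapdo.com/?p=...&q={searchTerms}
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
R2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [120096 2013-10-07] (Sendori, Inc.)
R2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-10-07] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-10-07] (Sendori)
"""

if __name__ == "__main__":
    results = triage_frst(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:>3} [{f.category}] {f.reason}: {f.text[:70]}")
    print(summarize(results))
```

Run it against a saved FRST.txt with `triage_frst(open("FRST.txt", encoding="utf-8", errors="replace").read())`. The point of the Winsock check is that an LSP entry cannot simply be deleted from the registry without breaking networking, which is why the thread hands that cleanup to a tool rather than to manual registry edits; the "No File" entries are what remains after the uninstallers in the earlier post only half-succeeded.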

thebecker1998
2014-03-21, 04:29
so far so good.

Once we are done though, I want to get things set up to protect the computer for them. I've used the hosts file before to block ads and bad sites, and that seems to work for them.

Addition.txt
11355

it was all too long for this post, so I attached it.

FRST.TXT

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Becker (administrator) on BECKER-PC on 18-03-2014 08:09:11
Running from C:\Users\Becker\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(sendori) C:\Program Files (x86)\Sendori\Sendori.Service.exe
(Sendori, Inc.) C:\Program Files (x86)\Sendori\SendoriSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Avira Operations GmbH & Co. KG) C:\program files (x86)\avira\antivir desktop\ipmGui.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicator.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [3091224 2013-07-31] (Logitech, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SDTray] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\.DEFAULT\...\RunOnce: [SpUninstallDeleteDir] - rmdir /s /q "\SearchProtect"
HKU\S-1-5-21-90707034-2536013608-1354686508-1000\...\Run: [HP Photosmart 6520 series (NET)] - C:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-90707034-2536013608-1354686508-1000\...\Run: [Spybot-S&D Cleaning] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3666224 2013-09-20] (Safer-Networking Ltd.)
HKU\S-1-5-21-90707034-2536013608-1354686508-1000\...\MountPoints2: F - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-90707034-2536013608-1354686508-1000\...\MountPoints2: {09ce5ddc-85de-11e3-aa80-7c0507891520} - F:\VZW_Software_upgrade_assistant.exe
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found

==================== Internet (Whitelisted) ====================

ProxyServer: 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x0A07C5197102CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll (Logitech, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn64.dll No File
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll (Logitech, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn.dll No File
BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport.dll No File
Toolbar: HKCU - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455}
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.15.0.cab
Winsock: Catalog9 01 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 02 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 03 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 04 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Winsock: Catalog9 15 C:\Windows\SysWOW64\Sendori.dll [325920] (Sendori)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR DefaultSearchURL: http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIaag,,&q={searchTerms}
CHR DefaultNewTabURL:
CHR Extension: (Google Wallet) - C:\Users\Becker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-26]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
R2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [120096 2013-10-07] (Sendori, Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [46904 2013-12-17] (Hewlett-Packard Company)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-16] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-08-01] (Realtek Semiconductor)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-10-07] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-10-07] (Sendori)

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-31] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-31] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-31] (Avira Operations GmbH & Co. KG)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-18 08:09 - 2014-03-18 08:09 - 00013581 _____ () C:\Users\Becker\Desktop\FRST.txt
2014-03-18 08:09 - 2014-03-18 08:09 - 00000000 ____D () C:\FRST
2014-03-18 07:40 - 2014-03-18 07:35 - 02157056 _____ (Farbar) C:\Users\Becker\Desktop\FRST64.exe
2014-03-15 20:17 - 2014-03-15 20:17 - 00001338 _____ () C:\Users\Becker\Desktop\JRT.txt
2014-03-15 20:13 - 2014-03-15 20:13 - 00000000 ____D () C:\Windows\ERUNT
2014-03-15 20:07 - 2014-03-15 19:13 - 00007623 _____ () C:\Users\Becker\Desktop\AdwCleaner[S0].txt
2014-03-15 18:58 - 2014-03-15 19:13 - 00000000 ____D () C:\AdwCleaner
2014-03-15 18:56 - 2014-03-15 18:57 - 01950720 _____ () C:\Users\Becker\Desktop\AdwCleaner.exe
2014-03-15 18:43 - 2014-03-15 18:43 - 00002324 _____ () C:\Users\Becker\Desktop\Rkill.txt
2014-03-15 17:29 - 2014-03-15 17:29 - 00001927 _____ () C:\Users\Becker\Desktop\RKreport[0]_S_03152014_172928.txt
2014-03-15 17:26 - 2014-03-15 18:42 - 00000000 ____D () C:\Users\Becker\Desktop\RK_Quarantine
2014-03-15 17:25 - 2014-03-13 17:36 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Becker\Desktop\rkill.exe
2014-03-15 17:25 - 2014-03-13 17:35 - 01037734 _____ (Thisisu) C:\Users\Becker\Desktop\JRT.exe
2014-03-15 17:24 - 2014-03-14 22:36 - 03901952 _____ () C:\Users\Becker\Desktop\RogueKiller.exe
2014-03-13 21:36 - 2014-03-13 21:36 - 00053281 _____ () C:\Users\Becker\Desktop\spybotlogs.rar
2014-03-13 21:36 - 2014-03-13 21:36 - 00003137 _____ () C:\Users\Becker\Desktop\attach.rar
2014-03-13 21:33 - 2014-03-13 21:33 - 00650249 _____ () C:\Users\Becker\Desktop\spybotreport 031314.txt
2014-03-13 20:07 - 2014-03-13 20:07 - 00001843 _____ () C:\Users\Becker\Desktop\aswMBR.txt
2014-03-13 20:07 - 2014-03-13 20:07 - 00000512 _____ () C:\Users\Becker\Desktop\MBR.dat
2014-03-13 19:01 - 2014-03-01 01:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-13 19:01 - 2014-03-01 01:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-13 19:01 - 2014-03-01 00:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-13 19:01 - 2014-03-01 00:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-13 19:01 - 2014-03-01 00:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-13 19:01 - 2014-03-01 00:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-13 19:01 - 2014-03-01 00:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-13 19:01 - 2014-03-01 00:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-13 19:01 - 2014-03-01 00:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-13 19:01 - 2014-03-01 00:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-13 19:01 - 2014-03-01 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-13 19:01 - 2014-03-01 00:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-13 19:01 - 2014-03-01 00:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-13 19:01 - 2014-03-01 00:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-13 19:01 - 2014-02-28 23:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-13 19:01 - 2014-02-28 23:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-13 19:01 - 2014-02-28 23:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-13 19:01 - 2014-02-28 23:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-13 19:01 - 2014-02-28 23:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-13 19:01 - 2014-02-28 23:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-13 19:01 - 2014-02-28 23:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-13 19:01 - 2014-02-28 23:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-13 19:01 - 2014-02-28 23:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-13 19:01 - 2014-02-28 23:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-13 19:01 - 2014-02-28 23:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-13 19:01 - 2014-02-28 23:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-13 19:01 - 2014-02-28 23:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-13 19:01 - 2014-02-28 23:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-13 19:01 - 2014-02-28 23:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-13 19:01 - 2014-02-28 23:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-13 19:01 - 2014-02-28 23:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-13 19:01 - 2014-02-28 22:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-13 19:01 - 2014-02-28 22:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-13 19:01 - 2014-02-28 22:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-13 19:01 - 2014-02-28 22:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-13 19:01 - 2014-02-28 22:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-13 19:01 - 2014-02-28 22:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-13 19:01 - 2014-02-06 21:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-13 19:01 - 2014-01-28 22:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-13 19:01 - 2014-01-28 22:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-13 19:01 - 2014-01-27 22:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-13 19:00 - 2014-03-01 02:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-13 19:00 - 2014-03-01 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-13 19:00 - 2014-03-01 00:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-13 19:00 - 2014-02-03 22:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-13 19:00 - 2014-02-03 22:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-13 19:00 - 2014-02-03 22:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-13 19:00 - 2014-02-03 22:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-13 18:55 - 2014-03-13 18:55 - 00023882 _____ () C:\Users\Becker\Desktop\dds.txt
2014-03-13 18:55 - 2014-03-13 18:55 - 00012906 _____ () C:\Users\Becker\Desktop\attach.txt
2014-03-13 18:54 - 2014-03-13 17:42 - 04745728 _____ (AVAST Software) C:\Users\Becker\Desktop\aswMBR.exe
2014-03-13 18:54 - 2014-03-13 17:42 - 00688992 ____R (Swearware) C:\Users\Becker\Desktop\dds.scr
2014-03-04 10:45 - 2014-03-04 10:45 - 00000000 ____D () C:\Users\Becker\AppData\Roaming\vlc
2014-03-04 10:32 - 2014-03-04 10:32 - 00007605 _____ () C:\Users\Becker\AppData\Local\Resmon.ResmonCfg
2014-03-04 08:17 - 2014-03-04 08:17 - 00000000 ____D () C:\Windows\Hewlett-Packard
2014-02-28 15:27 - 2014-02-28 15:28 - 00862120 _____ (Download Manager Cert ) C:\Users\Becker\Downloads\Setup (2).exe
2014-02-28 15:26 - 2014-02-28 15:26 - 00001176 _____ () C:\Users\Public\Desktop\HiDef Media Player.lnk
2014-02-28 15:23 - 2014-02-28 15:23 - 00862120 _____ (Download Manager Cert ) C:\Users\Becker\Downloads\Setup.exe
2014-02-28 11:28 - 2014-02-28 11:28 - 00000000 ____D () C:\Windows\pss
2014-02-27 18:20 - 2014-02-27 18:20 - 00002255 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-02-20 18:41 - 2014-03-13 19:41 - 05128584 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

==================== One Month Modified Files and Folders =======

2014-03-18 08:09 - 2014-03-18 08:09 - 00013581 _____ () C:\Users\Becker\Desktop\FRST.txt
2014-03-18 08:09 - 2014-03-18 08:09 - 00000000 ____D () C:\FRST
2014-03-18 08:05 - 2013-12-26 15:48 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-18 07:41 - 2013-12-26 15:48 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-18 07:35 - 2014-03-18 07:40 - 02157056 _____ (Farbar) C:\Users\Becker\Desktop\FRST64.exe
2014-03-18 07:04 - 2013-12-26 15:20 - 01729668 _____ () C:\Windows\WindowsUpdate.log
2014-03-18 00:05 - 2013-12-26 15:48 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-15 20:17 - 2014-03-15 20:17 - 00001338 _____ () C:\Users\Becker\Desktop\JRT.txt
2014-03-15 20:13 - 2014-03-15 20:13 - 00000000 ____D () C:\Windows\ERUNT
2014-03-15 19:22 - 2009-07-14 01:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-15 19:22 - 2009-07-14 00:45 - 00022224 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-15 19:22 - 2009-07-14 00:45 - 00022224 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-15 19:14 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-15 19:14 - 2009-07-14 00:51 - 00036386 _____ () C:\Windows\setupact.log
2014-03-15 19:13 - 2014-03-15 20:07 - 00007623 _____ () C:\Users\Becker\Desktop\AdwCleaner[S0].txt
2014-03-15 19:13 - 2014-03-15 18:58 - 00000000 ____D () C:\AdwCleaner
2014-03-15 19:13 - 2010-11-20 23:47 - 00067770 _____ () C:\Windows\PFRO.log
2014-03-15 19:12 - 2013-12-30 22:36 - 00001782 _____ () C:\Windows\LkmdfCoInst.log
2014-03-15 18:57 - 2014-03-15 18:56 - 01950720 _____ () C:\Users\Becker\Desktop\AdwCleaner.exe
2014-03-15 18:43 - 2014-03-15 18:43 - 00002324 _____ () C:\Users\Becker\Desktop\Rkill.txt
2014-03-15 18:42 - 2014-03-15 17:26 - 00000000 ____D () C:\Users\Becker\Desktop\RK_Quarantine
2014-03-15 18:07 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-03-15 17:29 - 2014-03-15 17:29 - 00001927 _____ () C:\Users\Becker\Desktop\RKreport[0]_S_03152014_172928.txt
2014-03-14 22:42 - 2013-12-30 22:36 - 00018960 _____ (Logitech, Inc.) C:\Windows\system32\Drivers\LNonPnP.sys
2014-03-14 22:36 - 2014-03-15 17:24 - 03901952 _____ () C:\Users\Becker\Desktop\RogueKiller.exe
2014-03-14 22:35 - 2009-07-14 00:45 - 00502808 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-14 22:34 - 2013-12-26 15:46 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-14 22:34 - 2013-12-26 15:46 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-13 21:50 - 2013-12-26 16:54 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-13 21:36 - 2014-03-13 21:36 - 00053281 _____ () C:\Users\Becker\Desktop\spybotlogs.rar
2014-03-13 21:36 - 2014-03-13 21:36 - 00003137 _____ () C:\Users\Becker\Desktop\attach.rar
2014-03-13 21:33 - 2014-03-13 21:33 - 00650249 _____ () C:\Users\Becker\Desktop\spybotreport 031314.txt
2014-03-13 21:33 - 2014-01-20 20:08 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-03-13 20:07 - 2014-03-13 20:07 - 00001843 _____ () C:\Users\Becker\Desktop\aswMBR.txt
2014-03-13 20:07 - 2014-03-13 20:07 - 00000512 _____ () C:\Users\Becker\Desktop\MBR.dat
2014-03-13 19:41 - 2014-02-20 18:41 - 05128584 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-03-13 19:41 - 2013-12-26 15:48 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-13 19:41 - 2013-12-26 15:48 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-13 19:41 - 2013-12-26 15:48 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-13 18:55 - 2014-03-13 18:55 - 00023882 _____ () C:\Users\Becker\Desktop\dds.txt
2014-03-13 18:55 - 2014-03-13 18:55 - 00012906 _____ () C:\Users\Becker\Desktop\attach.txt
2014-03-13 17:42 - 2014-03-13 18:54 - 04745728 _____ (AVAST Software) C:\Users\Becker\Desktop\aswMBR.exe
2014-03-13 17:42 - 2014-03-13 18:54 - 00688992 ____R (Swearware) C:\Users\Becker\Desktop\dds.scr
2014-03-13 17:36 - 2014-03-15 17:25 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Becker\Desktop\rkill.exe
2014-03-13 17:35 - 2014-03-15 17:25 - 01037734 _____ (Thisisu) C:\Users\Becker\Desktop\JRT.exe
2014-03-04 10:45 - 2014-03-04 10:45 - 00000000 ____D () C:\Users\Becker\AppData\Roaming\vlc
2014-03-04 10:32 - 2014-03-04 10:32 - 00007605 _____ () C:\Users\Becker\AppData\Local\Resmon.ResmonCfg
2014-03-04 09:57 - 2013-12-30 21:53 - 00000000 ____D () C:\Users\Becker\AppData\Roaming\HpUpdate
2014-03-04 08:17 - 2014-03-04 08:17 - 00000000 ____D () C:\Windows\Hewlett-Packard
2014-03-01 02:05 - 2014-03-13 19:00 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 01:17 - 2014-03-13 19:01 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 01:16 - 2014-03-13 19:01 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-01 00:58 - 2014-03-13 19:01 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-01 00:52 - 2014-03-13 19:01 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-01 00:51 - 2014-03-13 19:01 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-01 00:42 - 2014-03-13 19:01 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-01 00:40 - 2014-03-13 19:01 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-01 00:37 - 2014-03-13 19:01 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-01 00:33 - 2014-03-13 19:01 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-01 00:33 - 2014-03-13 19:01 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-01 00:32 - 2014-03-13 19:01 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-01 00:30 - 2014-03-13 19:01 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-01 00:23 - 2014-03-13 19:00 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-01 00:17 - 2014-03-13 19:01 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-01 00:11 - 2014-03-13 19:01 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-01 00:02 - 2014-03-13 19:00 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 23:54 - 2014-03-13 19:01 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 23:52 - 2014-03-13 19:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 23:51 - 2014-03-13 19:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 23:47 - 2014-03-13 19:01 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 23:43 - 2014-03-13 19:01 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 23:43 - 2014-03-13 19:01 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 23:42 - 2014-03-13 19:01 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 23:40 - 2014-03-13 19:01 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 23:38 - 2014-03-13 19:01 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 23:37 - 2014-03-13 19:01 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 23:35 - 2014-03-13 19:01 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 23:18 - 2014-03-13 19:01 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 23:16 - 2014-03-13 19:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 23:14 - 2014-03-13 19:01 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 23:10 - 2014-03-13 19:01 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 23:03 - 2014-03-13 19:01 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 23:00 - 2014-03-13 19:01 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 22:57 - 2014-03-13 19:01 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 22:38 - 2014-03-13 19:01 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 22:32 - 2014-03-13 19:01 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 22:27 - 2014-03-13 19:01 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 22:25 - 2014-03-13 19:01 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 22:25 - 2014-03-13 19:01 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-28 15:28 - 2014-02-28 15:27 - 00862120 _____ (Download Manager Cert ) C:\Users\Becker\Downloads\Setup (2).exe
2014-02-28 15:26 - 2014-02-28 15:26 - 00001176 _____ () C:\Users\Public\Desktop\HiDef Media Player.lnk
2014-02-28 15:23 - 2014-02-28 15:23 - 00862120 _____ (Download Manager Cert ) C:\Users\Becker\Downloads\Setup.exe
2014-02-28 11:28 - 2014-02-28 11:28 - 00000000 ____D () C:\Windows\pss
2014-02-28 11:28 - 2013-12-26 15:21 - 00000000 ___RD () C:\Users\Becker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-27 18:20 - 2014-02-27 18:20 - 00002255 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-02-27 18:20 - 2013-12-26 15:48 - 00000000 ____D () C:\Program Files (x86)\Google
2014-02-16 04:03 - 2013-12-26 17:18 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-16 04:00 - 2013-12-26 17:18 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

Some content of TEMP:
====================
C:\Users\Becker\AppData\Local\Temp\avgnt.exe
C:\Users\Becker\AppData\Local\Temp\ntdll_dump.dll


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-15 17:57

==================== End Of Log ============================

Juliet
2014-03-21, 11:41
I see Avira antivirus and Microsoft Security Essentials?
We need to get this down to just 1 antivirus program on the computer. Some tools will refuse to run with more than one on a computer.

Please go to add/remove programs list, try to uninstall the below items. If you have problems let me know.
Sendori
TidyNetwork

Some reports of this software being installed without user permission and/or being difficult to remove.

***********************
Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to the below item and uncheck the rest: (if found)

[V2][SUSP PATH] TidyNetwork Update : C:\Users\Becker\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUS26 AUTOGUID={FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} [-][x][x] -> FOUND

Now click Delete on the right hand column under Options
Post back the report which should be located on your desktop.


**************************

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)



start
HKLM-x32\...\Run: [] - [X]
HKU\.DEFAULT\...\RunOnce: [SpUninstallDeleteDir] - rmdir /s /q "\SearchProtect"
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn64.dll No File
BHO-x32: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn.dll No File
Toolbar: HKLM - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport.dll No File
Toolbar: HKCU - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR DefaultSearchURL: http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIaag,,&q={searchTerms}
CHR DefaultNewTabURL:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Becker\AppData\Local\Temp\avgnt.exe
C:\Users\Becker\AppData\Local\Temp\ntdll_dump.dll
Highlightly (HKLM-x32\...\Highlightly) (Version: 1.9.0.0 - Highlightly) <==== ATTENTION
Java(TM) 6 Update 22 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.220 - Oracle)
TidyNetwork (HKCU\...\TidyNetwork) (Version: - TidyNetwork)
Task: {ACB2DDAD-1212-454C-9BAC-307BB07A4633} - System32\Tasks\TidyNetwork Update => C:\Users\Becker\AppData\Local\TidyNetwork\petnupdate.exe
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
CMD: ipconfig /flushdns
Reboot:
end

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Please post:
Roguekiller txt
Fixlog.txt

Please give me an update on how the computer is at the moment.

thebecker1998
2014-03-25, 11:57
The computer is much better now. It reboots quickly.
No sign of snapdo in the browsers. IE is completely clean.



I uninstalled Microsoft security essentials.
Sendori protested when I tried to uninstall it. It sent me an internet popup to Survey Monkey. I have the screenshot here:

11358

The site looks like a SurveyMonkey site. But is it? How can I tell?
I looked into the cookies and there are a lot of them, and they are kinda weird compared to other normal sites like this one.

(note: how can I show screenshots for this forum better?)


Tidy Network uninstalled fine. But I noticed something. The file you had me remove was called "petnupdate". Do you have any more information on this? My parents are really into animals and might have downloaded that if it looks like something to do with 'pets'.


Right now I am running Avira and Avira Desktop for the computer. But Malwarebytes is still there. Should I remove one of those? Does Malwarebytes play well with others?




The RogueKiller logs
11359
11360



The custom script fixlog
11361

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Becker at 2014-03-25 06:02:27 Run:1
Running from C:\Users\Becker\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] - [X]
HKU\.DEFAULT\...\RunOnce: [SpUninstallDeleteDir] - rmdir /s /q "\SearchProtect"
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn64.dll No File
BHO-x32: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn.dll No File
Toolbar: HKLM - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
Toolbar: HKLM-x32 - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport.dll No File
Toolbar: HKCU - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
CHR DefaultSearchKeyword: search.snapdo.com
CHR DefaultSearchProvider: Web
CHR DefaultSearchURL: http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIaag,,&q={searchTerms}
CHR DefaultNewTabURL:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Becker\AppData\Local\Temp\avgnt.exe
C:\Users\Becker\AppData\Local\Temp\ntdll_dump.dll
Highlightly (HKLM-x32\...\Highlightly) (Version: 1.9.0.0 - Highlightly) <==== ATTENTION
Java(TM) 6 Update 22 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.220 - Oracle)
TidyNetwork (HKCU\...\TidyNetwork) (Version: - TidyNetwork)
Task: {ACB2DDAD-1212-454C-9BAC-307BB07A4633} - System32\Tasks\TidyNetwork Update => C:\Users\Becker\AppData\Local\TidyNetwork\petnupdate.exe
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
CMD: ipconfig /flushdns
Reboot:
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpUninstallDeleteDir => Value deleted successfully.
"C:\\PROGRA~2\\SearchProtect\\SearchProtect\\bin\\SPVC64Loader.dll" => Value Data removed successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} => Key deleted successfully.
HKCR\CLSID\{FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} => Value deleted successfully.
HKCR\CLSID\{EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} => Value deleted successfully.
HKCR\CLSID\{EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} => Key not found.
CHR DefaultSearchKeyword: search.snapdo.com ==> The Chrome "Settings" can be used to fix the entry.
CHR DefaultSearchProvider: Web ==> The Chrome "Settings" can be used to fix the entry.
CHR DefaultSearchURL: http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIaag,,&q={searchTerms} ==> The Chrome "Settings" can be used to fix the entry.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
C:\Users\Becker\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Users\Becker\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ACB2DDAD-1212-454C-9BAC-307BB07A4633} => Key not found.
C:\Windows\System32\Tasks\TidyNetwork Update not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TidyNetwork Update => Key not found.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog ====
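
Added example (not code from this thread, from FRST or from its author): the fixlist in Juliet's reply above is a list of persistence points, and the Fixlog just posted shows which registry keys, values and files FRST actually removed for each directive. The script below turns a fixlist into that list of targets before the fix is run, so a helper can see at a glance what a Run value, a BHO, an IE toolbar, a scheduled task or an alternate data stream really touches. Every mapping is copied from this thread's Fixlog except the AppInit_DLLs key, which is the documented Windows location (the Fixlog names only the value data). The FIXLIST sample is a constructed excerpt of the fixlist above; only the directive kinds present in it are handled.

```python
"""Map FRST fixlist directives to the registry keys, values and files they act on.

Added example; not code from the thread or from FRST.  Mappings follow the
Fixlog posted in the thread, except AppInit_DLLs (documented Windows
location).  Registry values are written FRST-style as key\\\\name.
"""
import re


def key(*parts):
    return "\\".join(parts)


def value(k, name):
    return k + "\\\\" + name          # FRST writes a registry value as key\\name


AUTORUN = {"HKLM-x32": r"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion",
           r"HKU\.DEFAULT": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"}
BHO = {"BHO": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects", r"HKCR\CLSID"),
       "BHO-x32": (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
                   r"HKCR\Wow6432Node\CLSID")}
TOOLBAR = {"HKLM": (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar", r"HKCR\CLSID"),
           "HKLM-x32": (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar", r"HKCR\Wow6432Node\CLSID"),
           "HKCU": (r"HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser", r"HKCR\CLSID")}
TASKCACHE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
APPINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"   # holds the AppInit_DLLs value


def targets(line):
    """Locations one fixlist line acts on; [] for lines FRST does not act on."""
    line = line.strip()
    m = re.match(r"(HKLM-x32|HKU\\\.DEFAULT)\\\.\.\.\\(Run|RunOnce): \[(.*?)\]", line)
    if m:   # autostart value; an empty value name (as in the thread) is legal and suspicious
        hive, sub, name = m.groups()
        return [value(key(AUTORUN[hive], sub), name)]
    if line.startswith("AppInit_DLLs:"):   # DLL injected into every process that loads user32
        return [value(APPINIT, "AppInit_DLLs")]
    if line.startswith("SearchScopes: HKCU - DefaultScope"):
        return [value(r"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes", "DefaultScope")]
    m = re.match(r"(BHO|BHO-x32): .*? - (\{[^}]+\})", line)
    if m:   # IE Browser Helper Object: registration key plus the COM class it points at
        reg, com = BHO[m.group(1)]
        return [key(reg, m.group(2)), key(com, m.group(2))]
    m = re.match(r"Toolbar: (HKLM|HKLM-x32|HKCU) - .*? - (\{[^}]+\})", line)
    if m:   # IE toolbar: a value under the Toolbar key plus the COM class
        reg, com = TOOLBAR[m.group(1)]
        return [value(reg, m.group(2)), key(com, m.group(2))]
    m = re.match(r"Task: (\{[^}]+\}) - System32\\Tasks\\(.+?) =>", line)
    if m:   # scheduled task: both TaskCache entries and the XML job file
        guid, name = m.groups()
        return [key(TASKCACHE, "Tasks", guid), key(r"C:\Windows\System32\Tasks", name),
                key(TASKCACHE, "Tree", name)]
    if line.startswith("AlternateDataStreams:"):   # file:stream, invisible in a plain dir listing
        return [line.split(":", 1)[1].strip()]
    m = re.match(r"CHR (HK\w+\\[^:]+):", line)
    if m:   # Chrome policy key; CHR DefaultSearch* lines are left to Chrome's own settings
        return [m.group(1)]
    if re.match(r"[A-Za-z]:\\", line):   # bare path: file or folder moved to quarantine
        return [line]
    return []


def plan(fixlist):
    """(directive, targets) for each fixlist line FRST acts on, in order."""
    out = []
    for raw in fixlist.splitlines():
        hit = targets(raw)
        if hit:
            out.append((raw.strip(), hit))
    return out


# Constructed excerpt of the fixlist posted in this thread.
FIXLIST = r"""start
HKLM-x32\...\Run: [] - [X]
HKU\.DEFAULT\...\RunOnce: [SpUninstallDeleteDir] - rmdir /s /q "\SearchProtect"
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn64.dll No File
BHO-x32: TidyNetwork - {FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} - C:\Program Files (x86)\TidyNetwork\petn.dll No File
Toolbar: HKLM - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
Toolbar: HKCU - FindWide Toolbar - {EE5BB5A1-8792-4D07-A6A4-CB14A2054F16} - C:\Users\Becker\AppData\Local\TNT2\Profiles\10741\passport64.dll No File
CHR DefaultSearchKeyword: search.snapdo.com
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Becker\AppData\Local\Temp\ntdll_dump.dll
Highlightly (HKLM-x32\...\Highlightly) (Version: 1.9.0.0 - Highlightly) <==== ATTENTION
Task: {ACB2DDAD-1212-454C-9BAC-307BB07A4633} - System32\Tasks\TidyNetwork Update => C:\Users\Becker\AppData\Local\TidyNetwork\petnupdate.exe
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
CMD: ipconfig /flushdns
Reboot:
end
"""

if __name__ == "__main__":
    for directive, hit in plan(FIXLIST):
        print(directive[:70])
        for h in hit:
            print("   ->", h)
```

Run it against a fixlist before pressing Fix and compare the printout with the Fixlog afterwards; a target that FRST reports as "not found" (as happened with the TidyNetwork task here, already removed by the uninstall) is harmless, while a target missing from the Fixlog altogether means the directive was not understood.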

Juliet
2014-03-25, 17:53
petnupdate has been flagged as malware.

*******************
Run RogueKiller again and click Scan
Now click Delete on the right hand column under Options,
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[V2][SUSP PATH] TidyNetwork Update : C:\Users\Becker\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUS26 AUTOGUID={FA6441BC-9891-38BE-D62A-CD6ED4B7B0EA} [x][x][x] -> FOUND

If it requires a reboot please allow it.

*****************
Please reset Google Chrome browser settings by following the link below.
Reset browser settings
https://support.google.com/chrome/answer/3296214

**************


But Malwarebytes is still there. Should I remove one of those? Does Malwarebytes play well with others?
MalwareBytes does play well with other security programs.
What I'd like for you to do now is uninstall/delete the version you have now. I want you to get the latest version available and we'll run a scan.

Please download Malwarebytes' Anti-Malware from here (http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/).
Click on the first blue download button.
Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post these two logs for me to see.

thebecker1998
2014-03-26, 14:23
RogueKiller just deleted stuff when I pressed the button.

Should I have chosen something? It deleted 5 items. I think showmygames was in there, but I don't know about petnupdate.exe.

I have the logs for you


11365
11366

Chrome reset with no trouble.

I reinstalled, updated, and ran malwarebytes.

During the scan, Avira blocked registry access to something... should I have disabled it first?

I couldn't check or change anything, it just quarantined everything. Is that normal?

The MBAM log:



Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/26/2014
Scan Time: 8:52:21 AM
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.03.26.04
Rootkit Database: v2014.03.25.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Becker

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 249365
Time Elapsed: 9 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 8
PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [17c524e3daa1a2940ab42dd854ae8a76],
PUP.Optional.DynConIE.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [17c524e3daa1a2940ab42dd854ae8a76],
PUP.Optional.Highlightly, HKLM\SOFTWARE\WOW6432NODE\Highlightly, Quarantined, [b02c61a6790247ef6024d6b8b74ca957],
PUP.Optional.MyWordTool.A, HKLM\SOFTWARE\WOW6432NODE\MyWordTool, Quarantined, [ad2f4cbbbebdbe78f19d7e089d66946c],
PUP.Optional.MyWordTool.A, HKU\S-1-5-21-90707034-2536013608-1354686508-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MyWordTool, Delete-on-Reboot, [e3f9ca3dfe7dd363cdc244426b988d73],
PUP.Optional.TidyNetwork.A, HKU\S-1-5-21-90707034-2536013608-1354686508-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\TidyNetwork, Delete-on-Reboot, [617b8b7c611ada5c125a1e3738ca9b65],
PUP.Optional.TidyNetwork.A, HKU\S-1-5-21-90707034-2536013608-1354686508-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\TidyNetwork, Delete-on-Reboot, [726ad7302853231391991f3bac5607f9],
PUP.Optional.TidyNetwork.A, HKU\S-1-5-21-90707034-2536013608-1354686508-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLAPLUGINS\@tnt2ghost.com/Plugin, Delete-on-Reboot, [bc2075925526ef471dede280649ecd33],

Registry Values: 1
PUP.Optional.FindWide, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ABOUTURLS|Tabs, http://search.findwide.com/?guid={E4A8993E-209C-4F1D-9819-F5C172BAE9DB}&serpv=22, Quarantined, [97452cdb7605c1753ca8662355ae2cd4]

Registry Data: 5
PUP.Optional.Snapdo, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH47wqF9LzMF7h-ut22GnIEZWP3gGGjbBLyGwL2-xlD2-e0vOs73owtEVWLW7LqEsA,,, Good: (http://www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH47wqF9LzMF7h-ut22GnIEZWP3gGGjbBLyGwL2-xlD2-e0vOs73owtEVWLW7LqEsA,,),Delete-on-Reboot,[5b810ef983f8aa8ccb5334d15aaa5da3]
PUP.Optional.Snapdo, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Bar, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}, Good: (http://www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}),Delete-on-Reboot,[518ba3648ceff6409e7e6f9607fd6f91]
PUP.Optional.Snapdo, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}, Good: (http://www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}),Delete-on-Reboot,[a7351ee94338ae88df3eb74e30d48878]
PUP.Optional.Snapdo, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|Default_Search_URL, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}, Good: (http://www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}),Delete-on-Reboot,[9c40a4639eddad89ae718f769e667c84]
PUP.Optional.Snapdo, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|SearchAssistant, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}, Good: (http://www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}),Delete-on-Reboot,[f2ea37d0df9c2313ea366c99bc480cf4]

Folders: 0
(No malicious items detected)

Files: 21
PUP.DownloadAdmin, C:\$Recycle.Bin\S-1-5-21-90707034-2536013608-1354686508-1000\$R9Z9DSK.exe, Quarantined, [6379e81f5c1fe650116effa6897a4ab6],
PUP.DownloadAdmin, C:\$Recycle.Bin\S-1-5-21-90707034-2536013608-1354686508-1000\$RSMJS23.exe, Quarantined, [bb21a85fd3a8b284b8c724818f74a25e],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-90707034-2536013608-1354686508-1000\$R48IFZB.exe, Quarantined, [a03c23e4047743f3c99af322a55cdd23],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsb3E42.exe, Quarantined, [1fbda067601b57dfde9524fcfa077789],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nscF930.exe, Quarantined, [c319d235c4b762d4d69d011f867b05fb],
PUP.Optional.Conduit.A, C:\Windows\Temp\nsd107C.exe, Quarantined, [6b71699ebcbfce682241cd48bf4235cb],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsd7968.exe, Quarantined, [2fad0ff88bf0f145fc77d24e976ab14f],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsdB02.exe, Quarantined, [ffdd2dda5b2042f4beb51b055ba602fe],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsi6BB8.exe, Quarantined, [08d40cfb611a69cd581b1c0435ccaa56],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsi8FE.exe, Quarantined, [5884c344accf58de9ed572ae4fb28977],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsl8C3C.exe, Quarantined, [d5079a6d2655d1650e658c94996829d7],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsl9872.exe, Quarantined, [47957a8d80fb2115c6ad7da3c140d12f],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsnACE3.exe, Quarantined, [8854c146b7c40b2b7df6bc648879669a],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsnDDA4.exe, Quarantined, [cc1050b7314a171f1b58140c1ee3728e],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsqFB78.exe, Quarantined, [d60667a0a6d53105b4bf160a946d4db3],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsqFBA6.exe, Quarantined, [cf0d56b12457f4427af94ed2ef1233cd],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nssAD02.exe, Quarantined, [cc10ba4d85f6fe383c37c55bd52c47b9],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nssB455.exe, Quarantined, [2cb05fa82853ca6c363dda46936eb848],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nswDE32.exe, Quarantined, [578516f10c6f9b9b492a5cc461a0916f],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsxD99E.exe, Quarantined, [3ca030d7a0dbad89c3b04fd14db46a96],
PUP.Optional.SearchProtect.A, C:\Windows\Temp\nsxF6EF.exe, Quarantined, [9f3d2bdca2d9b6806e0539e7e71a53ad],

Physical Sectors: 0
(No malicious items detected)


(end)

Juliet
2014-03-26, 15:28
Everything appears OK, how's the computer now?


Please Run TFC by OldTimer to clear temporary files:

Download TFC from here http://oldtimer.geekstogo.com/TFC.exe
and save it to your desktop.

Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

~~~~~~~~~~~~~~~~~~~~~~~~~

This next scanner I'm asking you to run can take quite a while. We will be looking for remnants and small pieces of junk.
Depends on how full the computer is. Don't be alarmed if it finds things because I am expecting this.

Go here (http://go.eset.com/us/online-scanner) to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activeX control to install
Click Start Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
When the scan completes, press the LIST OF THREATS FOUND button
Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish

Juliet
2014-03-29, 13:01
still need help?

thebecker1998
2014-03-30, 17:34
I still need help; I just couldn't use the computer for a bit. I'm working on it now.

During the down time however:

malwarebytes woke up with an alert about a snapdo remnant in the registry (it quarantined it). I'll have a copy of the log for you when I can grab it.

It might have been blocked from updating, as when I came back it had like 10 notifications that malware was out of date and to update it.



I ran TFC, it cleared, no reboot.

Couldn't open Google Chrome to get to the link for ESET.
I could click on the icon on the start bar and in the start menu explorer, but no dice.




I then noticed that the windows action center had a notice that avira desktop was turned off. I was trying to turn it on, but nothing would happen. I opened the action center to try seeing what was on, but it wouldn't let me close the window.

I had to reboot.

Rebooting is taking a looong time. Going to hard reboot it.

The reboot is successful, Chrome opens, and I'm running ESET now.

thebecker1998
2014-03-30, 18:28
here is the ESET scan

11385


and here is the Malwarebytes scan I woke up to: this was before the scans.



Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/30/2014
Scan Time: 11:11:26 AM
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.03.28.02
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Becker

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 250240
Time Elapsed: 55 hr, 55 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
PUP.Optional.SnapDo.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-2\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|Default, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}, Good: (www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}),,[c7db0800116ace6867c559a6887b41bf]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
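
Added example (not code from this thread or from Malwarebytes): the three Malwarebytes logs in this thread report the same feed.snapdo.com hijack twice under HKU\S-1-5-18, and the suffix MBAM appends after the SID changes between scans (-0, then -2), so matching lines by eye is error-prone. The parser below reads MBAM 2.x detection lines, records which account's hive each hit lives in (S-1-5-18 is the Local System account, not the logged-on user, so nothing done inside the user's own browser session rewrites it), and reports detections that come back in a later scan by comparing normalised locations and the hijack host. The line layout (name, location[, data], action, [md5]) is inferred from the logs above; the sample logs are constructed excerpts of those posts with the long snapdo parameter shortened.

```python
"""Parse Malwarebytes Anti-Malware 2.x detection lines, record whose hive each
hijack lives in, and spot detections that come back in a later scan.

Added example; not code from the thread or from Malwarebytes.  Line layout is
inferred from the logs posted in the thread; SID meanings are standard
Windows facts.  Sample logs below are constructed excerpts of those posts.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

DETECTION = re.compile(r"^(?P<name>[^,]+), (?P<rest>.*),\s*\[(?P<md5>[0-9a-f]{32})\],?$")
SID = re.compile(r"HKU\\(S-1-5-\d+(?:-\d+)*?)(?=-\{|\\)")
MBAM_SUFFIX = re.compile(r"-\{[0-9A-F-]{36}\}-\d+")    # MBAM's hive-instance tag after the SID
GOOD_BAD = re.compile(r"Good: \((.*?)\), Bad: \((.*)\)$")
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


def parse_line(line):
    """One detection line -> dict, or None for headers and blank lines."""
    m = DETECTION.match(line.strip())
    if not m:
        return None
    # Split from the right: URLs in the data field contain commas, the action never does.
    middle, _, action = m.group("rest").rpartition(",")
    location, _, data = middle.partition(", ")
    good_bad = GOOD_BAD.search(data)
    sid = SID.search(location)
    if sid:
        owner = SERVICE_SIDS.get(sid.group(1), "user " + sid.group(1))
    elif location.startswith(("HKLM", "HKCR")):
        owner = "machine"
    else:
        owner = "file"
    return {
        "name": m.group("name"),
        "location": location,
        "key": MBAM_SUFFIX.sub("", location).upper(),   # stable identity across scans
        "action": action.strip() or "Detected",
        "md5": m.group("md5"),
        "sid": sid.group(1) if sid else None,
        "owner": owner,
        "good": good_bad.group(1) if good_bad else None,
        "bad": good_bad.group(2) if good_bad else None,
    }


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """Detections per family and per owner of the hijacked location."""
    return {"families": Counter(r["name"] for r in records),
            "owners": Counter(r["owner"] for r in records)}


def hijacks_outside_user_profile(records):
    """Browser-setting hijacks stored under HKLM or a service account's hive.

    HKU\\S-1-5-18 is the Local System account's own profile.  Changing
    settings from the logged-on user's browser does not rewrite that hive,
    so a hijack there is reported again on every scan until it is removed.
    """
    return [r for r in records if r["bad"] and not r["owner"].startswith("user ")]


def bad_host(record):
    return urlsplit(record["bad"]).hostname if record["bad"] else None


def returned(earlier, later):
    """Detections in `later` whose normalised location and bad host were in `earlier`."""
    seen = {(r["key"], bad_host(r)) for r in earlier}
    return [r for r in later if (r["key"], bad_host(r)) in seen]


# Constructed excerpts of the 26 March, 30 March and 1 April logs above.
SNAPDO = "http://feed.snapdo.com/?p=mKO_AwFz,,&q={searchTerms}"
LOG_MAR26 = f"""Registry Keys: 8
PUP.Optional.DynConIE.A, HKLM\\SOFTWARE\\CLASSES\\CLSID\\{{E5A7A645-8318-4895-B85C-EDC606B80DB6}}, Quarantined, [17c524e3daa1a2940ab42dd854ae8a76],
PUP.Optional.TidyNetwork.A, HKU\\S-1-5-21-90707034-2536013608-1354686508-1000-{{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}}-0\\SOFTWARE\\TidyNetwork, Delete-on-Reboot, [617b8b7c611ada5c125a1e3738ca9b65],

Registry Values: 1
PUP.Optional.FindWide, HKLM\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\ABOUTURLS|Tabs, http://search.findwide.com/?guid={{E4A8993E-209C-4F1D-9819-F5C172BAE9DB}}&serpv=22, Quarantined, [97452cdb7605c1753ca8662355ae2cd4]

Registry Data: 1
PUP.Optional.Snapdo, HKU\\S-1-5-18-{{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}}-0\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\MAIN|Start Page, {SNAPDO}, Good: (http://www.google.com), Bad: ({SNAPDO}),Delete-on-Reboot,[5b810ef983f8aa8ccb5334d15aaa5da3]
"""
LOG_MAR30 = f"""Registry Data: 1
PUP.Optional.SnapDo.A, HKU\\S-1-5-18-{{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}}-2\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\SEARCHURL|Default, {SNAPDO}, Good: (www.google.com), Bad: ({SNAPDO}),,[c7db0800116ace6867c559a6887b41bf]
"""
LOG_APR01 = f"""Registry Data: 1
PUP.Optional.SnapDo.A, HKU\\S-1-5-18-{{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}}-0\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\SEARCHURL|Default, {SNAPDO}, Good: (www.google.com), Bad: ({SNAPDO}),,[fd30968f7a0174c27dd915f10bf97d83]
"""

if __name__ == "__main__":
    for r in hijacks_outside_user_profile(parse_log(LOG_MAR26 + LOG_MAR30 + LOG_APR01)):
        print(r["owner"], r["key"], "->", bad_host(r), "|", r["action"])
    for r in returned(parse_log(LOG_MAR30), parse_log(LOG_APR01)):
        print("came back:", r["key"])
```

Note the action field: "Quarantined" and "Delete-on-Reboot" mean MBAM acted, while an empty field (shown here as "Detected", as in the 30 March and 1 April lines) means it only reported the value, which is worth checking against the MBAM quarantine before assuming the remnant is gone.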

Juliet
2014-03-30, 18:59
Malwarebytes Anti-Malware quarantined that item right?

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).



start
C:\Program Files (x86)\Avira\AntiVir Desktop\offercast_avirav7_.exe
C:\Windows\Installer\MSI43DA.tmp
Reboot:
end


After running this script it should reboot your machine, don't be alarmed.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Update me please, what malware issues remain?

thebecker1998
2014-04-01, 23:58
Should I have certain things disabled or enabled when I run these scripts? Should Avira be off right now?

MALWARE BYTES FOUND AN ITEM AGAIN
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/1/2014
Scan Time: 5:56:49 PM
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.04.01.09
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Becker

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 250917
Time Elapsed: 8 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
PUP.Optional.SnapDo.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|Default, http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}, Good: (www.google.com), Bad: (http://feed.snapdo.com/?p=mKO_AwFzXIpYRaHk7fb-MO5XCXXVn6DMoLXA5bpSRiP8qgt8qU7OgttvXIHGsPLCbSq6DZIk8YcBZ4oFqibJHA57xcLNtmZ3waCu1wdEn92ITbJEZz_-CXeRhBiqQl7trvimvbGDwH43j_ilY78vTWIQtmGRhRoA0ssN42Ev0fg_6I122zXVnBkO2aY5VtgodTFDlZIabQ,,&q={searchTerms}),,[fd30968f7a0174c27dd915f10bf97d83]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Becker at 2014-04-01 17:42:40 Run:2
Running from C:\Users\Becker\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Program Files (x86)\Avira\AntiVir Desktop\offercast_avirav7_.exe
C:\Windows\Installer\MSI43DA.tmp
Reboot:
end
*****************

Could not move "C:\Program Files (x86)\Avira\AntiVir Desktop\offercast_avirav7_.exe" => Scheduled to move on reboot.
C:\Windows\Installer\MSI43DA.tmp => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-04-01 17:45:25)<=

"C:\Program Files (x86)\Avira\AntiVir Desktop\offercast_avirav7_.exe" => File could not move.

==== End of Fixlog ====
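The two Malwarebytes logs above report the same PUP.Optional.SnapDo.A SearchURL entry on consecutive scans, under a slightly different HKU hive suffix, which is why the helper keeps asking whether the item was actually quarantined. As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for this log layout that extracts each section's detections and flags items that recur across scans; the sample logs, SID, URL token and record id are constructed placeholders.

```python
import re

# Constructed sample logs in the Malwarebytes 2.0 layout quoted in this thread.
# The SID, URL token and record id are placeholders, not values from any system.
SCAN_1 = """Scan Date: 3/30/2014
Registry Data: 1
PUP.Optional.SnapDo.A, HKU\\S-1-5-18-{SID-PLACEHOLDER}-2\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\SEARCHURL|Default, http://feed.snapdo.com/?p=TOKEN,,&q={searchTerms}, Good: (www.google.com), Bad: (http://feed.snapdo.com/?p=TOKEN,,&q={searchTerms}),,[id1]

Files: 0
(No malicious items detected)
"""
# Second scan two days later: same entry, only the per-user hive suffix changed.
SCAN_2 = SCAN_1.replace("3/30/2014", "4/1/2014").replace("}-2\\", "}-0\\")

SECTION_RE = re.compile(r"^(Processes|Modules|Registry Keys|Registry Values|"
                        r"Registry Data|Folders|Files|Physical Sectors): (\d+)$")
# name, location, then free text holding the value and the Good:/Bad: pair
DETECT_RE = re.compile(r"^(?P<name>[^,]+), (?P<location>[^,]+), (?P<rest>.*)$")

def parse_mbam_log(text):
    """Return {'date', 'counts', 'detections'} for one log."""
    result, section = {"date": None, "counts": {}, "detections": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Scan Date: "):
            result["date"] = line[len("Scan Date: "):]
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
            result["counts"][section] = int(m.group(2))
        elif not line:
            section = None  # a section's detection lines end at the blank line
        elif section and not line.startswith("(") and (m := DETECT_RE.match(line)):
            bad = re.search(r"Bad: \((.*?)\),,\[", m.group("rest"))
            result["detections"].append({
                "section": section, "name": m.group("name"),
                "location": m.group("location"),
                "bad": bad.group(1) if bad else None})
    return result

def normalize_location(location):
    """The HKU\\<sid> prefix can change between scans; key on the rest of the path."""
    return re.sub(r"^HKU\\[^\\]+", lambda _: "HKU\\<user>", location)

def recurring_detections(logs):
    """Items (section, name, normalized location) seen in more than one scan."""
    seen = {}
    for parsed in (parse_mbam_log(t) for t in logs):
        for d in parsed["detections"]:
            key = (d["section"], d["name"], normalize_location(d["location"]))
            seen.setdefault(key, []).append(parsed["date"])
    return [{"section": s, "name": n, "location": l, "dates": dates}
            for (s, n, l), dates in seen.items() if len(dates) > 1]
```

A recurring entry means the scanner keeps finding the same setting, so either it was not removed or something is re-creating it; the log itself records no action, which is why the question has to be asked.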

Juliet
2014-04-02, 00:01
Yes, you can disable Avira.

Hate to sound like a broken record but, did MBAM delete that file in question?

How is the computer today?

Juliet
2014-04-02, 00:03
C:\Program Files (x86)\Avira\AntiVir Desktop\offercast_avirav7_.exe
Don't worry about this; when it installed, it also installed the Ask toolbar... so no biggie.

Juliet
2014-04-02, 00:10
Set Internet Explorer back as follows:

Open Internet Explorer and go to Tools -> Internet Options.
Click the Advanced tab; under "Internet Explorer Settings Reset", click Reset ...
Click "Reset Internet Explorer settings" to confirm the reset.

thebecker1998
2014-04-02, 19:17
Malwarebytes reported a clean sweep.

(Previously it was just quarantining, it was deleting anything, so I told Malwarebytes to delete it manually.)

Is there anything else I should run to make sure it's clean?

If it is good, then what can I do to add protection?


Leave Malwarebytes on?
Spybot? With or without TeaTimer?
Avira? With or without Desktop?
Windows firewall and stuff.

What will interfere with what?

Can I install a hosts file that blocks all the bad sites? I did that for them on the last computer and it worked much better. Where do I get one for Windows 7?

What about some useful Chrome or IE add-ons? Do you recommend a popup blocker that is safe?

Is there any way I can educate my parents on safe internet use?

Juliet
2014-04-02, 21:28
What about some useful Chrome or IE add-ons? Do you recommend a popup blocker that is safe?

Is there any way I can educate my parents on safe internet use?
I'll post information about this in my preventive tips.

Blocking Unwanted Connections with a Hosts File http://winhelp2002.mvps.org/hosts.htm
Scroll down to your version of Windows.


If it is good, then what can I do to add protection?

Leave Malwarebytes on?
Spybot? With or without TeaTimer?
Avira? With or without Desktop?
Windows firewall and stuff.

What will interfere with what?
Leave Malwarebytes Anti-Malware on; update it regularly.
Keep Spybot and TeaTimer; check for updates often.
Avira is good (I will provide choices in the preventive tips).
I use Windows Firewall and have had no issues, but there are people who want other firewalls; I have these in my preventive tips as well.

Let's clean up the tools we used and remove quarantine folders.

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
No need to post the log this time.




start
DeleteQuarantine:
end



~~~~~~~~~~~~~~

Download DelFix from here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
Ensure "Remove disinfection tools" is ticked.
Also tick:
Create registry backup
Purge system restore

Click Run

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel, etc.

***************

You're good to go, good job!

Please take the time to read over a few of my preventive tips.

Computer Security
http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know (http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/#)

CryptoLocker Ransomware Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)

To help protect your computer in the future, I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/): install this programme to lock down and prevent crypto ransomware.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 3 (http://www.mozilla.com/en-US/firefox/)
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
*NoScript (http://www.noscript.net) - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

AdblockPlus

AdblockPlus: surf the web without annoying ads!
Blocks banners, pop-ups and video ads, even on Facebook and YouTube.
Protects your online privacy.
Two-click installation, and it's free!
Click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WOT (http://www.mywot.com/) Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)
and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755)

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))


Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter (http://www.fbi.gov/cyberinvest/cyberedletter.htm)
USAToday (http://www.usatoday.com/tech/columnist/kimkomando/2006-04-13-file-sharing-woes_x.htm)
infoworld (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

*********************************************
Please read the following safe computing articles.

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)


Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

Keep a backup of your important files (http://www.geekstogo.com/2008/06/19/options-for-home-computer-data-backup-part-1/) - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

Juliet
2014-04-08, 11:57
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.