I am getting unwanted popup ads in the lower corners of web pages, and occasionally redirects to other sites (only when malware blockers are down).

Hi and welcome

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/)
(use correct version for your system.....Which system am I using? (http://support.microsoft.com/kb/827218))

Tutorial http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

2014-05-07, 22:46
Something odd is that the tools mention HOSTS file entries that I don't see when I view my HOSTS file at C:\Windows\system32\drivers\etc\HOSTS. How is this possible?

This post is too long to hold both logs, so the 2nd log (Addition.txt) will appear in an immediately successive post.

Here is FRST.txt.

==================== Hosts content: ==========================

2009-07-13 22:34 - 2012-04-24 13:05 - 00001399 __RAH C:\Windows\system32\Drivers\etc\hosts localhost www.google-analytics.com. ad-emea.doubleclick.net. www.statcounter.com. www.google-analytics.com. ad-emea.doubleclick.net. www.statcounter.com.

2014-05-08, 00:40
Something odd is that the tools mention HOSTS file entries that I don't see when I view my HOSTS file at C:\Windows\system32\drivers\etc\HOSTS. How is this possible?
If you have a custom hosts file builder like SpyBot you likely won't see it.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. Save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

HKLM-x32\...\Run: [] => [X]
SearchScopes: HKCU - {9D5B8E15-1FAB-480B-9A42-29844E3E8BC6} URL = http://findgala.com/?&uid=8050&q={searchTerms}
SearchScopes: HKCU - {D60FEA38-8371-4C9E-938A-11F8A450C0A7} URL =
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

The above script will reboot your computer, please don't be alarmed.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


AdwCleaner by Xplode

Click on this link to download : ADWCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top Advertisement.

Close all open windows and browsers.

Right click the AdwCleaner icon http://i1059.photobucket.com/albums/t432/cinjo23/RightClickonAdwCleanerIcon.jpg on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.


Click the Scan button and wait for the scan to finish.
After the Scan has finished the window may or may not show what it found and above the progress bar you will see Pending. Please uncheck elements you don't want to remove. Please don't delete anything at this time.
Click the Report button to get the log
Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.
Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why (http://www.im-infected.com/hijacker/isearch-avg-comsearch-hijacker.html) and Here (http://nojesusnopeas.blogspot.com/2012/08/sorry-but-avg-secure-search-is-malware.html). You can always Reinstall (http://www.avg.com/us-en/secure-search) it.


Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.
Shut down your protection software now to avoid potential conflicts. Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator". The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log (JRT.txt) is saved to your desktop and will automatically open. Post the contents of JRT.txt into your next message.

Please post the following logs
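On the hosts file question above: a "custom hosts file builder" such as SpyBot's immunization adds hundreds of loopback lines, and FRST lists every non-default line, so the output looks alarming even though each line only blocks a tracker. Here is an added example (not this thread's code and not part of FRST, SpyBot or any other tool mentioned) in Python that parses a hosts file and separates block entries (names sent to loopback or the null address) from redirects (real names sent to a remote address, which is what a hijacking entry looks like). The sample hosts text is constructed; the 192.0.2.10 line is a hypothetical hijack-style entry using a documentation address.

```python
"""Classify the entries in a Windows hosts file.

Added example for this thread; it is not part of FRST, Spybot or any
other tool mentioned here. SAMPLE_HOSTS is constructed: it mimics the
loopback "immunization" lines the FRST log reported, plus one
hypothetical hijack-style line (192.0.2.10 is a documentation address).
"""
import ipaddress
import sys
from pathlib import Path

# Addresses that make a name resolve to nothing useful: a block, not a redirect.
BLOCK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that Windows itself maps; they are not "custom" entries.
DEFAULT_NAMES = {"localhost"}
# Path the thread refers to; used only when it exists on the machine.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy (constructed sample)
127.0.0.1 www.google-analytics.com
127.0.0.1 ad-emea.doubleclick.net
127.0.0.1 www.statcounter.com
# constructed hijack-style line: a real-looking name sent to a remote address
192.0.2.10 www.example-bank.test
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                         # first field is not an IP address
        for name in parts[1:]:               # one line may list several names
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def classify(entries):
    """Split entries into blocked names (benign blocklist) and redirects (needs review)."""
    blocked, redirects = [], []
    for addr, name in entries:
        if name in DEFAULT_NAMES:
            continue
        if addr in BLOCK_ADDRS:
            blocked.append(name)
        else:
            redirects.append((name, addr))
    return blocked, redirects


def report(text):
    """Summary dict for the text of a hosts file."""
    blocked, redirects = classify(parse_hosts(text))
    return {"blocked_count": len(blocked), "blocked": blocked, "redirects": redirects}


if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else WINDOWS_HOSTS
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    summary = report(text)
    print(f"{summary['blocked_count']} name(s) blocked via loopback/null route")
    for name, addr in summary["redirects"]:
        print(f"REDIRECT {name} -> {addr}   <-- review: this is not a block entry")
```

Run it with the hosts path as the only argument (or with none on a Windows machine); a long list of blocked names is what an immunization tool leaves behind, while any line in the REDIRECT list deserves a look, since nothing legitimate normally points a public hostname at an address you did not choose.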

2014-05-08, 05:50
Note that FRST64 didn't find one of the registry keys.

Log 1 of 3

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-05-2014
Ran by ross at 2014-05-07 22:26:38 Run:1
Running from C:\Users\ross\Desktop
Boot Mode: Normal

Content of fixlist:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKCU - {9D5B8E15-1FAB-480B-9A42-29844E3E8BC6} URL = http://findgala.com/?&uid=8050&q={searchTerms}
SearchScopes: HKCU - {D60FEA38-8371-4C9E-938A-11F8A450C0A7} URL =
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9D5B8E15-1FAB-480B-9A42-29844E3E8BC6} => Key deleted successfully.
HKCR\CLSID\{9D5B8E15-1FAB-480B-9A42-29844E3E8BC6} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D60FEA38-8371-4C9E-938A-11F8A450C0A7} => Key deleted successfully.
HKCR\CLSID\{D60FEA38-8371-4C9E-938A-11F8A450C0A7} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.
C:\ProgramData\.6b14a35055fac291a0de744e5b9ee9ec.dat => Moved successfully.
C:\Users\Limited\AppData\Local\Temp\{74FBA14D-66E1-4C4A-9E1B-4B8E2CF67B61}.exe => Moved successfully.
C:\Users\Limited\AppData\Local\Temp\{BA8C058F-4BA7-4AD8-AF74-47B16042451D}.exe => Moved successfully.
C:\Users\Limited\AppData\Local\Temp\{C19E6858-96BF-49B0-A432-9ABCBF872353}.exe => Moved successfully.
C:\Users\ross\AppData\Local\Temp\G2MInstallerExtractor.exe => Moved successfully.
C:\Users\ross\AppData\Local\Temp\InstHelper.exe => Moved successfully.
C:\Users\ross\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\ross\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\ross\AppData\Local\Temp\{92853941-8F89-4763-8B4E-7CFDAF05C532}.exe => Moved successfully.
C:\Users\rosstemp\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\rosstemp\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe => Moved successfully.

The system needed a reboot.

==== End of Fixlog ====

Log 2 of 3

# AdwCleaner v3.207 - Report created 07/05/2014 at 22:35:11
# Updated 05/05/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : ross - SHADOWFAX
# Running from : C:\Users\ross\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Users\Limited\AppData\Local\~0
Folder Found : C:\Users\Limited\AppData\Local\PackageAware
Folder Found : C:\Users\ross\AppData\Local\~0
Folder Found : C:\Users\ross\AppData\Local\PackageAware

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Limited\AppData\Roaming\Mozilla\Firefox\Profiles\qm2lvuio.default\prefs.js ]

[ File : C:\Users\ross\AppData\Roaming\Mozilla\Firefox\Profiles\cldueye9.default\prefs.js ]

[ File : C:\Users\rosstemp\AppData\Roaming\Mozilla\Firefox\Profiles\257ioee1.default\prefs.js ]

Line Found : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");

-\\ Google Chrome v

[ File : C:\Users\ross\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [2085 octets] - [07/05/2014 22:35:11]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2145 octets] ##########

Log 3 of 3
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by ross on 07/05/2014 at 22:41:25.66

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar

~~~ Files

~~~ Folders

~~~ FireFox

Successfully deleted: [File] C:\Users\ross\AppData\Roaming\mozilla\firefox\profiles\cldueye9.default\searchplugins\youtube-video-search.xml
Emptied folder: C:\Users\ross\AppData\Roaming\mozilla\firefox\profiles\cldueye9.default\minidumps [42 files]

~~~ Event Viewer Logs were cleared

Scan was completed on 07/05/2014 at 22:46:30.24
End of JRT log

2014-05-08, 12:45
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.


Please Run TFC by OldTimer to clear temporary files:

Download TFC from here http://oldtimer.geekstogo.com/TFC.exe
and save it to your desktop.

Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.


Go here (http://go.eset.com/us/online-scanner) to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start. Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
When the scan completes, press the LIST OF THREATS FOUND button
Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish

Can you give me an update on how the computer is running now?

2014-05-08, 22:40
The ADWCleaner log is included below. ESET found no threats, hence no list from it.

The symptoms (iframes in the lower left corner of FF, unwanted redirection) appear to be gone.

Do you know what the infection was? And why no AV programs could seem to detect it (I tried most of the major free and non-free anti-virus and anti-spyware programs)?

Thank you for your time and assistance, it is greatly appreciated.


# AdwCleaner v3.207 - Report created 08/05/2014 at 11:52:15
# Updated 05/05/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : ross - SHADOWFAX
# Running from : C:\Users\ross\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Limited\AppData\Local\~0
Folder Deleted : C:\Users\Limited\AppData\Local\PackageAware
Folder Deleted : C:\Users\ross\AppData\Local\~0
Folder Deleted : C:\Users\ross\AppData\Local\PackageAware

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Limited\AppData\Roaming\Mozilla\Firefox\Profiles\qm2lvuio.default\prefs.js ]

[ File : C:\Users\ross\AppData\Roaming\Mozilla\Firefox\Profiles\cldueye9.default\prefs.js ]

[ File : C:\Users\rosstemp\AppData\Roaming\Mozilla\Firefox\Profiles\257ioee1.default\prefs.js ]

Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");

-\\ Google Chrome v

[ File : C:\Users\ross\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [2241 octets] - [07/05/2014 22:35:11]
AdwCleaner[R1].txt - [2201 octets] - [08/05/2014 11:49:49]
AdwCleaner[S0].txt - [2132 octets] - [08/05/2014 11:52:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2192 octets] ##########

2014-05-08, 23:13
The symptoms (iframes in the lower left corner of FF, unwanted redirection) appear to be gone.

Do you know what the infection was? And why no AV programs could seem to detect it (I tried most of the major free and non-free anti-virus and anti-spyware programs)?
Glad to hear we got that straightened up.

I don't know that I can give it a name; what alerted me were the redirections. It's possible the malware that was responsible for the redirections was also responsible for the iframes? Very hard to say.

I do know that malware can be quite complicated in what it is designed to do. And as of today there is still not one antivirus program that can completely protect your computer. What we suggest is that you have layered protection on the machine so that what one can't find another might. More about this to come in my prevention steps.

Samples of infections have to be tested then submitted to the antivirus companies to be downloaded and installed into the virus definition database. So what one finds today can take possibly days for another to be detected and distributed. Sounds weird maybe but that's typically the way it advances to the best of my knowledge.

Let's clean up now.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. Save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
No need to post the log this time.



Download Delfix from here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Purge system restore

Click Run

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.


You're good to go, good job!

Please take the time to read over a few of my preventive tips.

2014-05-09, 20:40
The iframes issue is still with me. Not sure why I didn't see it the first time I opened the browser. I have not been using the PC in the mean time, so it's not a 2nd infection.

I ran FRST64.exe, but not delfix, since I figure we might need those tools again.

2014-05-09, 20:55
Did the iframes start with the infection or had they been there for a while?
It might be that your computer is having hardware issues; let's hope not.

You may or may not already have this tool on your computer; if so, follow the steps below. If this is the first time you have used this tool just follow the instructions.

Malwarebytes AntiMalware recently had a program update.
You can download the newest version over the top of the one you have or download and install again.


Please get the new version and let's run another scan.

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/update/) to your desktop
(If uninstalling and doing a reinstall the link is below)
Install the programme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits


Go back to the Dashboard and select Scan Now


If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.



On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

2014-05-09, 21:07

Download the latest version of TDSSKiller from here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.

Double-click on TDSSKiller.exe to run the application

Then click on Change parameters.


Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

Click the Start Scan button.

If a suspicious object is detected, the default action will be Skip, click on Continue.


If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Get the report by selecting Reports


Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2014-05-12, 21:24
No threats were found by either tool. Here is the MBAM log. The TDSS log is over the limit to quote or attach, so I'll skip chunking it if you're ok with that.

Here is what I think is happening:
First, it's not a hardware issue (e.g. a wonky touchscreen, as there isn't one). Something is overlaying a transparent frame over the bottom left corner of IE and FF. When not blocked by AV or AS software, clicking on this transparent area would take the browser to bad sites. This was clearly done by malware, which has since been cleaned from the PC. Since removal, clicking the transparent area does nothing except make part of the website unusable, which is why it is still desirable to fix. The transparent frame appears on most websites but not on others, but I think it used to be on all websites until recently, although I can't be sure.

What I think the malware did was likely the injection of CSS or JavaScript into a global template (a configuration file) of some kind, but since these can be legitimately modified by users, they are not altered ('fixed') by cleaning tools.

Malwarebytes Anti-Malware

Scan Date: 12/05/2014
Scan Time: 12:34:55 PM
Logfile: mbam_scan.txt
Administrator: Yes

Malware Database: v2014.05.12.05
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: ross

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369799
Time Elapsed: 18 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)
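The hypothesis in the post above (CSS or JavaScript injected into a browser configuration file that cleaning tools leave alone because users may edit it legitimately) matches what AdwCleaner reported earlier in this thread: `user_pref` lines in Firefox's prefs.js carrying a search-page CSS rule and a URL pattern. Here is an added example (not the thread's own code, and not part of AdwCleaner or Firefox) in Python that parses `user_pref("name", value);` lines from prefs.js and flags three things: hijack-prone preferences (homepage, keyword and search engine prefs, an assumed list from Firefox of that era) whose value points at a host outside an allowlist, any preference whose name contains `SearchRules`, and string values that carry CSS or script fragments. The sample prefs.js is constructed: the two SearchRules lines are a shortened form of the ones in the AdwCleaner log, the homepage URL is a placeholder, and ALLOWED_HOSTS is an assumption to adapt.

```python
"""Scan a Firefox prefs.js for hijacked or injected preferences.

Added example for this thread; not the thread's own code and not part of
AdwCleaner or Firefox. SAMPLE_PREFS is constructed: the two SearchRules
lines are a shortened form of the ones AdwCleaner reported, the homepage
URL is a placeholder, and ALLOWED_HOSTS is an assumption to adapt.
"""
import json
import re
import sys

# user_pref("name", value);  -- value is a JS string, number or boolean
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')

# Preferences that adware of this era commonly rewrote (assumed list).
HIJACK_PRONE = {
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
}
# Hosts you consider legitimate for the prefs above (assumption; adapt it).
ALLOWED_HOSTS = {"www.mozilla.org", "www.google.com"}
URL_RE = re.compile(r"https?://([^/\s\"'?#]+)", re.IGNORECASE)
# Substrings that indicate a style or script fragment stored in a preference value.
INJECTION_MARKERS = ("{display:", "<script", "javascript:", "!important")

SAMPLE_PREFS = r"""
# Mozilla User Preferences (constructed sample)
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.startup.homepage", "http://search.hijack-example.test/?uid=CONSTRUCTED");
user_pref("browser.search.selectedEngine", "Google");
user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .title + .WRCN {display:inline !important}");
user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
user_pref("privacy.donottrackheader.enabled", true);
"""


def parse_prefs(text):
    """Return {name: value} from user_pref(...) lines; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            try:
                value = json.loads(raw)      # JS string escapes used here are JSON-compatible
            except ValueError:
                value = raw[1:-1]            # fall back to the undecoded body
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def scan_prefs(text):
    """Return {pref_name: [reasons]} for preferences worth reviewing."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for name, value in parse_prefs(text).items():
        if name in HIJACK_PRONE and isinstance(value, str):
            for host in URL_RE.findall(value):
                if host.lower() not in ALLOWED_HOSTS:
                    flag(name, f"points at non-allowlisted host {host}")
        if ".SearchRules." in name:
            flag(name, "search-page rewrite rule installed by an extension")
        if isinstance(value, str) and any(mk in value for mk in INJECTION_MARKERS):
            flag(name, "value carries a CSS/script fragment")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PREFS
    for name, reasons in scan_prefs(text).items():
        print(name)
        for reason in reasons:
            print("    " + reason)
```

Point it at a profile's prefs.js (the paths AdwCleaner printed in the log) to get a review list rather than an automatic fix; a flagged preference is removed by deleting that line with Firefox closed, or by resetting the profile as suggested later in the thread.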


2014-05-12, 21:43
Looking back over the logs it appears you have the most current version of Java, then possibly older versions still on the machine.
The most recent is 7.51; please check and see if there are others and let's remove those.

Clearing the Java Plug-in cache forces the browser to load the latest versions of web pages and programs.
Clear Java cache by deleting Temporary Files through the Java Control Panel.

Click on the Start button and then click on the Control Panel option.
In the Control Panel Search enter Java Control Panel.
Click on the Java icon to open the Java Control Panel.
Delete Temporary Files through the Java Control Panel

In the Java Control Panel, under the General tab, click Settings under the Temporary Internet Files section.
The Temporary Files Settings dialog box appears.
Click Delete Files on the Temporary Files Settings dialog.
The Delete Files and Applications dialog box appears.

Click OK on the Delete Files and Applications dialog. This deletes all the Downloaded Applications and Applets from the cache.
Click OK on the Temporary Files Settings dialog. If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/306529-emergency-backup-procedure.html)

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download ComboFix from here:
Link 1 (http://www.bleepingcomputer.com/download/combofix/)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Place ComboFix.exe on your Desktop <--Important

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html)
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (http://en.wikipedia.org/wiki/Recovery_Console) (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Google Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari:
Launch Safari
Go to general settings menu
Then in Preferences/ Advanced
Then on line click Proxies change settings ...
Click Internet Options, then click the Connections tab, click Network Settings.
Disable option (uncheck) for the use of proxy server ...


Open Task Manager and look for the following ComboFix related processes (some have a .3XE extension):
• PEV.exe
• NirCmd.3XE
• any file that has the extension *.3XE

One at a time, right-click and select End Process. If doing that did not free ComboFix, then you will need to reboot the computer manually.

2014-05-13, 18:54
Also let's do this

Reset Firefox to default settings

Reset Internet Explorer to its default settings

2014-05-13, 22:56
I ran ComboFix and reset the browsers. Since then I haven't seen the problem, although I will test again in a couple days.


2014-05-13, 23:07
Glad to hear that helped.

May I see the log ComboFix created?

How about c:\Combofix\combofix.txt <-- is it here?
C:\qoobox\quarantined_files.txt <-- is this file present? If so -- please post its contents.

2014-05-13, 23:56
ComboFix 14-05-13.01 - ross 13/05/2014 15:15:54.2.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8151.5997 [GMT -4:00]
Running from: c:\users\ross\Desktop\ComboFix.exe
AV: ESET Smart Security 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
SP: ESET Smart Security 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((( Files Created from 2014-04-13 to 2014-05-13 )))))))))))))))))))))))))))))))
2014-05-13 19:21 . 2014-05-13 19:21 -------- d-----w- c:\users\rosstemp\AppData\Local\temp
2014-05-13 07:40 . 2014-05-13 07:40 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AFC4AFE-88C0-4996-9EBC-308672C611F7}\offreg.dll
2014-05-13 07:39 . 2014-04-17 09:31 10651704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AFC4AFE-88C0-4996-9EBC-308672C611F7}\mpengine.dll
2014-05-13 02:58 . 2012-05-04 23:29 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2014-05-13 02:58 . 2012-05-04 23:29 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2014-05-08 16:03 . 2014-05-08 16:03 -------- d-----w- c:\program files (x86)\ESET
2014-05-08 02:41 . 2014-05-08 02:41 -------- d-----w- c:\windows\ERUNT
2014-05-08 02:35 . 2010-08-30 12:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-05-08 02:35 . 2014-05-08 15:52 -------- d-----w- C:\AdwCleaner
2014-05-07 19:37 . 2014-05-09 17:38 -------- d-----w- C:\FRST
2014-05-07 02:16 . 2014-05-07 02:16 -------- d-----w- c:\program files (x86)\ERUNT
2014-05-06 17:32 . 2014-05-06 17:32 -------- d-----w- c:\users\ross\AppData\Local\ESET
2014-05-06 17:31 . 2014-05-06 17:31 -------- d-----w- c:\program files\ESET
2014-05-06 17:25 . 2014-05-06 17:25 -------- d-s---w- c:\windows\SysWow64\Microsoft
2014-05-04 16:07 . 2014-04-29 14:01 23547904 ----a-w- c:\windows\system32\mshtml.dll
2014-05-04 16:07 . 2014-04-29 13:40 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-04 16:07 . 2014-04-29 12:34 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-04 16:06 . 2014-05-04 16:06 -------- d-s---w- c:\windows\system32\CompatTel
2014-05-04 16:04 . 2014-04-14 02:24 465408 ----a-w- c:\windows\system32\aepdu.dll
2014-05-04 16:04 . 2014-04-14 02:19 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-04-30 12:55 . 2014-05-13 18:05 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-30 12:52 . 2014-04-30 12:52 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-30 12:52 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-30 12:52 . 2014-04-03 13:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-29 17:19 . 2014-04-29 17:19 -------- d-sh--w- c:\users\ross\AppData\Local\EmieUserList
2014-04-29 17:19 . 2014-04-29 17:19 -------- d-sh--w- c:\users\ross\AppData\Local\EmieSiteList
2014-04-19 15:52 . 2014-01-09 02:22 5694464 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-04-19 15:52 . 2014-01-03 22:44 6574592 ----a-w- c:\windows\system32\mstscax.dll
2014-04-17 15:10 . 2013-10-02 01:10 44544 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2014-04-17 15:09 . 2013-09-25 02:23 1030144 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-04-17 15:09 . 2013-09-25 01:57 792576 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-04-17 14:18 . 2014-02-07 01:23 3156480 ----a-w- c:\windows\system32\win32k.sys
2014-04-17 14:18 . 2014-01-29 02:32 484864 ----a-w- c:\windows\system32\wer.dll
2014-04-17 14:18 . 2014-01-29 02:06 381440 ----a-w- c:\windows\SysWow64\wer.dll
2014-04-17 14:18 . 2014-01-28 02:32 228864 ----a-w- c:\windows\system32\wwansvc.dll
2014-04-17 14:18 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-04-17 14:18 . 2014-02-04 02:32 624128 ----a-w- c:\windows\system32\qedit.dll
2014-04-17 14:18 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-04-17 14:18 . 2014-02-04 02:04 509440 ----a-w- c:\windows\SysWow64\qedit.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2014-04-29 02:07 . 2012-05-06 19:02 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-04-29 02:07 . 2011-05-21 00:48 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-19 15:53 . 2010-10-14 15:26 90655440 ----a-w- c:\windows\system32\MRT.exe
2014-04-03 13:50 . 2012-09-03 13:35 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-31 13:35 . 2010-10-01 01:27 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-03-26 03:05 . 2014-03-26 03:05 608 --sha-w- c:\windows\system32\winzvprt5.sys
2014-03-04 09:17 . 2014-04-19 15:51 44032 ----a-w- c:\windows\apppatch\acwow64.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-01-07 02:42 193896 ----a-w- c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon32.dll
2011-01-07 02:45 193896 ----a-w- c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU32.dll
"GoToMeeting"="c:\users\ross\AppData\Local\Citrix\GoToMeeting\1259\g2mstart.exe" [2014-02-13 40304]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-11-10 5954016]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"StatusAlerts"="c:\program files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe" [2012-07-18 313248]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Gladinet Cloud Desktop.lnk - c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GladLauncher.exe [2011-1-6 87400]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v2\WG111v2.exe [2011-7-10 1268192]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
R1 aqIPD7;aqIPD7;c:\windows\system32\drivers\aqIPD7.sys;c:\windows\SYSNATIVE\drivers\aqIPD7.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 nuService;NetUpdate;c:\program files (x86)\KidMoses\NetUpdate\nuServ.exe;c:\program files (x86)\KidMoses\NetUpdate\nuServ.exe [x]
R2 SCM_Service;SCM_Service;c:\windows\SysWOW64\WinService.exe;c:\windows\SysWOW64\WinService.exe [x]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [x]
R3 HP DS Service;HP DS Service;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys;c:\windows\SYSNATIVE\DRIVERS\wg111v2.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfp.sys [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys;c:\windows\SYSNATIVE\DRIVERS\scmndisp.sys [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt61;Acronis Disk Storage Filter (61);c:\windows\system32\DRIVERS\vsflt61.sys;c:\windows\SYSNATIVE\DRIVERS\vsflt61.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys;c:\windows\SYSNATIVE\DRIVERS\EpfwLWF.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [x]
S2 EnterpriseDBApachePHP;EnterpriseDB ApachePHP;c:\program files (x86)\PostgreSQL\EnterpriseDB-ApachePhp\apache\bin\httpd.exe;c:\program files (x86)\PostgreSQL\EnterpriseDB-ApachePhp\apache\bin\httpd.exe [x]
S2 GladFileMonSvc;GladFileMonSvc;c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe;c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IBG_gds_db;InterBase 2009 Guardian gds_db ;c:\program files (x86)\CodeGear\Interbase\bin\ibguard.exe;c:\program files (x86)\CodeGear\Interbase\bin\ibguard.exe [x]
S2 OS Selector;Acronis OS Selector activator;c:\program files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe;c:\program files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe [x]
S2 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/data -w;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/data -w [x]
S2 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys;c:\windows\SYSNATIVE\DRIVERS\dfmirage.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 IBS_gds_db;InterBase 2009 Server gds_db;c:\program files (x86)\CodeGear\Interbase\bin\ibserver.exe;c:\program files (x86)\CodeGear\Interbase\bin\ibserver.exe [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\DRIVERS\NxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\NxDrv.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - 20455723
*Deregistered* - 20455723
*Deregistered* - MBAMWebAccessControl
Contents of the 'Scheduled Tasks' folder
2014-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-06 02:07]
2014-05-13 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-1066971186-801704174-1181733999-1002.job
- c:\users\ross\AppData\Local\Citrix\GoToMeeting\1350\g2mupdate.exe [2014-03-11 04:37]
2014-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-22 02:44]
2014-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-22 02:44]
2014-05-12 c:\windows\Tasks\next.job
- c:\programdata\Dimdim\Updater\next.exe [2010-11-11 14:58]
--------- X64 Entries -----------
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-06-13 15:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
2011-01-07 02:43 191848 ----a-w- c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll
2011-01-07 02:45 194920 ----a-w- c:\program files (x86)\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-19 8067616]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-11-10 403096]
"SonicWALLNetExtender"="c:\program files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-04-02 1103744]
"HP LaserJet 200 color MFP M276 Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2011-10-10 3706424]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2013-09-12 5618456]
------- Supplementary Scan -------
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer =
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files (x86)\TurboTax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files (x86)\TurboTax 2012\ic2012pp.dll
Handler: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - c:\program files (x86)\TurboTax 2013\ic2013pp.dll
FF - ProfilePath - c:\users\ross\AppData\Roaming\Mozilla\Firefox\Profiles\cldueye9.default\
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-PostgreSQL Data Wizard Agent - c:\program files (x86)\SQL Maestro Group\PostgreSQL Data Wizard\PgDataWizardA.exe
Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\ross\AppData\Local\Akamai\netsession_win.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
ShellIconOverlayIdentifiers- - (no file)
ShellIconOverlayIdentifiers- - (no file)
ShellIconOverlayIdentifiers- - (no file)
AddRemove-InstallAware 7 - c:\programdata\{352395E2-F49E-4AA6-9473-921A27B079EE}\myahe_bds.exe
AddRemove-NativeXmlEx_is1 - q:\delphitools\NativeXmlEx314\unins000.exe
AddRemove-Transit RF - c:\programdata\{D3B4E0F9-F818-458B-AB39-DB5B399A321F}\TransitRFSetup.exe
AddRemove-TXLSFile 4.0 Demo (Delphi 2011) - q:\delphitools\XLSFileUnReg\uninstall.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files (x86)\NOS\bin\getPlus_Helper_3004.dll
AddRemove-{AD0BF38F-C50B-4390-93A8-E971BB745D6D} - c:\users\ross\AppData\Local\{A6132C1B-A10E-4D03-AD3D-F385FE903548}\UserAdminSetup.exe
"ImagePath"="C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/data\" -w"
"ImagePath"="C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/data\" -w"
--------------------- LOCKED REGISTRY KEYS ---------------------
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
@Denied: (A 2) (Everyone)
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
@Denied: (Full) (Everyone)
Completion time: 2014-05-13 15:24:29
ComboFix-quarantined-files.txt 2014-05-13 19:24
Pre-Run: 15,798,001,664 bytes free
Post-Run: 15,620,366,336 bytes free
- - End Of File - - E15255C595C15A9729BD29F26D3D3510

2014-05-13, 23:58
These are the contents of ComboFix-quarantined-files.txt

2014-05-13 19:23:31 . 2014-05-13 19:23:31 536 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{AD0BF38F-C50B-4390-93A8-E971BB745D6D}.reg.dat
2014-05-13 19:23:24 . 2014-05-13 19:23:24 225 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-.reg.dat
2014-05-13 19:23:24 . 2014-05-13 19:23:24 232 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2014-05-13 19:23:23 . 2014-05-13 19:23:23 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2014-05-13 19:23:22 . 2014-05-13 19:23:22 377 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2014-05-13 19:23:15 . 2014-05-13 19:23:15 176 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-Akamai NetSession Interface.reg.dat
2014-05-13 19:23:15 . 2014-05-13 19:23:15 199 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-PostgreSQL Data Wizard Agent.reg.dat
2014-05-13 19:23:14 . 2014-05-13 19:23:14 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2014-05-13 19:21:55 . 2014-05-13 19:21:55 335 ----a-w- C:\Qoobox\Quarantine\J\av1.zip
2014-05-13 19:21:55 . 2012-07-16 07:33:02 32 ----a-w- C:\Qoobox\Quarantine\J\Autorun.inf.vir
2014-05-13 19:19:41 . 2014-05-13 19:19:41 11,317 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2014-05-13 18:40:35 . 2014-05-13 19:14:47 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-02-10 13:52:40 . 2012-02-10 13:52:40 69 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\energy.dll.vir
2012-02-10 13:52:40 . 2012-02-10 13:52:40 11 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\PE.dll.vir
2012-02-10 13:52:40 . 2012-02-10 13:52:40 70 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\energy.drv.vir
2012-02-10 13:52:39 . 2012-02-10 13:52:39 58 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv.vir
2012-02-10 13:52:39 . 2012-02-10 13:52:39 80 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\gid.tmp.vir
2012-02-10 13:52:39 . 2012-02-10 13:52:40 2 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\dudl.exe.vir
2012-02-10 13:52:39 . 2012-02-10 13:52:39 46 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\eb.drv.vir
2012-02-10 13:52:39 . 2012-02-10 13:52:39 47 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\eb.sys.vir
2012-02-10 13:52:22 . 2012-02-10 13:52:40 24 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\delfile.dll.vir
2012-02-10 13:52:19 . 2012-02-10 13:52:39 16 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\pal.sys.vir
2012-02-10 13:52:19 . 2012-02-10 13:52:19 73 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys.vir
2012-02-10 13:52:19 . 2012-02-10 13:52:19 47 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\exec.exe.vir
2012-02-10 13:52:06 . 2012-02-10 13:52:06 35 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\PE.tmp.vir
2012-02-10 13:52:02 . 2012-02-10 13:52:19 48 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe.vir
2011-06-13 16:49:41 . 2011-06-13 16:49:41 15,808 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\Documents\~WRL1918.tmp.vir
2010-11-08 13:44:52 . 2013-04-24 23:57:38 60,864 ----a-w- C:\Qoobox\Quarantine\C\Users\ross\g2mdlhlpx.exe.vir

2014-05-14, 01:13
Looks good. I think it was some type of leftover residue from the infection. Running ComboFix took out what remained.

Ready to uninstall and see preventive tips?

2014-05-14, 07:27
Ready to uninstall and see preventive tips?

Sure. Hit me with it.

2014-05-14, 12:42
Sure. Hit me with it.


Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run > copy and paste the full text path in the run box

ComboFix /Uninstall

Note the space between the x and the /U; it needs to be there.


You're good to go, good job!

Please take the time to read over a few of my preventive tips.

