
unwanted windows popping up



bobbym
2014-10-17, 12:30
I am running Windows 7 64-bit. I have somehow got an infection that is more annoying than anything. It also prevents me seeing my emails.

Here are the requested files.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-10-2014 02
Ran by bob at 2014-10-16 18:38:19
Running from C:\Users\bob\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Avira (HKLM-x32\...\{70e83cd8-4bd5-4039-ab5a-6b94a8abb641}) (Version: 1.1.21.25162 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.21.25162 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
Microsoft Office 2000 Disc 2 (HKLM-x32\...\{00040409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.0 - Tweaking.com)
Winmail Opener 1.6 (HKLM-x32\...\Winmail Opener) (Version: 1.6 - Eolsoft)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {19D05799-C6F0-49F9-8756-64245DF0F8D7} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {1B3A4F88-C2B0-4170-91D0-FD0009B6651D} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {1BFA6744-5FA6-4082-8118-3FDB36FBA4A5} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: {2461709F-58F4-4CA7-8823-E313EF703079} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-09-26] (Piriform Ltd)
Task: {50C1DDE9-FB3E-4F2D-A08F-7EA74C58C636} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {5BBF8C73-79F5-4650-AB9D-22119F7DD850} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {88B59773-FA55-400B-9B80-330CAFA40F8A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-10] (Adobe Systems Incorporated)
Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
Task: {ADFE47E4-26E3-4342-A0E1-E13C34674D6D} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
Task: {B0F8CCCA-0011-44CC-9C3E-300C8E7D2F4D} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {D72FD250-F0A7-4457-ACE4-F07F620D8580} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2014-10-13 18:07 - 2014-10-13 18:07 - 00129061 _____ () C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
2014-10-13 18:07 - 2014-10-13 18:07 - 00310309 _____ () C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
2014-10-13 18:08 - 2014-10-13 18:08 - 00060453 _____ () C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe
2014-08-27 15:00 - 2014-08-27 15:00 - 00139056 _____ () C:\Program Files (x86)\Avira\My Avira\Avira.OE.NativeCore.dll
2014-08-06 20:04 - 2014-05-13 12:04 - 00109400 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-08-06 20:04 - 2014-05-13 12:04 - 00416600 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2014-08-06 20:04 - 2014-05-13 12:04 - 00167768 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-08-06 20:04 - 2012-08-23 10:38 - 00574840 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2014-08-06 20:04 - 2012-04-03 17:06 - 00565640 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2014-08-27 15:00 - 2014-08-27 15:00 - 00066864 _____ () C:\Program Files (x86)\Avira\My Avira\Avira.OE.AvConnectorNative.dll
2014-10-15 17:04 - 2014-10-15 17:04 - 03649648 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-09-10 17:51 - 2014-09-10 17:51 - 16825520 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
2014-08-06 19:30 - 2014-08-27 15:00 - 00052472 _____ () C:\Users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: avgnt => "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
MSCONFIG\startupreg: Avira Systray => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
MSCONFIG\startupreg: SDTray => "e:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

========================= Accounts: ==========================

Administrator (S-1-5-21-2632905467-853276935-2808178832-500 - Administrator - Disabled)
bob (S-1-5-21-2632905467-853276935-2808178832-1000 - Administrator - Enabled) => C:\Users\bob
Guest (S-1-5-21-2632905467-853276935-2808178832-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (10/13/2014 06:09:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
Exception code: 0x80000003
Fault offset: 0x0000141b
Faulting process id: 0x280
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/13/2014 10:54:02 AM) (Source: MsiInstaller) (EventID: 11309) (User: bob-PC)
Description: Product: Google Update Helper -- Error 1309. Error reading from file: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\Google\Update\RequiredFile.txt. System error 3. Verify that the file exists and that you can access it.

Error: (10/01/2014 05:13:57 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/01/2014 05:11:34 PM) (Source: MsiInstaller) (EventID: 11706) (User: bob-PC)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.

Error: (08/29/2014 07:21:38 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/06/2014 08:00:37 PM) (Source: MouseKeyboardCenter) (EventID: 0) (User: )
Description: Unknown Node:#text -->

Error: (08/06/2014 11:57:06 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (1404) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (08/06/2014 11:57:03 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (1416) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (08/06/2014 11:31:08 AM) (Source: VSS) (EventID: 12305) (User: )
Description: Volume Shadow Copy Service error: Volume/disk not connected or not found.
Error context: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,0xc0000000,0x00000003,...).


Operation:
Processing PostFinalCommitSnapshots

Context:
Execution Context: System Provider


System errors:
=============
Error: (10/16/2014 06:03:52 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/15/2014 05:28:32 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/15/2014 05:03:18 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/15/2014 09:38:42 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/14/2014 06:00:45 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/14/2014 11:51:40 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/13/2014 07:05:03 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.

Error: (10/13/2014 06:46:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Wajam Internet Enhancer Service service terminated unexpectedly. It has done this 1 time(s).

Error: (10/13/2014 06:46:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MySafeProxy Monitor service terminated unexpectedly. It has done this 1 time(s).

Error: (10/13/2014 06:07:53 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053MSIServer{000C101C-0000-0000-C000-000000000046}


Microsoft Office Sessions:
=========================
Error: (10/13/2014 06:09:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe32.0.3.537954224e6bmozalloc.dll32.0.3.537954221b67800000030000141b28001cfe7078aef2730C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozalloc.dllb935cc55-52fb-11e4-98a3-000129233516

Error: (10/13/2014 10:54:02 AM) (Source: MsiInstaller) (EventID: 11309) (User: bob-PC)
Description: Product: Google Update Helper -- Error 1309. Error reading from file: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\Google\Update\RequiredFile.txt. System error 3. Verify that the file exists and that you can access it.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (10/01/2014 05:13:57 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"H:\WPN111.exe

Error: (10/01/2014 05:11:34 PM) (Source: MsiInstaller) (EventID: 11706) (User: bob-PC)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (08/29/2014 07:21:38 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"H:\WPN111.exe

Error: (08/06/2014 08:00:37 PM) (Source: MouseKeyboardCenter) (EventID: 0) (User: )
Description: Unknown Node:#text -->

Error: (08/06/2014 11:57:06 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail1404WindowsMail0:

Error: (08/06/2014 11:57:03 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail1416WindowsMail0:

Error: (08/06/2014 11:31:08 AM) (Source: VSS) (EventID: 12305) (User: )
Description: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,0xc0000000,0x00000003,...)

Operation:
Processing PostFinalCommitSnapshots

Context:
Execution Context: System Provider



Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-10-2014 02
Ran by bob (administrator) on BOB-PC on 16-10-2014 18:37:42
Running from C:\Users\bob\Downloads
Loaded Profile: bob (Available profiles: bob)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
() C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [703736 2014-10-16] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [164656 2014-08-27] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2632905467-853276935-2808178832-1000\...\Run: [Spybot-S&D Cleaning] => E:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-2632905467-853276935-2808178832-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-08-06] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> E:\Office\OSA9.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:20194
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\q42j5mhf.default
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: Avira Browser Safety - C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\q42j5mhf.default\Extensions\abs@avira.com [2014-09-30]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-10-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-10-16] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [160048 2014-08-27] (Avira Operations GmbH & Co. KG)
R2 Direct3dTextWin32; C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe [60453 2014-10-13] () [File not signed]
R2 SDScannerService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-16] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-16] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-16 18:37 - 2014-10-16 18:38 - 00008377 _____ () C:\Users\bob\Downloads\FRST.txt
2014-10-16 18:36 - 2014-10-16 18:37 - 00000000 ____D () C:\FRST
2014-10-16 18:35 - 2014-10-16 18:36 - 02111488 _____ (Farbar) C:\Users\bob\Downloads\FRST64.exe
2014-10-16 18:29 - 2014-10-16 18:30 - 01170056 _____ (Zugara Investments Limited ) C:\Users\bob\Downloads\file.exe
2014-10-16 18:27 - 2014-10-16 18:27 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-BOB-PC-Microsoft-Windows-7-Ultimate-(64-bit).dat
2014-10-16 18:27 - 2014-10-16 18:27 - 00000000 ____D () C:\RegBackup
2014-10-16 18:26 - 2014-10-16 18:26 - 00000545 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2014-10-16 18:26 - 2014-10-16 18:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-10-16 18:25 - 2014-10-16 18:25 - 04215184 _____ () C:\Users\bob\Downloads\tweaking.com_registry_backup_setup.exe
2014-10-15 17:26 - 2014-10-15 17:26 - 00000318 _____ () C:\Windows\PFRO.log
2014-10-15 17:20 - 2014-10-15 17:25 - 00000000 ____D () C:\AdwCleaner
2014-10-15 17:19 - 2014-10-15 17:19 - 01976320 _____ () C:\Users\bob\Downloads\adwcleaner_4.000.exe
2014-10-15 17:04 - 2014-10-15 17:04 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-15 17:01 - 2014-10-16 18:02 - 00000168 _____ () C:\Windows\setupact.log
2014-10-15 17:01 - 2014-10-15 17:01 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-15 10:16 - 2014-10-15 10:16 - 00043144 _____ () C:\Users\bob\Documents\cc_20141015_101616.reg
2014-10-15 10:13 - 2014-10-15 10:13 - 04965896 _____ (Piriform Ltd) C:\Users\bob\Downloads\ccsetup418.exe
2014-10-15 10:13 - 2014-10-15 10:13 - 00002768 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-10-15 10:13 - 2014-10-15 10:13 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-15 10:13 - 2014-10-15 10:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-10-15 10:13 - 2014-10-15 10:13 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-14 18:08 - 2014-10-14 18:08 - 00000000 ____D () C:\Users\bob\AppData\Local\CheckCode
2014-10-13 19:02 - 2014-10-13 19:02 - 00007246 _____ () C:\Windows\wininit.ini
2014-10-13 18:13 - 2014-10-13 18:13 - 00000045 _____ () C:\Users\bob\AppData\Roaming\WB.CFG
2014-10-13 18:09 - 2014-10-13 18:09 - 00000000 ____D () C:\Users\bob\AppData\Local\Deployment
2014-10-13 18:08 - 2014-10-13 18:08 - 00001905 _____ () C:\Users\bob\Desktop\FastPlayer.lnk
2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\Windows\SysWOW64\Direct3dTextWin32
2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\Users\bob\AppData\Local\fastplayer
2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastPlayer
2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
2014-10-13 10:54 - 2014-10-13 10:54 - 00000000 ____D () C:\Users\bob\AppData\Local\com
2014-10-06 11:50 - 2014-10-13 18:09 - 00000000 ____D () C:\Users\bob\AppData\Local\Apps\2.0
2014-10-03 16:31 - 2014-10-03 16:31 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-10-01 22:04 - 2014-09-25 03:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 22:04 - 2014-09-25 02:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-28 17:30 - 2014-09-09 23:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-28 17:30 - 2014-09-09 22:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-16 18:14 - 2014-08-12 17:45 - 00043064 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-10-16 18:14 - 2014-08-11 18:13 - 00131608 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-10-16 18:14 - 2014-08-11 18:13 - 00119272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-10-16 18:10 - 2009-07-14 05:45 - 00020800 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-16 18:10 - 2009-07-14 05:45 - 00020800 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-16 18:09 - 2009-07-14 06:13 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-16 18:07 - 2014-08-05 21:20 - 01974631 _____ () C:\Windows\WindowsUpdate.log
2014-10-16 18:02 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-15 22:51 - 2014-08-06 18:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-15 17:26 - 2014-08-06 18:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-15 10:14 - 2014-08-05 22:14 - 00000000 ____D () C:\Windows\Panther
2014-10-14 11:52 - 2014-08-06 22:26 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-13 19:02 - 2014-08-06 20:04 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-10-13 11:13 - 2014-08-06 18:21 - 00001135 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-10-04 19:44 - 2009-07-14 06:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-10-03 16:56 - 2014-08-17 21:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2014-10-03 16:56 - 2014-08-17 21:17 - 00000000 ____D () C:\Program Files (x86)\Snapshot Viewer
2014-10-01 17:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\system32\NDF

Some content of TEMP:
====================
C:\Users\bob\AppData\Local\Temp\avgnt.exe
C:\Users\bob\AppData\Local\Temp\Quarantine.exe
C:\Users\bob\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-08-05 21:15

==================== End Of Log ============================




aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-10-16 18:42:14
-----------------------------
18:42:14.850 OS Version: Windows x64 6.1.7601 Service Pack 1
18:42:14.851 Number of processors: 2 586 0xF0D
18:42:14.851 ComputerName: BOB-PC UserName: bob
18:42:15.047 Initialize success
18:42:15.097 VM: initialized successfully
18:42:15.112 VM: Intel CPU virtualization not supported
18:43:27.925 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2
18:43:27.928 Disk 0 Vendor: ST3320820AS 3.AAD Size: 305245MB BusType: 3
18:43:27.933 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-7
18:43:27.937 Disk 1 Vendor: SanDisk_SSD_U100_32GB 10.50.00 Size: 30533MB BusType: 3
18:43:27.943 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T1L0-8
18:43:27.948 Disk 2 Vendor: MAXTOR_4K060H3 A08.1500 Size: 57259MB BusType: 3
18:43:27.961 Disk 1 MBR read successfully
18:43:27.966 Disk 1 MBR scan
18:43:27.970 Disk 1 Windows 7 default MBR code
18:43:27.975 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:43:27.979 Disk 1 Boot: NTFS code=1
18:43:27.983 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 30431 MB offset 206848
18:43:28.336 Disk 1 scanning C:\Windows\system32\drivers
18:43:30.045 Service scanning
18:43:33.144 Modules scanning
18:43:33.152 Disk 1 trace - called modules:
18:43:33.160 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
18:43:33.167 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004907100]
18:43:33.175 3 CLASSPNP.SYS[fffff880015be43f] -> nt!IofCallDriver -> [0xfffffa80047c3520]
18:43:33.175 5 ACPI.sys[fffff88000f9d7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-7[0xfffffa80047bc060]
18:43:33.183 Scan finished successfully
18:44:36.131 Disk 1 MBR has been saved successfully to "C:\Users\bob\Downloads\MBR.dat"
18:44:36.139 The log file has been saved successfully to "C:\Users\bob\Downloads\aswMBR.txt"


aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-10-17 10:24:40
-----------------------------
10:24:40.780 OS Version: Windows x64 6.1.7601 Service Pack 1
10:24:40.781 Number of processors: 2 586 0xF0D
10:24:40.781 ComputerName: BOB-PC UserName: bob
10:24:41.142 Initialize success
10:24:41.167 VM: initialized successfully
10:24:41.185 VM: Intel CPU virtualization not supported
10:24:49.038 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2
10:24:49.042 Disk 0 Vendor: ST3320820AS 3.AAD Size: 305245MB BusType: 3
10:24:49.046 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-7
10:24:49.051 Disk 1 Vendor: SanDisk_SSD_U100_32GB 10.50.00 Size: 30533MB BusType: 3
10:24:49.057 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T1L0-9
10:24:49.062 Disk 2 Vendor: MAXTOR_4K060H3 A08.1500 Size: 57259MB BusType: 3
10:24:49.077 Disk 1 MBR read successfully
10:24:49.082 Disk 1 MBR scan
10:24:49.084 Disk 1 Windows 7 default MBR code
10:24:49.088 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
10:24:49.092 Disk 1 Boot: NTFS code=1
10:24:49.096 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 30431 MB offset 206848
10:24:49.109 Disk 1 scanning C:\Windows\system32\drivers
10:24:50.893 Service scanning
10:24:54.015 Modules scanning
10:24:54.026 Disk 1 trace - called modules:
10:24:54.038 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
10:24:54.045 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004922790]
10:24:54.054 3 CLASSPNP.SYS[fffff880013aa43f] -> nt!IofCallDriver -> [0xfffffa80047d8520]
10:24:54.062 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-7[0xfffffa80047e8680]
10:24:54.068 Scan finished successfully
10:25:13.498 Disk 1 MBR has been saved successfully to "C:\Users\bob\Downloads\MBR.dat"
10:25:13.552 The log file has been saved successfully to "C:\Users\bob\Downloads\aswMBR.txt"


Any help very much appreciated. I have run Malwarebytes, Spybot, AdwCleaner and CCleaner, but still have the same problem.

Juliet
2014-10-17, 15:08
Use Add/Remove programs to Uninstall
MySafeProxy
Wajam Internet Enhancer




Running from C:\Users\bob\Downloads

Please go to your Downloads folder and locate Farbar's Recovery Scan Tool, right click and select CUT.
Now, go to an empty spot on your desktop, right click and select PASTE.

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).



start
CloseProcesses:
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
C:\Users\bob\AppData\Roaming\QY.exe
C:\Users\bob\AppData\Roaming\XZQE.exe
Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
C:\Users\bob\AppData\Local\Temp\avgnt.exe
C:\Users\bob\AppData\Local\Temp\Quarantine.exe
C:\Users\bob\AppData\Local\Temp\sqlite3.dll
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


~~~~~~~~~~~~~~~

Open AdwCleaner; we need to delete this version and download a newer one. Click on Uninstall/Delete.

-AdwCleaner- by Xplode

Click on this link to download : ADWCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Click on ONE of the two blue "Download Now" buttons that have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top advertisement.




Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete, click on "Clean".
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why (http://www.im-infected.com/hijacker/isearch-avg-comsearch-hijacker.html) and Here (http://nojesusnopeas.blogspot.com/2012/08/sorry-but-avg-secure-search-is-malware.html). You can always Reinstall (http://www.avg.com/us-en/secure-search) it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


~~~~~~~~~~~~~~
Please post:
Fixlog.txt
C:\AdwCleaner.txt
JRT.txt

bobbym
2014-10-17, 16:56
This does not show up in the Remove Software panel:
Wajam Internet Enhancer

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
Ran by bob at 2014-10-17 14:18:22 Run:1
Running from C:\Users\bob\Desktop
Loaded Profile: bob (Available profiles: bob)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
C:\Users\bob\AppData\Roaming\QY.exe
C:\Users\bob\AppData\Roaming\XZQE.exe
Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
C:\Users\bob\AppData\Local\Temp\avgnt.exe
C:\Users\bob\AppData\Local\Temp\Quarantine.exe
C:\Users\bob\AppData\Local\Temp\sqlite3.dll
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{20568BB1-CA37-4B16-82CB-EE29E60803A6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20568BB1-CA37-4B16-82CB-EE29E60803A6}" => Key deleted successfully.
C:\Windows\System32\Tasks\QY => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\QY" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{948DF117-18EC-4442-A415-819AABA42F2C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{948DF117-18EC-4442-A415-819AABA42F2C}" => Key deleted successfully.
C:\Windows\System32\Tasks\XZQE => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\XZQE" => Key deleted successfully.
"C:\Users\bob\AppData\Roaming\QY.exe" => File/Directory not found.
"C:\Users\bob\AppData\Roaming\XZQE.exe" => File/Directory not found.
C:\Windows\Tasks\QY.job => Moved successfully.
C:\Windows\Tasks\XZQE.job => Moved successfully.
"HKCR\PROTOCOLS\Handler\ipp\0x00000001" => Key deleted successfully.
"HKCR\CLSID\{E1D2BF42-A96B-11D1-9C6B-0000F875AC61}" => Key not found.
"C:\Windows\Tasks\XZQE.job" => File/Directory not found.
"C:\Windows\Tasks\QY.job" => File/Directory not found.
"C:\Windows\System32\Tasks\XZQE" => File/Directory not found.
"C:\Windows\System32\Tasks\QY" => File/Directory not found.
C:\Users\bob\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Users\bob\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\bob\AppData\Local\Temp\sqlite3.dll => Moved successfully.
"C:\Windows\System32\Drivers\etc\hosts" => Could not move.
Could not reset Hosts.
EmptyTemp: => Removed 95.2 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

# AdwCleaner v4.000 - Report created 17/10/2014 at 14:36:28
# DB v2014-10-17.9
# Updated 12/10/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : bob - BOB-PC
# Running from : C:\Users\bob\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Upt
Key Deleted : HKLM\SOFTWARE\WinUpd
Key Deleted : HKLM\SOFTWARE\SI-App
Key Deleted : HKLM\SOFTWARE\RST
Key Deleted : [x64] HKLM\SOFTWARE\Upt
Key Deleted : [x64] HKLM\SOFTWARE\WinUpd
Key Deleted : [x64] HKLM\SOFTWARE\SI-App
Key Deleted : [x64] HKLM\SOFTWARE\RST

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Mozilla Firefox v33.0 (x86 en-US)


*************************

AdwCleaner[R0].txt - [1019 octets] - [17/10/2014 14:33:37]
AdwCleaner[S0].txt - [935 octets] - [17/10/2014 14:36:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [994 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Windows 7 Ultimate x64
Ran by bob on Fri 10/17/2014 at 14:44:01.69
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\bob\AppData\Roaming\mozilla\firefox\profiles\q42j5mhf.default\minidumps [2 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/17/2014 at 14:46:47.60
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I am still getting the additional windows opening.

Thanks for the quick response.

bobbym
2014-10-17, 17:01
I note that the proxy setup does not stay in automatic although there is no information in the two small windows.

Juliet
2014-10-17, 21:30
I want you to reset your browsers back to default.
If you don't have all of these just go to the next.

http://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/?PageSpeed=noscript



Open Internet Explorer, click on the “gear icon” in the upper right part of your browser, then click again on Internet Options.
In the “Internet Options” dialog box, click on the “Advanced” tab, then click on the “Reset” button.
In the “Reset Internet Explorer settings” section, select the “Delete personal settings” check box, then click on “Reset” button.
When Internet Explorer has completed its task, click on the "Close" button in the confirmation dialogue box. You will now need to close your browser.


If you’re having problems with Firefox, resetting it can help. The reset feature fixes many issues by restoring Firefox to its factory default state while saving your essential information like bookmarks, passwords, web form auto-fill information, browsing history and open tabs.

In the upper-right corner of the Firefox window, click the Firefox menu button (3 thin lines), then click on the “Help” (light blue question mark) button.
From the Help menu, choose Troubleshooting Information.
If you’re unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting information page.
Click the “Reset Firefox” button in the upper-right corner of the “Troubleshooting Information” page.
To continue, click on the “Reset Firefox” button in the new confirmation window that opens.
Firefox will close itself and will revert to its default settings. When it's done, a window will list the information that was imported. Click on "Finish".

Note: Your old Firefox profile will be placed on your desktop in a folder named "Old Firefox Data". If the reset didn't fix your problem you can restore some of the information not saved by copying files to the new profile that was created. If you don't need this folder any longer, you should delete it as it contains sensitive information.




Let's set Chrome back to factory defaults.


Click the Chrome menu button on the browser toolbar.
Select Settings.
Scroll down to Show advanced settings...
Down on the bottom you will see an option for RESET BROWSER SETTINGS.
Click on it and it will set Chrome back to defaults.




Click on Chrome's main menu button, represented by three horizontal lines. When the drop-down menu appears, select the option labeled Settings.
Chrome's Settings should now be displayed in a new tab or window, depending on your configuration. Next, scroll to the bottom of the page and click on the Show advanced settings link.
Chrome’s advanced Settings should now be displayed. Scroll down until the Reset browser settings section is visible, as shown in the example below. Next, click on the Reset browser settings button.
A confirmation dialog should now be displayed, detailing the components that will be restored to their default state should you continue on with the reset process. To complete the restoration process, click on the Reset button.

~~~~~~~~~~~~~~~~

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/306529-emergency-backup-procedure.html)

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download ComboFix from here:
Link 1 (http://www.bleepingcomputer.com/download/combofix/)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Place ComboFix.exe on your Desktop <--Important

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



You can get help on disabling your protection programs here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html)
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (http://en.wikipedia.org/wiki/Recovery_Console) (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
---------------------------------------------------------------------------------------------
If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Launch Safari
Go to general settings menu
Then in Preferences/ Advanced
Then on line click Proxies change settings ...
Click Internet Options, then click the Connections tab, click Network Settings.
Disable option (uncheck) for the use of proxy server ...

bobbym
2014-10-17, 22:48
I am having trouble shutting down both Spybot and Avira, as Avira is not in my system tray and the Spybot window does not have a "mode" choice??
I have reset both Firefox and Internet Explorer, but still get the unwanted windows.

Please tell me how to shut down the two antiviruses, or I could take them out of the startup menu.

bobbym
2014-10-18, 00:58

I have just checked the proxy window. It does not stay at "automatic"; it always reverts back to "use proxy".

Going to bed, will look out for you tomorrow morning.


thanks

Juliet
2014-10-18, 02:19
Please use the Reply To Thread button at the bottom left of the page.

Avira's Antivir

Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background.

right click it-> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background.

You successfully disabled the AntiVir Guard.


Windows Defender

Launch Windows Defender, right click on the System Tray icon, select Open.
Click on Tools>Options.
Scroll down and uncheck "Use real-time protection (recommended)".
Scroll down further, and uncheck "Use Windows Defender"
After you uncheck these, click on the Save button, approve the UAC prompt, and close Windows Defender.


Spybot - Search and Destroy

Run Spybot-S&D, switch to the Advanced mode via the menu bar item Mode → hit Yes → select Tools in the navigation bar on the left → Resident and there you can untick the checkboxes in front of the two tools.



Explorer and Google use the same settings. So when you change one, the other responds as well. The easiest way to fix this is in Explorer, but if you don't have that, you can do the same thing by going to the Google Chrome icon, right click and open it with "Run as Administrator." Then do the same things I did below from Chrome Settings. If you don't know where to find this, the bar just below the top bar has 3 horizontal lines. Click with left button, go down to Settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Settings box as in Internet Explorer. Then follow the instructions in "D".

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click on your right mouse button and on the drop down menu, open it with "Run as Administrator."

B. When you do this, a box opens and asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.
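An added example, not from this thread or from any of the tools it mentions, that does from PowerShell what the FRST fixlist and the proxy instructions above do by hand: it lists scheduled tasks that launch from a user-writable path (as the QY and XZQE tasks did from AppData\Roaming), the legacy *.job files, and the per-user proxy values that keep reverting. The function names and the pattern used for "user-writable" locations are my own; it assumes Windows 7 with its built-in PowerShell 2.0, run as Administrator.

```powershell
# Added example (not part of the thread): audit the two persistence points seen
# on bob's machine. Run from an elevated PowerShell prompt; reading the task
# definitions under System32\Tasks needs admin rights.

$TaskRoot   = Join-Path $env:SystemRoot 'System32\Tasks'   # XML task definitions
$LegacyJobs = Join-Path $env:SystemRoot 'Tasks'            # old-style *.job files
$ProxyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-UserWritablePath {
    param([string]$Path)
    # Anything under a user profile or a Temp folder can be written without
    # admin rights, so a task that launches from there deserves a second look.
    # (Pattern chosen for this example; extend it for your own environment.)
    return ($Path -match '(?i)\\Users\\|\\AppData\\|\\Temp\\')
}

function Get-TaskActions {
    param([string]$Root)
    # Each task definition is an XML file; every <Exec> node is one command the
    # Task Scheduler will run. Triggers are reported so a "Logon" task stands out.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -Path $file.FullName -ErrorAction Stop }
            catch { return }   # unreadable or non-XML file: skip it
            $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
            $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
            foreach ($exec in $doc.SelectNodes('//t:Actions/t:Exec', $ns)) {
                New-Object PSObject -Property @{
                    Task      = $file.FullName.Substring($Root.Length + 1)
                    Command   = $exec.Command
                    Arguments = $exec.Arguments
                    Triggers  = ($doc.SelectNodes('//t:Triggers/*', $ns) |
                                 ForEach-Object { $_.LocalName }) -join ','
                }
            }
        }
}

function Get-UserProxySettings {
    param([string]$Key = $ProxyKey)
    # ProxyEnable=1 plus a ProxyServer value is what the "use proxy" box in the
    # LAN Settings dialog reflects; AutoConfigURL is a PAC script if one is set.
    # The "Automatically detect settings" flag lives in a binary value under
    # Connections\DefaultConnectionSettings and is not decoded here.
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        ProxyOverride = $p.ProxyOverride
    }
}

Write-Output "== Scheduled tasks launching from user-writable paths =="
Get-TaskActions -Root $TaskRoot |
    Where-Object { Test-UserWritablePath $_.Command } |
    Format-Table Task, Command, Arguments, Triggers -AutoSize

Write-Output "== Legacy *.job files in $LegacyJobs =="
Get-ChildItem -Path $LegacyJobs -Filter *.job -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize

Write-Output "== Per-user WinINET proxy settings ($ProxyKey) =="
Get-UserProxySettings | Format-List ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride
```

Run it now and again after a reboot: a ProxyEnable that flips back to 1, or a task that reappears, means something still on the machine is rewriting it.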

bobbym
2014-10-18, 12:23
Good Morning.

OK, last night as I was preparing to shut down the computer (IE closing programs), "ComboFix" was still running, waiting for the antivirus software to be shut down. When I clicked Yes it started its scan and appeared to run OK. Below is the ComboFix report.

ComboFix 14-10-15.01 - bob 10/17/2014 23:00:27.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4086.2479 [GMT 1:00]
Running from: c:\users\bob\Downloads\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
E:\uninstall.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-09-17 to 2014-10-17 )))))))))))))))))))))))))))))))
.
.
2014-10-17 22:03 . 2014-10-17 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-17 13:43 . 2014-10-17 13:43 -------- d-----w- c:\windows\ERUNT
2014-10-17 13:33 . 2014-10-17 13:36 -------- d-----w- C:\AdwCleaner
2014-10-17 13:10 . 2014-10-17 13:10 -------- d-----w- c:\windows\system32\appmgmt
2014-10-16 17:55 . 2014-09-19 01:26 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-10-16 17:54 . 2014-09-13 01:58 77312 ----a-w- c:\windows\system32\packager.dll
2014-10-16 17:54 . 2014-09-13 01:40 67072 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-16 17:36 . 2014-10-17 13:18 -------- d-----w- C:\FRST
2014-10-16 17:27 . 2014-10-16 17:27 -------- d-----w- C:\RegBackup
2014-10-15 09:13 . 2014-10-15 09:13 -------- d-----w- c:\program files\CCleaner
2014-10-14 17:08 . 2014-10-14 17:08 -------- d-----w- c:\users\bob\AppData\Local\CheckCode
2014-10-13 17:09 . 2014-10-13 17:09 -------- d-----w- c:\users\bob\AppData\Local\Deployment
2014-10-13 17:08 . 2014-10-13 17:08 -------- d-----w- c:\users\bob\AppData\Local\fastplayer
2014-10-13 17:08 . 2014-10-13 17:08 -------- d-----w- c:\windows\SysWow64\Direct3dTextWin32
2014-10-13 09:54 . 2014-10-13 09:54 -------- d-----w- c:\users\bob\AppData\Local\com
2014-10-06 10:50 . 2014-10-06 10:50 -------- d-----w- c:\users\bob\AppData\Local\Apps
2014-10-01 21:04 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-10-01 21:04 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-28 16:30 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-28 16:30 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-16 17:56 . 2014-08-05 20:52 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-10-16 17:14 . 2014-08-12 16:45 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-10-16 17:14 . 2014-08-11 17:13 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-10-16 17:14 . 2014-08-11 17:13 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-10-14 10:52 . 2014-08-06 21:26 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-10 16:51 . 2014-08-06 17:24 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-10 16:51 . 2014-08-06 17:24 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-08-23 02:07 . 2014-08-28 16:00 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 16:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-06 11:53 . 2014-08-06 11:53 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2014-08-06 11:53 . 2014-08-06 11:53 942592 ----a-w- c:\windows\system32\jsIntl.dll
2014-08-06 11:53 . 2014-08-06 11:53 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-08-06 11:53 . 2014-08-06 11:53 81408 ----a-w- c:\windows\system32\icardie.dll
2014-08-06 11:53 . 2014-08-06 11:53 774144 ----a-w- c:\windows\system32\jscript.dll
2014-08-06 11:53 . 2014-08-06 11:53 77312 ----a-w- c:\windows\system32\tdc.ocx
2014-08-06 11:53 . 2014-08-06 11:53 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2014-08-06 11:53 . 2014-08-06 11:53 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2014-08-06 11:53 . 2014-08-06 11:53 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\system32\pngfilt.dll
2014-08-06 11:53 . 2014-08-06 11:53 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2014-08-06 11:53 . 2014-08-06 11:53 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-08-06 11:53 . 2014-08-06 11:53 48128 ----a-w- c:\windows\system32\imgutil.dll
2014-08-06 11:53 . 2014-08-06 11:53 413696 ----a-w- c:\windows\system32\html.iec
2014-08-06 11:53 . 2014-08-06 11:53 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2014-08-06 11:53 . 2014-08-06 11:53 337408 ----a-w- c:\windows\SysWow64\html.iec
2014-08-06 11:53 . 2014-08-06 11:53 30208 ----a-w- c:\windows\system32\licmgr10.dll
2014-08-06 11:53 . 2014-08-06 11:53 247808 ----a-w- c:\windows\system32\msls31.dll
2014-08-06 11:53 . 2014-08-06 11:53 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2014-08-06 11:53 . 2014-08-06 11:53 243200 ----a-w- c:\windows\system32\webcheck.dll
2014-08-06 11:53 . 2014-08-06 11:53 235520 ----a-w- c:\windows\system32\url.dll
2014-08-06 11:53 . 2014-08-06 11:53 235008 ----a-w- c:\windows\system32\elshyph.dll
2014-08-06 11:53 . 2014-08-06 11:53 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2014-08-06 11:53 . 2014-08-06 11:53 167424 ----a-w- c:\windows\system32\iexpress.exe
2014-08-06 11:53 . 2014-08-06 11:53 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2014-08-06 11:53 . 2014-08-06 11:53 147968 ----a-w- c:\windows\system32\occache.dll
2014-08-06 11:53 . 2014-08-06 11:53 143872 ----a-w- c:\windows\system32\wextract.exe
2014-08-06 11:53 . 2014-08-06 11:53 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2014-08-06 11:53 . 2014-08-06 11:53 13824 ----a-w- c:\windows\system32\mshta.exe
2014-08-06 11:53 . 2014-08-06 11:53 135680 ----a-w- c:\windows\system32\iepeers.dll
2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2014-08-06 11:53 . 2014-08-06 11:53 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-08-06 11:53 . 2014-08-06 11:53 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2014-08-06 11:53 . 2014-08-06 11:53 105984 ----a-w- c:\windows\system32\iesysprep.dll
2014-08-06 11:53 . 2014-08-06 11:53 101376 ----a-w- c:\windows\system32\inseng.dll
2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2014-08-06 11:51 . 2014-08-06 11:51 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2014-08-06 11:51 . 2014-08-06 11:51 363008 ----a-w- c:\windows\system32\dxgi.dll
2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 296960 ----a-w- c:\windows\system32\d3d10core.dll
2014-08-06 11:51 . 2014-08-06 11:51 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2014-08-06 11:51 . 2014-08-06 11:51 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-08-06 11:51 . 2014-08-06 11:51 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2014-08-06 11:51 . 2014-08-06 11:51 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2014-08-06 11:51 . 2014-08-06 11:51 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2014-08-06 11:51 . 2014-08-06 11:51 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2014-08-06 11:51 . 2014-08-06 11:51 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2014-08-06 11:51 . 2014-08-06 11:51 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2014-08-06 11:51 . 2014-08-06 11:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2014-08-06 11:51 . 2014-08-06 11:51 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2014-08-06 11:51 . 2014-08-06 11:51 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2014-08-06 11:51 . 2014-08-06 11:51 1238528 ----a-w- c:\windows\system32\d3d10.dll
2014-08-06 11:51 . 2014-08-06 11:51 1175552 ----a-w- c:\windows\system32\FntCache.dll
2014-08-06 11:51 . 2014-08-06 11:51 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2014-08-06 11:51 . 2014-08-06 11:51 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-08-06 10:36 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2014-08-06 10:36 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2014-08-01 11:53 . 2014-09-10 16:33 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-08-01 11:35 . 2014-09-10 16:33 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-07-25 01:35 . 2014-07-25 01:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-24 22:47 . 2014-07-24 22:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-23 12:29 . 2014-08-11 17:13 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2014-07-23 09:52 . 2014-08-05 20:37 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="e:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2014-06-24 4566952]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-09-26 6482200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-10-16 703736]
"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-09-23 165168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - e:\office\OSA9.EXE -b -l [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Direct3dTextWin32;Direct3dTextWin32;c:\windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe;c:\windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-08-06 16:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\e568ifz3.default-1413572278333\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
AddRemove-Tweaking.com - Registry Backup - e:\\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2014-10-17 23:08:33 - machine was rebooted
ComboFix-quarantined-files.txt 2014-10-17 22:08
.
Pre-Run: 3,058,159,616 bytes free
Post-Run: 2,880,585,728 bytes free
.
- - End Of File - - 86462F9CF298AD88E0D36195135629EE
A36C5E4F47E84449FF07ED3517B43A31




I have now got the Avira icon in the system tray, which showed up this morning after ComboFix had been run last night.
(I was wondering whether Spybot and Avira are not running if there are no browsers open.)

My Spybot version is 2.4.40.0 and only has "Help" in the menu bar.
In advanced user mode there is: Report Creator, Settings, Start up tools, System repair, Secure shredder, Rootkit scanner, phone scan, Boot CD creator, Open SBI Editor, Script Editor, Repair Environment.

Does this version of Spybot have "Teatime"? I cannot find any mention of it using the "search".

As for my proxy problem, I followed your instructions using Windows Explorer, run "As Administrator", but as before, after you have clicked OK on both the Proxy window and the Connection window, if you then go back and look it is back to "Use Proxy". The Apply button never lights. I am using an ISDN router connected to a land line with TalkTalk as my provider, so I do not think that it is a TalkTalk requirement.

I have just checked; still getting the extra windows opening.

Juliet
2014-10-18, 15:19
Still have FRST on desktop?

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).



start
CloseProcesses:
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:20194
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download RogueKiller and save it to your desktop.

You can check here (http://support.microsoft.com/kb/827218) if you're not sure if your computer is 32-bit or 64-bit

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) to your desktop.


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.


Please post these 2 logs.

bobbym
2014-10-18, 15:57
Hi,
still getting the unwanted windows.

After running the fix and the computer came back up, I got this when trying to get back to this forum:

The proxy server is refusing connections



Firefox is configured to use a proxy server that is refusing connections.

Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is working.



please find reports requested below

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
Ran by bob at 2014-10-18 13:28:43 Run:2
Running from C:\Users\bob\Desktop
Loaded Profiles: bob (Available profiles: bob)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:20194
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
End
*****************

Processes closed successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
"HKCR\PROTOCOLS\Handler\ipp\0x00000001" => Key not found.
"HKCR\CLSID\{E1D2BF42-A96B-11D1-9C6B-0000F875AC61}" => Key not found.


The system needed a reboot.

==== End of Fixlog ====



RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/18/2014 13:51:07

¤¤¤ Processes : 2 ¤¤¤

¤¤¤ Registry : 23 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:36832 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:36832 -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK

hope these help.

Juliet
2014-10-18, 16:26
In IE, check Tools > Internet Options > Connections tab > LAN Settings. What setting is selected here?

Do you know if you connect through a proxy to connect to the internet?

bobbym
2014-10-18, 16:37
Hi,
I have just checked the proxy settings. They still revert to "use Proxy" after I change them to auto. No, I am sure I should not be using a proxy.

Juliet
2014-10-18, 17:17
run the RogueKiller tool and remove/clean these entries.

[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:36832 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:36832 -> Found


~~~~~~~~~~~~~~~~~~~~~~~~~~

Open Internet Explorer, click on the “gear icon” IE Icon Gear in the upper right part of your browser, then click again on Internet Options.

In the “Internet Options” dialog box, click on the “Advanced” tab, then click on the “Reset” button.
In the “Reset Internet Explorer settings” section, select the “Delete personal settings” check box, then click on “Reset” button.
When Internet Explorer has completed its task, click on the “Close” button in the confirmation dialogue box. You will now need to close your browser, and then you can open Internet Explorer again.


In the upper-right corner of the Firefox window, click the Firefox menu button , then click on the “Help” button.
From the Help menu, choose Troubleshooting Information.
If you’re unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting information page.
Click the “Reset Firefox” button in the upper-right corner of the “Troubleshooting Information” page.
To continue, click on the “Reset Firefox” button in the new confirmation window that opens.

Firefox will close itself and will revert to its default settings. When it’s done, a window will list the information that was imported. Click on the “Finish“.

Note: Your old Firefox profile will be placed on your desktop in a folder named “Old Firefox Data“. If the reset didn’t fix your problem you can restore some of the information not saved by copying files to the new profile that was created. If you don’t need this folder any longer, you should delete it as it contains sensitive information.



Please post the RogueKiller.log.

When the extra window opens, what does it display and can you tell me what site name is in the web bar?

bobbym
2014-10-18, 18:01
Hi,
I have run RogueKiller twice. Each time, the first two lines you wanted cleaned are replaced, the third is deleted, and the fourth gives an error[2] message. All four appeared as in the original scan on the second scan, with the same results.

Proxy setup still refusing to stay in "auto".

bobbym
2014-10-18, 18:02
Also did the browser resets, with no change.

Juliet
2014-10-18, 19:19
Let's try booting into safe mode in case it's being stopped by your onboard security.

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/#windows7


While in safe mode try to redo these settings again.
Open Internet Explorer, click on the “gear icon” IE Icon Gear in the upper right part of your browser, then click again on Internet Options.

In the “Internet Options” dialog box, click on the “Advanced” tab, then click on the “Reset” button.
In the “Reset Internet Explorer settings” section, select the “Delete personal settings” check box, then click on “Reset” button.
When Internet Explorer has completed its task, click on the “Close” button in the confirmation dialogue box. You will now need to close your browser, and then you can open Internet Explorer again.


In the upper-right corner of the Firefox window, click the Firefox menu button , then click on the “Help” button.
From the Help menu, choose Troubleshooting Information.
If you’re unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting information page.
Click the “Reset Firefox” button in the upper-right corner of the “Troubleshooting Information” page.
To continue, click on the “Reset Firefox” button in the new confirmation window that opens.

Firefox will close itself and will revert to its default settings. When it’s done, a window will list the information that was imported. Click on the “Finish“.

Note: Your old Firefox profile will be placed on your desktop in a folder named “Old Firefox Data“. If the reset didn’t fix your problem you can restore some of the information not saved by copying files to the new profile that was created. If you don’t need this folder any longer, you should delete it as it contains sensitive information.



Please post the RogueKiller.log.

When the extra window opens, what does it display and can you tell me what site name is in the web bar?

bobbym
2014-10-18, 22:02
Hi,
sorry, had to stop to go to church.

I have tried running RogueKiller in safe mode and reset the browsers. IE stayed in automatic while in safe mode but reverted to "use Proxy" once run up normally.

I have had a little experience editing the registry on a couple of other computers. If that could be of any help, I would just need a talk-through, though.

Log requested:

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/18/2014 13:51:07

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] JAVAKeyboardNative.exe -- C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe[-] -> Killed [TermProc]
[Suspicious.Path] (SVC) MetafileODBCRoot.exe -- C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe[-] -> ERROR [41c]

¤¤¤ Registry : 23 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:36832 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:36832 -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK
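
The two things the logs above keep showing, a WinINet proxy pointed at 127.0.0.1 that comes back after every cleanup and a service (MetafileODBCRoot.exe) whose binary lives under C:\Users\bob\AppData\Local, can be checked for directly. The following PowerShell script is an added example written for this page; it is not part of the thread and is not code from FRST, RogueKiller or any other tool mentioned here. It assumes PowerShell 3.0 or later and an elevated prompt for reading the Services hive; the function names are my own. It only reports and changes nothing.

```powershell
# Added example for this thread, not code from FRST, RogueKiller or any other tool
# named here. Read-only audit of the two things the logs above keep showing:
# a WinINet proxy pointed at 127.0.0.1 that is re-applied after every cleanup,
# and a service whose binary lives under a user profile (C:\Users\<name>\AppData).
# Assumes PowerShell 3.0+ and an elevated prompt for reading the Services hive.

$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    # Reads the current user's WinINet proxy values (the ones FRST and RogueKiller
    # reported) and attaches a verdict. ProxyEnable is REG_DWORD, the others REG_SZ.
    $p = Get-ItemProperty -Path $ProxyKey -ErrorAction SilentlyContinue
    $enabled = [int]$p.ProxyEnable
    $server  = [string]$p.ProxyServer
    $pac     = [string]$p.AutoConfigURL

    # A proxy on the loopback interface requires a listener on this very machine.
    # Matches "127.0.0.1:8080" as well as "http=127.0.0.1:36832;https=..." forms.
    $loopback = $server -match '(^|=)(127\.0\.0\.1|localhost|\[::1\])(:\d+)?'

    $verdict = 'clean: proxy disabled'
    if ($enabled -eq 1 -and $loopback) { $verdict = 'suspicious: loopback proxy enabled' }
    elseif ($enabled -eq 1)            { $verdict = 'review: proxy enabled, confirm it is yours' }
    elseif ($pac)                      { $verdict = 'review: PAC script configured' }

    [pscustomobject]@{
        ProxyEnable   = $enabled
        ProxyServer   = $server
        AutoConfigURL = $pac
        Verdict       = $verdict
    }
}

function Get-ProfileServices {
    # Lists services whose ImagePath expands to a path inside a user profile's
    # AppData folder. Windows and vendor services live under %SystemRoot% or
    # %ProgramFiles%; a service launched from AppData is the pattern RogueKiller
    # flagged as [Suspicious.Path] in the log above.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) {
            $expanded = [Environment]::ExpandEnvironmentVariables($img)
            if ($expanded -match '\\Users\\[^\\]+\\AppData\\') {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $expanded
                    Status    = (Get-Service -Name $_.PSChildName -ErrorAction SilentlyContinue).Status
                }
            }
        }
    }
}

function Watch-ProxySetting {
    # Polls ProxyEnable/ProxyServer for a while and prints every change with a
    # timestamp. Run it right after clearing the proxy: if the values come back
    # on their own, a live process is rewriting them, which matches what the
    # thread describes (setting reverts in normal mode, holds in safe mode).
    param([int]$Seconds = 30)
    $last = $null
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $p   = Get-ItemProperty -Path $ProxyKey -ErrorAction SilentlyContinue
        $now = '{0}|{1}' -f [int]$p.ProxyEnable, [string]$p.ProxyServer
        if ($now -ne $last) {
            '{0:HH:mm:ss}  ProxyEnable|ProxyServer = {1}' -f (Get-Date), $now
            $last = $now
        }
        Start-Sleep -Seconds 1
    }
}

Get-ProxyAudit | Format-List
Get-ProfileServices | Format-Table -AutoSize
# Watch-ProxySetting -Seconds 30    # uncomment after clearing the proxy to see whether it returns
```

The per-user proxy values are what FRST's ProxyEnable:/ProxyServer: fix lines delete; the service listing explains why deleting them did not stick, since the process re-applying them was still registered to start with Windows. Remediation stays with the helper's tool of choice; this script is for confirming the finding before and after.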

Juliet
2014-10-19, 00:11
Enough to drive ya crazy isn't it?

OK
It doesn't appear to be so much of a malware issue but maybe a setting....Wish I knew.

I had another trusted advisor look in and they thought it possibly is related to
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION

Might be


Let's try this


Download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.


Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"




http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMDashboard_zpsddef9b5f.gif (http://s1269.photobucket.com/user/OCD-WTT/media/MBAMDashboard_zpsddef9b5f.gif.html)



On the Dashboard click on Update Now
Go to the Settings tab
Under Settings go to Detection and Protection
Under PUP and PUM make sure both are set to Treat Detections as Malware
Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
Then on the Dashboard click on Scan
Make sure to select THREAT SCAN
Then click on Scan
When the scan is finished and the log pops up...select Copy to Clipboard
Please paste the log back into this thread for review
Exit Malwarebytes


***************************************

If you already have MBAM on your computer:

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

********************************************


What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.


Go here (http://www.eset.com/us/online-scanner/) to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

Note:
For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked

Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology


Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan.


*************************************

Please post these 2 logs when finished.

Juliet
2014-10-19, 01:07
Let's throw this scan in as well.

Please download Malwarebytes Anti-Rootkit (http://www.malwarebytes.org/products/mbar/) and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page for performing a scan.
Caution: This is a beta version so also read the disclaimer and back up (http://support.microsoft.com/kb/971759) all your data before using.
When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

bobbym
2014-10-19, 01:37
OK
Just finished the ESET scan.

C:\Users\bob\AppData\Roaming\QY JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bob\AppData\Roaming\XZQE JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe a variant of Win32/CNETInstaller.B potentially unwanted application
Operating memory a variant of Win32/AdWare.Pirrit.H application




Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/18/2014
Scan Time: 10:28:59 PM
Logfile: scanlog mwb.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.18.06
Rootkit Database: v2014.10.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: bob

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312707
Time Elapsed: 7 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



Well, well past my bedtime; I will look out for you tomorrow.

Thanks

Juliet
2014-10-19, 04:18
Let's throw this scan in as well. After I see the results from this scan I'll add file deletions.

Also, please make sure your antivirus is enabled.


Please download Malwarebytes Anti-Rootkit (http://www.malwarebytes.org/products/mbar/) and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page for performing a scan.
Caution: This is a beta version so also read the disclaimer and back up (http://support.microsoft.com/kb/971759) all your data before using.
When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

bobbym
2014-10-19, 13:25
Hi
Good morning

I have run Malwarebytes Anti-Rootkit twice: "No Malware Found" both times.

I have checked on another computer in the house; this computer does not need to use proxies, which is probably one or all of the problems.

When you go to "Connections" on this computer all choices are grayed out; on the other computer they are clear.

Still getting unwanted windows.

bobbym
2014-10-19, 14:05
Hi
I have just looked into the registry on this machine. Below are the entries picked up by RogueKiller.

HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

ProxyEnable REG_DWORD 0x0000001 (1)
ProxyHttp1.1 REG_DWORD 0x0000001 (1)
ProxyOverride REG_SZ <local>;*origin.com;*ea.com;*akamaihd.net
ProxyServer REG_SZ http=127.0.0.1.15498

I presume the first two lines should read 0x0000000 (1) or something similar; I will look at my other computer to see what it is like.

hope this helps

bobbym
2014-10-19, 14:16
Ok
on my other computer there is only

ProxyEnable REG_DWORD 0x0000000 (0)

does this help
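
The two sets of Internet Settings values above, triaged by a small added script (not from the thread, RogueKiller or FRST): it reads the "Name Type Data" lines as the tool printed them and flags ProxyEnable=1 pointing at a loopback address, the pattern this thread is chasing. The sample inputs are constructed from the two machines' values; the infected machine's port is taken from the FRST fixlist with a colon, as FRST reports it.

```python
"""
Triage of the Internet Settings values pasted in this thread (added example,
not from the thread or from RogueKiller/FRST). It reads 'Name Type Data'
lines as the tool printed them and decides whether the user's proxy
configuration matches the loopback-proxy hijack being chased here.
"""
import ipaddress
import re

# Constructed from the infected machine's paste; the port is written with a
# colon as FRST reported it (the paste above shows "127.0.0.1.15498").
INFECTED = """\
ProxyEnable REG_DWORD 0x0000001 (1)
ProxyHttp1.1 REG_DWORD 0x0000001 (1)
ProxyOverride REG_SZ <local>;*origin.com;*ea.com;*akamaihd.net
ProxyServer REG_SZ http=127.0.0.1:34484
"""

# Constructed from the clean machine in the same house.
CLEAN = """\
ProxyEnable REG_DWORD 0x0000000 (0)
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_values(text):
    """Return {name: data} from 'Name Type Data' lines; blank lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised registry line: {line!r}")
        values[m.group("name")] = m.group("data").strip()
    return values


def dword(data):
    """'0x0000001 (1)' -> 1; also accepts a bare decimal or hex literal."""
    m = re.search(r"\((\d+)\)", data)
    return int(m.group(1)) if m else int(data, 0)


def parse_proxy_server(data):
    """
    ProxyServer is either 'host:port' (used for every protocol, key '*')
    or a ';'-separated list of 'scheme=host:port'. Returns {scheme: (host, port)}.
    """
    servers = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        servers[scheme or "*"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return servers


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def assess(text):
    """
    Classify one machine's values. Returns (verdict, reasons) where verdict is
    'clean', 'proxy-configured' (a real proxy) or 'suspicious-loopback-proxy'.
    """
    v = parse_values(text)
    reasons = []
    if dword(v.get("ProxyEnable", "0")) != 1:
        return "clean", reasons
    servers = parse_proxy_server(v.get("ProxyServer", ""))
    if not servers:
        reasons.append("ProxyEnable=1 but ProxyServer is empty")
        return "proxy-configured", reasons
    loopback = {s: hp for s, hp in servers.items() if is_loopback(hp[0])}
    if not loopback:
        return "proxy-configured", reasons
    for scheme, (host, port) in loopback.items():
        reasons.append(f"{scheme} traffic is routed through a local listener at {host}:{port}")
    # The hijack in this thread also exempts a few external domains; list them
    # so the reader can see what the proxy deliberately leaves alone.
    exempt = [o for o in v.get("ProxyOverride", "").split(";") if o and o != "<local>"]
    if exempt:
        reasons.append("ProxyOverride exempts: " + ", ".join(exempt))
    return "suspicious-loopback-proxy", reasons


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN)):
        verdict, why = assess(sample)
        print(f"{label}: {verdict}")
        for reason in why:
            print("  -", reason)
```

A verdict of proxy-configured with a non-loopback host is what a genuine corporate proxy looks like; the loopback verdict with a changing high port, as seen across the logs in this thread, is the one to act on.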

Juliet
2014-10-19, 15:55
Morning.

Let's try to remove the infections found by Eset first.


Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)



start
CloseProcesses:
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
Folder:
C:\Users\bob\AppData\Roaming\QY
C:\Users\bob\AppData\Roaming\XZQE
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.




~~~~~~~~~~~~~~~~~~~~~~~

From here I want you to download and scan with Hitman Pro.
After you download and install please boot into safe mode to run the scan.

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

HitmanPro


Please download HitmanPro (http://www.bleepingcomputer.com/download/hitmanpro/).
Launch the program by double clicking on the http://i.imgur.com/5vo5F.jpg icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
Click on the next button. You must agree with the terms of EULA.
Check the box beside "No, I only want to perform a one-time scan to check this computer".
Click on the next button.
The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
Click on the next button.
Click on the "Export scan results to XML file".
Save that file to your desktop and zip and attach it in your next reply.



Check proxy connections after running this fix.


IF the proxy has set itself back, also save these instructions in case the need to be reversed.

You feel comfortable in the registry?

Click Start > type regedit in the search field and press Enter.

Expand the HKEY_CURRENT_USER hive by clicking on the "+" sign next to it. Continue expanding "Software," "Microsoft," "Windows" and "CurrentVersion," then click on the "Internet Settings" subkey or folder.
View the contents of the Internet Settings folder on the right pane. Double-click on the "ProxyEnable" DWORD value to open the "Edit DWORD Value" window. Change "Value data" to "1" and press "OK" to confirm.
Double-click on the "ProxyServer" string value.
Reboot the machine.
Has it gone now?

bobbym
2014-10-19, 16:41
Hi
OK, here are the 2 reports


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
Ran by bob at 2014-10-19 14:01:36 Run:3
Running from C:\Users\bob\Desktop
Loaded Profiles: bob (Available profiles: bob)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
Folder:
C:\Users\bob\AppData\Roaming\QY
C:\Users\bob\AppData\Roaming\XZQE
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End
*****************

Processes closed successfully.
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe => Moved successfully.
uInternet Settings,ProxyServer = http=127.0.0.1:34484 => Error: No automatic fix found for this entry.
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net => Error: No automatic fix found for this entry.

========================= Folder: ========================

Directory Not Found
C:\Users\bob\AppData\Roaming\QY => Moved successfully.
C:\Users\bob\AppData\Roaming\XZQE => Moved successfully.

========= ipconfig /flushdns =========


========= End of CMD: =========


========= netsh winsock reset all =========


========= End of CMD: =========


========= netsh int ipv4 reset =========


========= End of CMD: =========


========= netsh int ipv6 reset =========


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog ====




<?xml version="1.0"?>

<Log filesProcessed="20196" timeSpentInSecs="59" date="2014-10-19T14:14:57" version="3.7.9.225" scan="Normal" windows="6.1.1.7601.X64/2" computer="BOB-PC">


<Item status="None" score="24.0" type="Suspicious">
<File path="C:\Users\bob\Desktop\FRST-OlderVersion\FRST64.exe" hash="9E08075333C377229E2763BC669558FC99F9BD3AB1FE14882E581D2F74E9A5BC"/>
</Item>

<Item status="None" score="24.0" type="Suspicious">
<File path="C:\Users\bob\Desktop\FRST64.exe" hash="88DAA88F206F6E230A885CD4FD6F165D3042C459C6A7AAF3EFACB11C7577EE70"/>
</Item>

<Item status="None" score="27.0" type="Suspicious">
<File path="C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe" hash="0FF64DCE66D4C4412C52B933133B7ED63E195286238437AD873E1AA29DD0BF2A"/>
<Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\Direct3dTextWin32\"/>
</Startup>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\RST\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\SI-App\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\Upt\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\WinUpd\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\Wow6432Node\RST\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\Wow6432Node\SI-App\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\Wow6432Node\Upt\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\Wow6432Node\WinUpd\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>
</Item>

<Item status="None" score="0.0" type="PUP">
<File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\"/>
</Item>

<Item status="None" score="0.0" type="Repair">
<File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
</Item>

</Log>



In your regedit instructions you specified changing the "Value data" to "1"; as it was already "1", I changed it to "0" like my other computer.
The next line,
Double-click on the "ProxyServer" string value.
gave no info as to what to do, so I deleted the string value.

I did all the above in safe mode.

Checking proxy settings when the computer is run up normally, they are still reverting to "use proxy" and the page is grayed out.

A quick check on the registry sees the edits reverted back as they were. I have just edited all four, the first two to "0" and the last two to blank.
I will post this then reboot to see if the registry is still reverting back.
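
The HitmanPro XML log above, triaged by an added script (not from the thread and not HitmanPro's own code): it drops the zero-score tracking cookies, lets the analyst set aside the hash of their own tool (FRST64 was flagged as suspicious here), and surfaces any persistence the scanner tied to a file, which is how the Direct3dTextWin32 service stands out. SAMPLE_LOG is constructed from entries in the posted log.

```python
"""
Triage of a HitmanPro XML scan log (added example, not part of the thread
and not HitmanPro's own code). Zero-score cookies are dropped, known analyst
tools are excluded by hash, and items carrying a Startup/Key persistence
entry are listed first. SAMPLE_LOG is constructed from the posted log.
"""
import xml.etree.ElementTree as ET

SAMPLE_LOG = r"""<?xml version="1.0"?>
<Log filesProcessed="20196" timeSpentInSecs="59" date="2014-10-19T14:14:57" version="3.7.9.225" scan="Normal" computer="BOB-PC">
<Item status="None" score="0.0" type="Cookie">
<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:doubleclick.net"/>
</Item>
<Item status="None" score="24.0" type="Suspicious">
<File path="C:\Users\bob\Desktop\FRST64.exe" hash="88DAA88F206F6E230A885CD4FD6F165D3042C459C6A7AAF3EFACB11C7577EE70"/>
</Item>
<Item status="None" score="27.0" type="Suspicious">
<File path="C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe" hash="0FF64DCE66D4C4412C52B933133B7ED63E195286238437AD873E1AA29DD0BF2A"/>
<Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\Direct3dTextWin32\"/>
</Startup>
</Item>
<Item status="None" score="0.0" type="PUP">
<File path="HKLM\SOFTWARE\RST\"/>
</Item>
<Item status="None" score="0.0" type="PUP">
<File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\"/>
</Item>
<Item status="None" score="0.0" type="Repair">
<File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
</Item>
</Log>
"""

# The analyst's own tool on the desktop; hash taken from the posted log.
# Only add a hash here after confirming it matches the copy you downloaded.
KNOWN_TOOL_HASHES = frozenset({
    "88DAA88F206F6E230A885CD4FD6F165D3042C459C6A7AAF3EFACB11C7577EE70",  # FRST64.exe
})


def parse_log(xml_text):
    """Flatten each <Item> into a dict; an item may carry several Startup keys."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.findall("Item"):
        file_el = item.find("File")
        findings.append({
            "type": item.get("type"),
            "score": float(item.get("score", "0")),
            "path": file_el.get("path") if file_el is not None else "",
            "hash": (file_el.get("hash") or "").upper() if file_el is not None else "",
            "persistence": [k.get("path") for k in item.findall("Startup/Key")],
        })
    return findings


def triage(findings, known_hashes=KNOWN_TOOL_HASHES):
    """
    Keep what merits attention, most urgent first: items with persistence,
    then by descending score. Zero-score cookies and known tools are dropped.
    """
    keep = [f for f in findings
            if not (f["type"] == "Cookie" and f["score"] == 0.0)
            and f["hash"] not in known_hashes]
    keep.sort(key=lambda f: (not f["persistence"], -f["score"]))
    return keep


def summarize(findings):
    """One line per kept finding, ready to paste back into a thread."""
    lines = []
    for f in triage(findings):
        line = f'{f["type"]:<10} score={f["score"]:>5}  {f["path"]}'
        for key in f["persistence"]:
            line += f"\n           persists via {key}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_log(SAMPLE_LOG))))
```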

bobbym
2014-10-19, 16:47
OK
So I have just rebooted. The registry entries for the proxy are all still there as before. They must have something hidden somewhere else to put it all back.

Juliet
2014-10-19, 20:08
Hitman found this
C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe

Is this something you downloaded?

It also found FRST as suspicious...just look over that.

Also please download Windows Repair (all in one) from here (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)

http://www.bleepstatic.com/download/screenshots/w/windows-repair-all-in-one-portable/step-4-tab.jpg
Install the program then go to step 4 and create a new system restore point and new registry backup.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:
http://i1.ifrm.com/228/109/upload/p22001645.gif



NEXT
On the Start Repairs tab => Click the Start
http://www.bleepstatic.com/download/screenshots/w/windows-repair-all-in-one-portable/start-repairs-tab.jpg


Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):
http://i1.ifrm.com/228/109/upload/p22001647.gif

Click on box next to the Restart System when Finished. Then click on Start.

~~~~~~~~~~~~~~~~~~~~~~~

Please download MiniToolBox http://www.bleepingcomputer.com/download/minitoolbox/
save it to your desktop and run it.

Checkmark the following check-boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

Juliet
2014-10-19, 20:21
Also, since your reading and editing won't work, let's give this a try

Go to the Google Chrome icon, right click and open it with "Run as Administrator."
3 horizontal lines. Click with left button, down to settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Setting Box as in Internet Explorer.

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click on your right mouse button and on the drop down menu, open it with "Run as Administrator."

B. When you do this, then a box opens and it asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.

bobbym
2014-10-19, 21:40
Hi
Well, I have run the repair and MiniToolBox.

results

MiniToolBox by Farbar Version: 21-07-2014
Ran by bob (administrator) on 19-10-2014 at 19:33:27
Running from "C:\Users\bob\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:30403

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Generic Marvell Yukon 88E8056 based Ethernet Controller = Local Area Connection 2 (Connected)
Intel(R) 82566DM Gigabit Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : bob-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dlink.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : dlink.com
Description . . . . . . . . . . . : Generic Marvell Yukon 88E8056 based Ethernet Controller
Physical Address. . . . . . . . . : 00-01-29-23-35-16
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c088:257:4060:5f84%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 19, 2014 7:20:15 PM
Lease Expires . . . . . . . . . . : Monday, October 20, 2014 7:20:15 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 301990185
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-72-F3-F7-00-01-29-22-D3-6E
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82566DM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-01-29-22-D3-6E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.dlink.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : dlink.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{3C5DAC5B-C32C-4CE0-AE74-B6CCD5F04F22}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2d:3477:3f57:fefa(Preferred)
Link-local IPv6 Address . . . . . : fe80::2d:3477:3f57:fefa%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.1.1

Name: google.com.dlink.com
Address: 92.242.132.16


Pinging google.com [74.125.230.103] with 32 bytes of data:
Reply from 74.125.230.103: bytes=32 time=28ms TTL=56
Reply from 74.125.230.103: bytes=32 time=27ms TTL=56

Ping statistics for 74.125.230.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 28ms, Average = 27ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com.dlink.com
Address: 92.242.132.16


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=185ms TTL=50
Reply from 206.190.36.45: bytes=32 time=180ms TTL=50

Ping statistics for 206.190.36.45:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 180ms, Maximum = 185ms, Average = 182ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
12...00 01 29 23 35 16 ......Generic Marvell Yukon 88E8056 based Ethernet Controller
10...00 01 29 22 d3 6e ......Intel(R) 82566DM Gigabit Network Connection
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.5 276
192.168.1.5 255.255.255.255 On-link 192.168.1.5 276
192.168.1.255 255.255.255.255 On-link 192.168.1.5 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.5 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.5 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:5ef5:79fd:2d:3477:3f57:fefa/128
On-link
12 276 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::2d:3477:3f57:fefa/128
On-link
12 276 fe80::c088:257:4060:5f84/128
On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
12 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


System errors:
=============
Error: (10/19/2014 07:22:52 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:22:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 07:22:15 PM) (Source: Service Control Manager) (User: )

Error: (10/19/2014 07:20:46 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:20:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 07:18:03 PM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (10/19/2014 07:00:23 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:00:16 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 06:59:46 PM) (Source: Service Control Manager) (User: )

Error: (10/19/2014 06:58:19 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053


Microsoft Office Sessions:
=========================
Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


CodeIntegrity Errors:
===================================
Date: 2014-10-17 23:03:37.584
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-10-17 23:03:37.459
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.



=========================== Installed Programs ============================
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Avira (HKLM-x32\...\{9bd9b85e-7792-483b-a318-cc51ff0877ed}) (Version: 1.1.22.50000 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.22.50000 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
Microsoft Office 2000 Disc 2 (HKLM-x32\...\{00040409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.0 - Tweaking.com)
Tweaking.com - Windows Repair (All in One) (HKLM-x32\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.9.2 - Tweaking.com)
Winmail Opener 1.6 (HKLM-x32\...\Winmail Opener) (Version: 1.6 - Eolsoft)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 4086.18 MB
Available physical RAM: 3015.2 MB
Total Pagefile: 8170.54 MB
Available Pagefile: 6757.97 MB
Total Virtual: 4095.88 MB
Available Virtual: 3980.67 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:29.72 GB) (Free:2.93 GB) NTFS
3 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS
4 Drive e: (New Volume) (Fixed) (Total:26.37 GB) (Free:24.94 GB) NTFS
5 Drive f: (New Volume) (Fixed) (Total:29.55 GB) (Free:29.43 GB) NTFS
7 Drive h: () (Fixed) (Total:298.09 GB) (Free:295.59 GB) NTFS

========================= Users: ========================================

User accounts for \\BOB-PC

Administrator bob Guest

========================= Minidump Files ==================================

No minidump file found


**** End of log ****



I have carried out the IE part but it is still not staying in Auto; it is still grayed out.

Still getting the unwanted windows.

bobbym
2014-10-19, 22:53
Hi
Just checked the registry; there is no sign of the entries there, but the proxy address is still being put into the "use proxy" window.

bobbym
2014-10-20, 00:51
Hi
Well, it's my bedtime again; will look out for you tomorrow.

thanks

Juliet
2014-10-20, 01:21
Also, since your reading and editing won't work, let's give this a try.

Go to the Google Chrome icon, right-click and open it with "Run as Administrator."
Click the 3 horizontal lines with the left button, go down to Settings, then to Advanced Settings towards the bottom, to CHANGE PROXY SETTINGS. This brings up the same Settings box as in Internet Explorer.

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click your right mouse button and on the drop-down menu, open it with "Run as Administrator."

B. When you do this, a box opens and it asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (if you don't see one, then click on the gray bar just under the dark blue Internet Explorer bar with your right mouse button and check Menu). On the Menu bar, go to Tools and then, on the drop-down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.
Try the above?

It's rather awkward that while in safe mode the settings stay as expected. When booting into normal mode the settings are reverted.
For instance, an item in your startup list that should be removed? Antivirus disabled while changing the setting?

I'm running out of ideas, or close to it. Will ask other malware techs to step in and offer suggestions.

A couple of things we can do

The below is for a Linksys router but most follow the same instructions.
http://kb.linksys.com/Linksys/GetArticle.aspx?docid=1e97db4854604b0fb5cc8c0d74491e35_19584.xml&pid=80&converted=0


Connect through a Cable or DSL modem?

Turn the modem off. Wait 3 to 5 minutes and turn it back on. Wait for all lights to stop blinking and check the setting again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


This will produce a log. Please post this in your next reply.

bobbym
2014-10-20, 11:42
Hi
Good morning

The first Rkill.EXE worked fine.

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/20/2014 09:36:24 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe (PID: 1744) [UP-HEUR]
* C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe (PID: 1252) [UP-HEUR]

2 proccesses terminated!

Active Proxy Server Detected

* Proxy Disabled.
* ProxyOverride value deleted.
* ProxyServer value deleted.
* AutoConfigURL value deleted.
* Proxy settings were backed up to Registry file.

Checking Registry for malware related settings:

* No issues found in the Registry.

Backup Registry file created at:
C:\Users\bob\Desktop\rkill\rkill-10-20-2014-09-36-34.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* Reparse Point/Junctions Found (Most likely legitimate)!

* C:\Windows\AppPatch\spbin => C:\PROGRA~2\SearchProtect\SearchProtect\bin [Dir]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Program finished at: 10/20/2014 09:38:05 AM
Execution time: 0 hours(s), 1 minute(s), and 41 seconds(s)

I will run RogueKiller again; if it finds anything I will post it as well.

bobbym
2014-10-20, 12:02
Hi
This is the new RogueKiller report.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 09:56:38

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] JAVAKeyboardNative.exe -- C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe[-] -> Killed [TermProc]
[Suspicious.Path] (SVC) MetafileODBCRoot.exe -- C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe[-] -> ERROR [41c]

¤¤¤ Registry : 23 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log - RKreport_SCN_10182014_155304.log
RKreport_SCN_10182014_194825.log

Probably the same as the original.

bobbym
2014-10-20, 12:25
Hi

The Suspicious.Path JAVAKeyboardNative.exe C:\Users\Bob\AppData\

This is not found on the C drive. There is no AppData file/folder.

The first folder is Contacts.

Is this something to do with the HideDesktopIcons in the last three lines? Possibly not.

Could all the files found be deleted without harm?

bobbym
2014-10-20, 13:42
Hi again
Well, I went to Services to put Windows Defender back to Auto as it was in Manual.

While I was there I looked at what else was running in Auto and Manual. Remote Desktop was in Auto so I put that to Manual. I also noted

Metafile ODBCRoot.EXE was in AUTO; I changed it to Manual. I checked on my other computer and this line was not in its Services, so I was fairly confident I wouldn't muck everything up.

I went to Regedit and edited the four Proxy lines that were again there. I changed the first two to "(0)"; the last two I left blank.

I rebooted the computer as there was no option to STOP the Metafile ODBCRoot.EXE and it was still running in Services.

When the computer was up, I checked the Proxy settings. I was able to change the settings to Auto and it stayed that way; interesting, as they are still grayed out. But hey, at least it worked.

I have tried the normal things that cause the unwanted windows to open and as yet no unwanted windows!

So can I/we delete all the Metafile ODBCRoot.EXE entries, or are they "needed"?

Juliet
2014-10-20, 13:42
C:\Users\bob\AppData
Application Data folder

C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
Is this something you downloaded or was it preinstalled?
Open Database Connectivity (ODBC)

C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
Is this something you downloaded or was it preinstalled?

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please run Rogue killer again and place a check mark by these entries.


[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.


Folder::
C:\SearchProtect
C:\Program Files (x86)\SearchProtect
C:\Windows\SysWOW64\SearchProtect
ClearJavaCache::


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.


Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
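The items the logs in this thread keep flagging (the per-user proxy values under Internet Settings, a service whose binary lives under AppData, and the Defender and firewall policy values Rkill reports) can be audited in one read-only PowerShell pass. This is an added example for this thread, not a script from Juliet or from Rkill, RogueKiller or ComboFix; the function name is assumed and nothing in it modifies the system.

```powershell
# Added read-only audit (not from this thread or from Rkill/RogueKiller/ComboFix).
# Reports the items the logs above flag; changes nothing. Run from an elevated
# PowerShell prompt (right-click -> Run as Administrator). Function name assumed.
function Get-ProxyHijackFindings {
    $findings = @()

    # 1. Per-user WinINET proxy values: the [PUM.Proxy] entries in the RogueKiller log.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet) {
        if ($inet.ProxyEnable -eq 1) {
            $findings += "ProxyEnable=1 for current user, ProxyServer='$($inet.ProxyServer)'"
        }
        if ($inet.AutoConfigURL) {
            $findings += "AutoConfigURL (PAC script) set: '$($inet.AutoConfigURL)'"
        }
        # A proxy on the local machine means a local process relays the browser's
        # traffic; find what is listening on that port and which binary it is.
        if ($inet.ProxyServer -match '(?:^|=)(?:127\.0\.0\.1|localhost):(\d+)') {
            $port = $Matches[1]
            $pattern = "TCP\s+\S+:$port\s+\S+\s+LISTENING\s+(\d+)"
            foreach ($line in (netstat -ano | Select-String -Pattern $pattern)) {
                $procId = [int]$line.Matches[0].Groups[1].Value
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $path = if ($proc) { $proc.Path } else { 'unknown' }
                $findings += "Local proxy port $port is owned by PID $procId ($path)"
            }
        }
    }

    # 2. Services whose binary lives under a user profile: the [Suspicious.Path]
    #    entries. Genuine Windows services do not run from AppData.
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if ($svc.PathName -match '\\Users\\[^\\]+\\AppData\\') {
            $findings += "Service '$($svc.Name)' (StartMode=$($svc.StartMode), State=$($svc.State)) runs from $($svc.PathName)"
        }
    }

    # 3. Protection switched off by registry policy, as Rkill's miscellaneous
    #    checks report. Defender being off commonly happens when a third-party AV
    #    (such as the Avira listed above) is installed, so confirm rather than
    #    assume; the firewall being off by policy is worth investigating.
    $wd = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    if ($wd -and $wd.DisableAntiSpyware -eq 1) {
        $findings += 'Windows Defender disabled via DisableAntiSpyware=1 (check whether another AV owns this)'
    }
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw = Get-ItemProperty $fwKey -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -eq 0) {
        $findings += 'Windows Firewall (standard profile) disabled via EnableFirewall=0'
    }

    return $findings
}

# Wrap in @() so a single finding is still reported as a one-element array.
$result = @(Get-ProxyHijackFindings)
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Run it before and after a reboot: a proxy value or service entry that comes back on its own after being cleared, as happened in this thread, points to a persistence mechanism that still needs removing.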

bobbym
2014-10-20, 14:38
Hi
Just to start: as I had already edited the proxy settings in the registry, this is the RogueKiller file before any deletions you have asked for. As you see, there are only the last four that match your request.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 12:19:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 19 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetApiBufferFree : C:\Windows\system32\netutils.dll @ 0x734a13d2
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetUserGetInfo : C:\Windows\system32\SAMCLI.DLL @ 0x73561be2
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x73a21b72
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log - RKreport_SCN_10182014_155304.log
RKreport_SCN_10182014_194825.log - RKreport_SCN_10202014_095634.log

This is after the deletions requested.


RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 12:36:16

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 15 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetApiBufferFree : C:\Windows\system32\netutils.dll @ 0x734a13d2
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetUserGetInfo : C:\Windows\system32\SAMCLI.DLL @ 0x73561be2
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x73a21b72
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log - RKreport_SCN_10182014_155304.log
RKreport_SCN_10182014_194825.log - RKreport_SCN_10202014_095634.log - RKreport_SCN_10202014_121900.log - RKreport_DEL_10202014_122325.log


I have to go out for a few hours but should be back before 5 o'clock my time (UK).

bobbym
2014-10-20, 15:10
Your ComboFix report:

ComboFix 14-10-15.01 - bob 10/20/2014 13:01:09.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4086.2712 [GMT 1:00]
Running from: c:\users\bob\Desktop\ComboFix.exe
Command switches used :: c:\users\bob\Desktop\CFScript.txt
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
.
.
((((((((((((((((((((((((( Files Created from 2014-09-20 to 2014-10-20 )))))))))))))))))))))))))))))))
.
.
2014-10-20 12:04 . 2014-10-20 12:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-19 19:19 . 2014-10-19 19:19 -------- d-----w- C:\SUPERDelete
2014-10-19 19:11 . 2014-10-19 19:11 -------- d-----w- c:\users\bob\AppData\Roaming\SUPERAntiSpyware.com
2014-10-19 19:11 . 2014-10-19 19:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-10-19 18:19 . 2014-10-19 18:23 -------- d-----w- c:\windows\system32\catroot2
2014-10-19 17:51 . 2014-10-19 18:15 -------- d-----w- c:\windows\SysWow64\wbem\Performance
2014-10-19 13:14 . 2014-10-19 13:14 32512 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-10-19 13:10 . 2014-10-19 13:24 -------- d-----w- c:\programdata\HitmanPro
2014-10-19 09:59 . 2014-10-19 10:14 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-10-18 12:35 . 2014-10-20 11:04 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-18 12:35 . 2014-10-18 12:35 -------- d-----w- c:\programdata\RogueKiller
2014-10-17 13:43 . 2014-10-17 13:43 -------- d-----w- c:\windows\ERUNT
2014-10-17 13:33 . 2014-10-17 13:36 -------- d-----w- C:\AdwCleaner
2014-10-17 13:10 . 2014-10-17 13:10 -------- d-----w- c:\windows\system32\appmgmt
2014-10-16 17:55 . 2014-09-19 01:26 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-10-16 17:54 . 2014-09-13 01:58 77312 ----a-w- c:\windows\system32\packager.dll
2014-10-16 17:54 . 2014-09-13 01:40 67072 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-16 17:36 . 2014-10-19 13:01 -------- d-----w- C:\FRST
2014-10-16 17:27 . 2014-10-16 17:27 -------- d-----w- C:\RegBackup
2014-10-15 09:13 . 2014-10-15 09:13 -------- d-----w- c:\program files\CCleaner
2014-10-14 17:08 . 2014-10-14 17:08 -------- d-----w- c:\users\bob\AppData\Local\CheckCode
2014-10-13 17:09 . 2014-10-13 17:09 -------- d-----w- c:\users\bob\AppData\Local\Deployment
2014-10-13 17:08 . 2014-10-19 19:28 -------- d-----w- c:\windows\SysWow64\Direct3dTextWin32
2014-10-13 17:07 . 2014-10-13 18:05 -------- d-----w- c:\users\bob\AppData\Local\MetafileODBCRoot
2014-10-13 09:54 . 2014-10-13 09:54 -------- d-----w- c:\users\bob\AppData\Local\com
2014-10-06 10:50 . 2014-10-06 10:50 -------- d-----w- c:\users\bob\AppData\Local\Apps
2014-10-01 21:04 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-10-01 21:04 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-28 16:30 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-28 16:30 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-19 09:59 . 2014-08-06 21:26 128728 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-19 09:58 . 2014-08-06 21:25 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-16 17:56 . 2014-08-05 20:52 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-10-16 17:14 . 2014-08-12 16:45 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-10-16 17:14 . 2014-08-11 17:13 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-10-16 17:14 . 2014-08-11 17:13 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-09-10 16:51 . 2014-08-06 17:24 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-10 16:51 . 2014-08-06 17:24 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-08-23 02:07 . 2014-08-28 16:00 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 16:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-06 11:53 . 2014-08-06 11:53 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2014-08-06 11:53 . 2014-08-06 11:53 942592 ----a-w- c:\windows\system32\jsIntl.dll
2014-08-06 11:53 . 2014-08-06 11:53 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-08-06 11:53 . 2014-08-06 11:53 81408 ----a-w- c:\windows\system32\icardie.dll
2014-08-06 11:53 . 2014-08-06 11:53 774144 ----a-w- c:\windows\system32\jscript.dll
2014-08-06 11:53 . 2014-08-06 11:53 77312 ----a-w- c:\windows\system32\tdc.ocx
2014-08-06 11:53 . 2014-08-06 11:53 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2014-08-06 11:53 . 2014-08-06 11:53 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2014-08-06 11:53 . 2014-08-06 11:53 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\system32\pngfilt.dll
2014-08-06 11:53 . 2014-08-06 11:53 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2014-08-06 11:53 . 2014-08-06 11:53 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-08-06 11:53 . 2014-08-06 11:53 48128 ----a-w- c:\windows\system32\imgutil.dll
2014-08-06 11:53 . 2014-08-06 11:53 413696 ----a-w- c:\windows\system32\html.iec
2014-08-06 11:53 . 2014-08-06 11:53 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2014-08-06 11:53 . 2014-08-06 11:53 337408 ----a-w- c:\windows\SysWow64\html.iec
2014-08-06 11:53 . 2014-08-06 11:53 30208 ----a-w- c:\windows\system32\licmgr10.dll
2014-08-06 11:53 . 2014-08-06 11:53 247808 ----a-w- c:\windows\system32\msls31.dll
2014-08-06 11:53 . 2014-08-06 11:53 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2014-08-06 11:53 . 2014-08-06 11:53 243200 ----a-w- c:\windows\system32\webcheck.dll
2014-08-06 11:53 . 2014-08-06 11:53 235520 ----a-w- c:\windows\system32\url.dll
2014-08-06 11:53 . 2014-08-06 11:53 235008 ----a-w- c:\windows\system32\elshyph.dll
2014-08-06 11:53 . 2014-08-06 11:53 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2014-08-06 11:53 . 2014-08-06 11:53 167424 ----a-w- c:\windows\system32\iexpress.exe
2014-08-06 11:53 . 2014-08-06 11:53 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2014-08-06 11:53 . 2014-08-06 11:53 147968 ----a-w- c:\windows\system32\occache.dll
2014-08-06 11:53 . 2014-08-06 11:53 143872 ----a-w- c:\windows\system32\wextract.exe
2014-08-06 11:53 . 2014-08-06 11:53 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2014-08-06 11:53 . 2014-08-06 11:53 13824 ----a-w- c:\windows\system32\mshta.exe
2014-08-06 11:53 . 2014-08-06 11:53 135680 ----a-w- c:\windows\system32\iepeers.dll
2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2014-08-06 11:53 . 2014-08-06 11:53 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-08-06 11:53 . 2014-08-06 11:53 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2014-08-06 11:53 . 2014-08-06 11:53 105984 ----a-w- c:\windows\system32\iesysprep.dll
2014-08-06 11:53 . 2014-08-06 11:53 101376 ----a-w- c:\windows\system32\inseng.dll
2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2014-08-06 11:51 . 2014-08-06 11:51 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2014-08-06 11:51 . 2014-08-06 11:51 363008 ----a-w- c:\windows\system32\dxgi.dll
2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 296960 ----a-w- c:\windows\system32\d3d10core.dll
2014-08-06 11:51 . 2014-08-06 11:51 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2014-08-06 11:51 . 2014-08-06 11:51 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-08-06 11:51 . 2014-08-06 11:51 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2014-08-06 11:51 . 2014-08-06 11:51 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2014-08-06 11:51 . 2014-08-06 11:51 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2014-08-06 11:51 . 2014-08-06 11:51 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2014-08-06 11:51 . 2014-08-06 11:51 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2014-08-06 11:51 . 2014-08-06 11:51 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2014-08-06 11:51 . 2014-08-06 11:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2014-08-06 11:51 . 2014-08-06 11:51 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2014-08-06 11:51 . 2014-08-06 11:51 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2014-08-06 11:51 . 2014-08-06 11:51 1238528 ----a-w- c:\windows\system32\d3d10.dll
2014-08-06 11:51 . 2014-08-06 11:51 1175552 ----a-w- c:\windows\system32\FntCache.dll
2014-08-06 11:51 . 2014-08-06 11:51 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2014-08-06 11:51 . 2014-08-06 11:51 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-08-06 10:36 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2014-08-06 10:36 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2014-08-01 11:53 . 2014-09-10 16:33 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-08-01 11:35 . 2014-09-10 16:33 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-07-25 01:35 . 2014-07-25 01:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-24 22:47 . 2014-07-24 22:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-23 12:29 . 2014-08-11 17:13 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2014-07-23 09:52 . 2014-08-05 20:37 270496 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="e:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2014-06-24 4566952]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-09-26 6482200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-10-16 703736]
"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-09-23 165168]
"SDTray"="e:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - e:\office\OSA9.EXE -b -l [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MetafileODBCRoot.exe;MetafileODBCRoot.exe;c:\users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe;c:\users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 SASKUTIL;SASKUTIL;h:\superantispyware\SASKUTIL64.SYS;h:\superantispyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;h:\superantispyware\SASCORE64.EXE;h:\superantispyware\SASCORE64.EXE [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-08-06 16:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
Toolbar-Locked - (no file)
.
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2014-10-20 13:08:13 - machine was rebooted
ComboFix-quarantined-files.txt 2014-10-20 12:08
ComboFix2.txt 2014-10-17 22:08
.
Pre-Run: 2,541,838,336 bytes free
Post-Run: 2,453,569,536 bytes free
.
- - End Of File - - 139B7F49CDECBB27F2EF2A8EB362B1EE
A36C5E4F47E84449FF07ED3517B43A31


Right, I'm off; I'll get back to you later. Thanks.

bobbym
2014-10-20, 15:13
Sorry, forgot to say: no, I did not knowingly install this. I thought it might have been Windows 7 software.

C:\Users\bob\AppData
Application Data folder

C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
Is this something you downloaded or was it preinstalled?
Open Database Connectivity (ODBC)

C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
Is this something you downloaded or was it preinstalled?

Juliet
2014-10-20, 15:50
C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
The above: all I could find was related to a game, perhaps Android?


When the computer was run up, I checked the Proxy settings. I was able to change the settings to Auto and it stayed that way; interesting, as they are still grayed out. But hey, at least it worked.
I have tried the normal things that cause the unwanted windows to open, and as yet no unwanted windows!
So can I/we delete all the MetafileODBCRoot.exe entries, or are they "needed"?

Let's keep our fingers crossed here......
The goal of ODBC is to make it possible to access any data from any application. Could be later on you'll have something not connecting, but if it gives this type of problem I wouldn't want it.

Let's see if ComboFix can take it out.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (*Do Not Use WordPad* or any text editor other than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

Driver::
MetafileODBCRoot.exe
MetafileODBCRoot
File::
C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
c:\users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
Folder::
c:\users\bob\AppData\Local\MetafileODBCRoot


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Juliet
2014-10-20, 15:55
Forgot

Run Rogue Killer again
If these entries are there, click Delete in the right-hand column under Options.

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
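
A post-cleanup verification script, added here as an example; it is not part of this thread and not code from ComboFix or RogueKiller. It assumes the profile path C:\Users\bob seen in the logs, checks the three service keys and the folder named in the CFScript above, and more generally lists any service whose ImagePath points under a user profile's AppData, which is the condition RogueKiller reports as [Suspicious.Path].

```powershell
# Added verification script (not from the thread or the tools it uses).
# Run from an elevated PowerShell after the CFScript / RogueKiller deletions.
# Assumption: the affected profile is C:\Users\bob, as in the logs above.

$profileDir  = 'C:\Users\bob'
$targetDir   = Join-Path $profileDir 'AppData\Local\MetafileODBCRoot'
$serviceName = 'MetafileODBCRoot.exe'

# 1. The three service keys listed in the RogueKiller report.
$controlSets = 'CurrentControlSet', 'ControlSet001', 'ControlSet002'
foreach ($cs in $controlSets) {
    $key = "HKLM:\SYSTEM\$cs\Services\$serviceName"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        Write-Output "STILL PRESENT: $key -> $img"
    } else {
        Write-Output "removed: $key"
    }
}

# 2. The folder named in the CFScript Folder:: section (and the File:: entries inside it).
if (Test-Path $targetDir) {
    Write-Output "STILL PRESENT: $targetDir"
    Get-ChildItem -Path $targetDir -Recurse -File | ForEach-Object { "  " + $_.FullName }
} else {
    Write-Output "removed: $targetDir"
}

# 3. General check: any service whose binary lives under a user profile's AppData.
#    Legitimate Windows services normally run from \Windows or \Program Files;
#    a service image under AppData is the pattern RogueKiller flags as [Suspicious.Path].
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -and ($p.ImagePath -match '(?i)\\Users\\[^\\]+\\AppData\\')) {
        [PSCustomObject]@{ Service = $_.PSChildName; ImagePath = $p.ImagePath }
    }
} | Format-Table -AutoSize
```

Any row printed by step 3 that is not an installed, recognised product deserves the same scrutiny as the MetafileODBCRoot.exe entries above.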

bobbym
2014-10-20, 20:08
hi

second attempt

There were no MetafileODBCRoot.exe entries in the RogueKiller file.


ComboFix 14-10-15.01 - bob 10/20/2014 17:37:13.3.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4086.2748 [GMT 1:00]
Running from: c:\users\bob\Desktop\ComboFix.exe
Command switches used :: c:\users\bob\Desktop\CFScript.txt
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe"
"c:\users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\bob\AppData\Local\MetafileODBCRoot
c:\users\bob\AppData\Local\MetafileODBCRoot\desktop\JAVAKeyboardNative.exe-(PID-2816)-1445156\adwcleaner_4.000.exe-(PID-848).dmp_PROCESS_SUBMITTED
c:\users\bob\AppData\Local\MetafileODBCRoot\desktop\JAVAKeyboardNative.exe-(PID-2816)-1445156\JAVAKeyboardNative.exe-(PID-2816).dmp
c:\users\bob\AppData\Local\MetafileODBCRoot\desktop\JAVAKeyboardNative.exe-(PID-3316)-16994015\FRST64.exe-(PID-3668).dmp_PROCESS_SUBMITTED
c:\users\bob\AppData\Local\MetafileODBCRoot\desktop\JAVAKeyboardNative.exe-(PID-3316)-16994015\JAVAKeyboardNative.exe-(PID-3316).dmp
c:\users\bob\AppData\Local\MetafileODBCRoot\desktop\JAVAKeyboardNative.exe-(PID-3884)-1017218\AdwCleaner.exe-(PID-3376).dmp_PROCESS_SUBMITTED
c:\users\bob\AppData\Local\MetafileODBCRoot\desktop\JAVAKeyboardNative.exe-(PID-3884)-1017218\JAVAKeyboardNative.exe-(PID-3884).dmp
c:\users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
c:\users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
c:\users\bob\AppData\Local\MetafileODBCRoot\msvcp100.dll
c:\users\bob\AppData\Local\MetafileODBCRoot\msvcr100.dll
c:\users\bob\AppData\Local\MetafileODBCRoot\QtCore4.dll
c:\users\bob\AppData\Local\MetafileODBCRoot\QtNetwork4.dll
c:\users\bob\AppData\Local\MetafileODBCRoot\service\MetafileODBCRoot.exe-(PID-1764)-16993734\FRST64.exe-(PID-3668).dmp
c:\users\bob\AppData\Local\MetafileODBCRoot\service\MetafileODBCRoot.exe-(PID-1764)-16993734\MetafileODBCRoot.exe-(PID-1764).dmp
c:\users\bob\AppData\Local\MetafileODBCRoot\SrDt.exe
c:\users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_MetafileODBCRoot.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-09-20 to 2014-10-20 )))))))))))))))))))))))))))))))
.
.
2014-10-20 16:40 . 2014-10-20 16:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-19 19:19 . 2014-10-19 19:19 -------- d-----w- C:\SUPERDelete
2014-10-19 19:11 . 2014-10-19 19:11 -------- d-----w- c:\users\bob\AppData\Roaming\SUPERAntiSpyware.com
2014-10-19 19:11 . 2014-10-19 19:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-10-19 18:19 . 2014-10-19 18:23 -------- d-----w- c:\windows\system32\catroot2
2014-10-19 17:51 . 2014-10-19 18:15 -------- d-----w- c:\windows\SysWow64\wbem\Performance
2014-10-19 13:14 . 2014-10-19 13:14 32512 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-10-19 13:10 . 2014-10-19 13:24 -------- d-----w- c:\programdata\HitmanPro
2014-10-19 09:59 . 2014-10-19 10:14 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-10-18 12:35 . 2014-10-20 16:26 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-18 12:35 . 2014-10-18 12:35 -------- d-----w- c:\programdata\RogueKiller
2014-10-17 13:43 . 2014-10-17 13:43 -------- d-----w- c:\windows\ERUNT
2014-10-17 13:33 . 2014-10-17 13:36 -------- d-----w- C:\AdwCleaner
2014-10-17 13:10 . 2014-10-17 13:10 -------- d-----w- c:\windows\system32\appmgmt
2014-10-16 17:55 . 2014-09-19 01:26 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-10-16 17:54 . 2014-09-13 01:58 77312 ----a-w- c:\windows\system32\packager.dll
2014-10-16 17:54 . 2014-09-13 01:40 67072 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-16 17:36 . 2014-10-19 13:01 -------- d-----w- C:\FRST
2014-10-16 17:27 . 2014-10-16 17:27 -------- d-----w- C:\RegBackup
2014-10-15 09:13 . 2014-10-15 09:13 -------- d-----w- c:\program files\CCleaner
2014-10-14 17:08 . 2014-10-14 17:08 -------- d-----w- c:\users\bob\AppData\Local\CheckCode
2014-10-13 17:09 . 2014-10-13 17:09 -------- d-----w- c:\users\bob\AppData\Local\Deployment
2014-10-13 17:08 . 2014-10-19 19:28 -------- d-----w- c:\windows\SysWow64\Direct3dTextWin32
2014-10-13 09:54 . 2014-10-13 09:54 -------- d-----w- c:\users\bob\AppData\Local\com
2014-10-06 10:50 . 2014-10-06 10:50 -------- d-----w- c:\users\bob\AppData\Local\Apps
2014-10-01 21:04 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-10-01 21:04 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-28 16:30 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-28 16:30 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-19 09:59 . 2014-08-06 21:26 128728 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-19 09:58 . 2014-08-06 21:25 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-16 17:56 . 2014-08-05 20:52 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-10-16 17:14 . 2014-08-12 16:45 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-10-16 17:14 . 2014-08-11 17:13 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-10-16 17:14 . 2014-08-11 17:13 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-09-10 16:51 . 2014-08-06 17:24 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-10 16:51 . 2014-08-06 17:24 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-08-23 02:07 . 2014-08-28 16:00 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 16:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-06 11:53 . 2014-08-06 11:53 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2014-08-06 11:53 . 2014-08-06 11:53 942592 ----a-w- c:\windows\system32\jsIntl.dll
2014-08-06 11:53 . 2014-08-06 11:53 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-08-06 11:53 . 2014-08-06 11:53 81408 ----a-w- c:\windows\system32\icardie.dll
2014-08-06 11:53 . 2014-08-06 11:53 774144 ----a-w- c:\windows\system32\jscript.dll
2014-08-06 11:53 . 2014-08-06 11:53 77312 ----a-w- c:\windows\system32\tdc.ocx
2014-08-06 11:53 . 2014-08-06 11:53 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2014-08-06 11:53 . 2014-08-06 11:53 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2014-08-06 11:53 . 2014-08-06 11:53 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\system32\pngfilt.dll
2014-08-06 11:53 . 2014-08-06 11:53 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2014-08-06 11:53 . 2014-08-06 11:53 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-08-06 11:53 . 2014-08-06 11:53 48128 ----a-w- c:\windows\system32\imgutil.dll
2014-08-06 11:53 . 2014-08-06 11:53 413696 ----a-w- c:\windows\system32\html.iec
2014-08-06 11:53 . 2014-08-06 11:53 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2014-08-06 11:53 . 2014-08-06 11:53 337408 ----a-w- c:\windows\SysWow64\html.iec
2014-08-06 11:53 . 2014-08-06 11:53 30208 ----a-w- c:\windows\system32\licmgr10.dll
2014-08-06 11:53 . 2014-08-06 11:53 247808 ----a-w- c:\windows\system32\msls31.dll
2014-08-06 11:53 . 2014-08-06 11:53 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2014-08-06 11:53 . 2014-08-06 11:53 243200 ----a-w- c:\windows\system32\webcheck.dll
2014-08-06 11:53 . 2014-08-06 11:53 235520 ----a-w- c:\windows\system32\url.dll
2014-08-06 11:53 . 2014-08-06 11:53 235008 ----a-w- c:\windows\system32\elshyph.dll
2014-08-06 11:53 . 2014-08-06 11:53 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2014-08-06 11:53 . 2014-08-06 11:53 167424 ----a-w- c:\windows\system32\iexpress.exe
2014-08-06 11:53 . 2014-08-06 11:53 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2014-08-06 11:53 . 2014-08-06 11:53 147968 ----a-w- c:\windows\system32\occache.dll
2014-08-06 11:53 . 2014-08-06 11:53 143872 ----a-w- c:\windows\system32\wextract.exe
2014-08-06 11:53 . 2014-08-06 11:53 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2014-08-06 11:53 . 2014-08-06 11:53 13824 ----a-w- c:\windows\system32\mshta.exe
2014-08-06 11:53 . 2014-08-06 11:53 135680 ----a-w- c:\windows\system32\iepeers.dll
2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2014-08-06 11:53 . 2014-08-06 11:53 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-08-06 11:53 . 2014-08-06 11:53 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2014-08-06 11:53 . 2014-08-06 11:53 105984 ----a-w- c:\windows\system32\iesysprep.dll
2014-08-06 11:53 . 2014-08-06 11:53 101376 ----a-w- c:\windows\system32\inseng.dll
2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2014-08-06 11:51 . 2014-08-06 11:51 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2014-08-06 11:51 . 2014-08-06 11:51 363008 ----a-w- c:\windows\system32\dxgi.dll
2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 296960 ----a-w- c:\windows\system32\d3d10core.dll
2014-08-06 11:51 . 2014-08-06 11:51 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2014-08-06 11:51 . 2014-08-06 11:51 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-08-06 11:51 . 2014-08-06 11:51 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2014-08-06 11:51 . 2014-08-06 11:51 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2014-08-06 11:51 . 2014-08-06 11:51 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2014-08-06 11:51 . 2014-08-06 11:51 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2014-08-06 11:51 . 2014-08-06 11:51 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2014-08-06 11:51 . 2014-08-06 11:51 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2014-08-06 11:51 . 2014-08-06 11:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2014-08-06 11:51 . 2014-08-06 11:51 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2014-08-06 11:51 . 2014-08-06 11:51 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2014-08-06 11:51 . 2014-08-06 11:51 1238528 ----a-w- c:\windows\system32\d3d10.dll
2014-08-06 11:51 . 2014-08-06 11:51 1175552 ----a-w- c:\windows\system32\FntCache.dll
2014-08-06 11:51 . 2014-08-06 11:51 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2014-08-06 11:51 . 2014-08-06 11:51 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-08-06 10:36 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2014-08-06 10:36 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2014-08-01 11:53 . 2014-09-10 16:33 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-08-01 11:35 . 2014-09-10 16:33 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-07-25 01:35 . 2014-07-25 01:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-24 22:47 . 2014-07-24 22:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-23 12:29 . 2014-08-11 17:13 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2014-07-23 09:52 . 2014-08-05 20:37 270496 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="e:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2014-06-24 4566952]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-09-26 6482200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-10-16 703736]
"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-09-23 165168]
"SDTray"="e:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - e:\office\OSA9.EXE -b -l [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 SASKUTIL;SASKUTIL;h:\superantispyware\SASKUTIL64.SYS;h:\superantispyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;h:\superantispyware\SASCORE64.EXE;h:\superantispyware\SASCORE64.EXE [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-08-06 16:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\
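
The two scanner reports in this post together show the pattern that matters when reading this kind of log: a `[Suspicious.Path]` service whose image path lives under a user profile (`C:\Users\bob\AppData\Local\...`) is persistence worth acting on, while `[PUM.HomePage]` and `[PUM.SearchPage]` hits that point at Internet Explorer's stock Microsoft redirect URL are defaults rather than hijacks. As an added example (not code from RogueKiller, ComboFix, or anyone in this thread), the Python script below parses RogueKiller-style registry finding lines and triages them by that rule. The sample lines are constructed to mirror the findings quoted in this thread, and the set of directories treated as user-writable is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample in RogueKiller "Registry" report format, modelled on the
# findings quoted in this thread (not output from a live scan).
SAMPLE_REPORT = r"""
¤¤¤ Registry : 4 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
"""

# One finding per line. Two shapes occur in the reports above:
#   "key (image path) -> status"      for services / run keys
#   "key | value : data -> status"    for browser settings
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?)"
    r"(?: \((?P<path>[^)]*)\)| \| (?P<value>[^|]+?) : (?P<data>.+?)) -> (?P<status>\w+)$"
)

# Directories a standard user can write to; a service binary living here is a
# classic persistence red flag. Assumed list for this example, extend as needed.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)

# Internet Explorer's stock homepage/search redirector; PUM hits pointing here
# are defaults, not hijacks.
IE_DEFAULT_RE = re.compile(
    r"^https?://www\.microsoft\.com/isapi/redir\.dll\?", re.IGNORECASE
)


def classify(finding: Dict[str, str]) -> str:
    """Return 'high', 'info' or 'review' for one parsed finding."""
    cat = finding["category"]
    if cat == "Suspicious.Path":
        return "high" if USER_WRITABLE_RE.search(finding.get("path", "")) else "review"
    if cat in ("PUM.HomePage", "PUM.SearchPage"):
        # Potentially Unwanted Modification: a changed browser setting. The
        # Microsoft default is noise; any other target is listed for review
        # (here www.google.com, which the user may well have chosen).
        return "info" if IE_DEFAULT_RE.match(finding.get("data", "")) else "review"
    return "review"


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse finding lines; section headers and blank lines are skipped."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        f = {k: v for k, v in m.groupdict().items() if v is not None}
        f["category"] = f.pop("cat")
        f["severity"] = classify(f)
        findings.append(f)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'info': 1, 'review': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for f in parsed:
        target = f.get("path") or f.get("data", "")
        print(f"{f['severity']:6} {f['category']:16} {f['key']}  ->  {target}")
    print(summarize(parsed))
```

Run against the constructed sample, the two service entries come out as `high` (binary under `\Users\bob\AppData\`), the Microsoft redirector as `info`, and the google.com homepage as `review`, which matches how the thread treated them: the service was removed by ComboFix, the browser settings were left alone.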
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2014-10-20 17:44:22 - machine was rebooted
ComboFix-quarantined-files.txt 2014-10-20 16:44
ComboFix2.txt 2014-10-20 12:08
ComboFix3.txt 2014-10-17 22:08
.
Pre-Run: 2,539,266,048 bytes free
Post-Run: 2,304,655,360 bytes free
.
- - End Of File - - C195CD3A8DCD5DA41B54E81144EFAD16
A36C5E4F47E84449FF07ED3517B43A31


RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 17:56:46

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_DEL_10202014_122325.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log
RKreport_SCN_10182014_155304.log - RKreport_SCN_10182014_194825.log - RKreport_SCN_10202014_095634.log - RKreport_SCN_10202014_121900.log
RKreport_SCN_10202014_123611.log

bobbym
2014-10-20, 20:28
Hi

Looking good, I can even see my emails again.

Juliet
2014-10-20, 22:53
Hi

Looking good, I can even see my emails again.

wooohoooo!


There was no \MetafileODBCRoot.exe in the RogueKiller file.
ComboFix took them out.

what a journey!

Think we're ready to remove tools and quarantine folders?

bobbym
2014-10-20, 22:55
ok
How do we do that?

Juliet
2014-10-20, 23:12
Thank you so much for being patient and for your readiness to travel into the registry; sometimes malware is a bugger to resolve.

Don't miss or skip this next step; this will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run > copy and paste the full text path in the run box

ComboFix /Uninstall

Note the space between the x and the /U; it needs to be there.

~~~~~~~~~~~~~~~~~~~~~~~~


Download Delfix from here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Click Run
Purge system restore
http://www.hdrcgb.org.uk/g2g/delfix.jpg


Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.


~~~~~~~~~~~~~~~~~~~~~~~

You're good to go, good job!

Please take the time to read over a few of my preventive tips.

Computer Security
http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know (http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/#)

CryptoLocker Ransomware Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)

To help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 3 (http://www.mozilla.com/en-US/firefox/)
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
*NoScript (http://www.noscript.net) - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

AdblockPlus

AdblockPlus, Surf the web without annoying ads!
Blocks banners, pop-ups and video ads - even on Facebook and YouTube
Protects your online privacy
Two-click installation, it's free!
Click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WOT (http://www.mywot.com/) Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop



~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)
and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755)

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))


Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter (http://www.fbi.gov/cyberinvest/cyberedletter.htm)
USAToday (http://www.usatoday.com/tech/columnist/kimkomando/2006-04-13-file-sharing-woes_x.htm)
infoworld (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

*********************************************
Please read the following safe computing articles..

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)


Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

Keep a backup of your important files (http://www.geekstogo.com/2008/06/19/options-for-home-computer-data-backup-part-1/) - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.



It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
You can check these by visiting Secunia Software Inspector (http://secunia.com/software_inspector), or you can use the following application for this purpose: PatchMyPC (http://www.patchmypc.net/)

bobbym
2014-10-20, 23:30
Hi

Thank you very much for all your help. I hope you have gained something from all this; I have. I am sorry if I mucked up your weekend.

Juliet
2014-10-21, 13:26
Of course I've gained, every infection is a learning experience.

My weekend was good and not mucked, but I feel yours was.

Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Juliet
2014-10-23, 13:43
Since this issue appears resolved ... this Topic is closed.