
Can't remove SShopDorOPP 4.7 extension from Chrome



vorto
2015-01-19, 14:40
Hi,

I am a first time poster here.
My computer has been infected by SShopDorOPP; the extension reappears in Chrome each time after being removed. Internet Explorer apparently has not been infected but is running slowly or freezing.

Before finding your website I had tried to uninstall unknown programs and to use some free malware removal tools.

Before posting, I did a backup of the registry and ran FRST and aswmbr as per your instructions.
FRST freezes after opening, while trying to download updates, so I could not generate a log.
Aswmbr freezes too, unless I do the scan without downloading AVAST data files. The log is the following (you will see that it had been run already).

I thank you very much in advance for your help and am available to follow your instructions.

Juliet
2015-01-19, 19:45
We need to uninstall Google Chrome, then reinstall.

Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Backup Internet Explorer Favourites (http://www.wikihow.com/Back-Up-Favorites-in-Internet-Explorer)
Backup Firefox Bookmarks (https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer)
Backup Chrome Bookmarks (http://www.wikihow.com/Export-Bookmarks-from-Chrome)


Download Google Chrome from here https://www.google.com/chrome/browser/desktop/


Next, please boot into safe mode and try to run FRST again. If it still freezes, please disable your antivirus and try again.

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/
The above tutorial is for Windows 7 and Windows 8.

~~~~~~~~~~

Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
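The following is an added example of how a helper might triage FRST output like the logs requested above; it is my own code, not part of FRST and not something posted in this thread. It applies three rules to each line: FRST's own ATTENTION markers, an Internet Explorer proxy setting that points at 127.0.0.1 (my heuristic: a loopback proxy on a home PC is worth verifying), and a folder directly under C:\ProgramData whose name has the shape of a Chrome extension ID, 32 letters from a to p (also my heuristic, not an FRST rule). The sample lines are constructed, modelled on the kinds of entries that appear in the log posted later in this thread.

```python
"""Triage helper for FRST log lines.

Added example for this thread; not part of FRST or of any post here.
Rules 2 and 3 below are heuristics of my own, not FRST's.
"""
import re
from dataclasses import dataclass

# A Chrome extension ID is 32 characters drawn from the letters a-p.
PROGRAMDATA_EXT_DIR = re.compile(r"C:\\ProgramData\\([a-p]{32})\b")
# FRST prints the IE proxy as 'ProxyServer: [...] => http=host:port;...'
LOOPBACK_PROXY = re.compile(r"^ProxyServer:.*\b127\.0\.0\.1:(\d+)")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the log
    reason: str    # why the line was flagged
    text: str      # the line itself, stripped


def triage_frst(lines):
    """Return a Finding for every line worth a second look.

    1. Lines FRST itself marks with ATTENTION (the tool's own judgement).
    2. An Internet Explorer proxy pointing at 127.0.0.1 (heuristic).
    3. A folder directly under C:\\ProgramData named like an extension ID
       (heuristic: legitimate products use readable names there).
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        text = line.strip()
        if "ATTENTION" in text:
            findings.append(Finding(n, "flagged by FRST", text))
            continue
        m = LOOPBACK_PROXY.search(text)
        if m:
            findings.append(Finding(n, f"loopback proxy on port {m.group(1)}", text))
            continue
        m = PROGRAMDATA_EXT_DIR.search(text)
        if m:
            findings.append(
                Finding(n, f"ProgramData folder named like extension ID {m.group(1)}", text))
    return findings


def report(findings):
    """Format findings as one entry each, ready to paste into a reply."""
    return "\n".join(f"line {f.line_no}: {f.reason}\n    {f.text}" for f in findings)


# Constructed sample, modelled on the kinds of entries in the posted log.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:51579;https=127.0.0.1:51579
2015-01-15 18:58 - 2015-01-15 18:58 - 00000000 ____D () C:\ProgramData\agecpmgmbomjncbgmfbecfbpnpdbbnlc
2015-01-15 23:12 - 2015-01-15 23:12 - 00000000 ____D () C:\ProgramData\Malwarebytes
YouTube Downloader Toolbar v4.6 (HKLM\...\{72A7495B-18CD-4751-AC38-5DBED9C6B1E7}) (Version: 4.6 - Spigot, Inc.) <==== ATTENTION
""".strip("\n").splitlines()

if __name__ == "__main__":
    print(report(triage_frst(SAMPLE_LOG)))
```

Run against the constructed sample, the script flags four lines: the two FRST ATTENTION markers, the loopback proxy on port 51579, and the ProgramData folder with the extension-ID-shaped name; the Malwarebytes folder and the Microsoft Security Client entry pass untouched. Anything it flags still needs a human to decide what it is; the rules only narrow down where to look.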

vorto
2015-01-20, 23:11
Thank you very much for your reply.

I followed your instructions. After reinstalling Chrome the Shopdrop extension is not shown any more.

Here are the contents of the two log files:
-------------------------------------------------------------------------------------------------------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-01-2015
Ran by User (administrator) on USER-PC on 20-01-2015 21:59:35
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available profiles: User)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: Italiano (Italia)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [570664 2008-07-14] (Nero AG)
HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [1486848 2009-08-28] (VIA)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-11-04] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [ATICustomerCare] => C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [307200 2009-06-14] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [1848648 2008-03-17] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [722256 2008-12-11] (CANON INC.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [LifeCam] => C:\Program Files\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\...\Run: [SmartVoip] => C:\Program Files\SmartVoip.com\SmartVoip\smartvoip.exe [19715904 2014-05-08] (SmartVoip)
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [30877280 2014-12-11] (Skype Technologies S.A.)
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-04-14] (Google Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PHOTOfunSTUDIO HD Edition.lnk
ShortcutTarget: PHOTOfunSTUDIO HD Edition.lnk -> C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe (Panasonic Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:51579;https=127.0.0.1:51579
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?tab%3Dwm&scc=1&ltmpl=default&ltmplcache=2&emr=1#inbox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.digitalpix.com/Controls/ImageUploader/ImageUploader5.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
ATTENTION: There are more than 99 Catalog9 entries. Turn off the whitelisting to see all the entries. You may check Device Manager for presence of unusual amount of "Microsoft 6to4 Adapter" devices.
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.gmail.com/"
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-20]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-20]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-20]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-20]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-20]
CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-20]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-20]
CHR Extension: (Skype Click to Call) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-01-20]
CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-20]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-20]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 bgsvcgen; C:\Windows\System32\bgsvcgen.exe [145504 2007-06-15] (B.H.A Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.) [File not signed]
S1 AsIO; C:\Windows\System32\drivers\AsIO.sys [12400 2007-12-17] ()
S1 AsUpIO; C:\Windows\System32\drivers\AsUpIO.sys [11448 2009-07-06] ()
R1 cdrbsdrv; C:\Windows\system32\Drivers\cdrbsdrv.sys [33408 2006-02-20] (B.H.A Corporation) [File not signed]
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-20] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [13216 2009-07-16] ()
S3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1077760 2009-08-17] (VIA Technologies, Inc.)
S3 catchme; \??\C:\Users\User\AppData\Local\Temp\catchme.sys [X]
S1 MpKsl6602fe74; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9525F0FF-0E27-4E6C-AB8A-B95C1D224DAD}\MpKsl6602fe74.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 21:59 - 2015-01-20 22:00 - 00012265 _____ () C:\Users\User\Desktop\FRST.txt
2015-01-20 21:59 - 2015-01-20 21:59 - 00000000 ____D () C:\FRST
2015-01-20 21:56 - 2015-01-20 21:56 - 00000000 ____D () C:\Windows\pss
2015-01-20 21:52 - 2015-01-20 21:52 - 00002165 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-20 21:52 - 2015-01-20 21:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-01-19 13:07 - 2015-01-19 13:07 - 01118208 _____ (Farbar) C:\Users\User\Desktop\FRST.exe
2015-01-19 13:07 - 2015-01-19 13:07 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-USER-PC-Microsoft-Windows-7-Professional-(32-bit).dat
2015-01-19 13:06 - 2015-01-19 13:06 - 00000000 ____D () C:\RegBackup
2015-01-19 13:02 - 2015-01-19 13:02 - 00002145 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-01-19 13:02 - 2015-01-19 13:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-01-19 13:02 - 2015-01-19 13:02 - 00000000 ____D () C:\Program Files\Tweaking.com
2015-01-19 13:01 - 2015-01-19 13:01 - 04215584 _____ () C:\Users\User\Desktop\tweaking.com_registry_backup_setup.exe
2015-01-17 22:31 - 2015-01-17 22:31 - 00000000 ____D () C:\_OTL
2015-01-17 21:49 - 2015-01-17 21:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2015-01-17 21:49 - 2015-01-17 21:49 - 00000000 ____D () C:\Program Files\ERUNT
2015-01-17 21:48 - 2015-01-17 21:48 - 00791393 _____ (Lars Hederer ) C:\Users\User\Desktop\erunt-setup.exe
2015-01-17 21:42 - 2015-01-17 21:42 - 00142880 _____ () C:\Users\User\Desktop\OTL.Txt
2015-01-17 21:42 - 2015-01-17 21:42 - 00041466 _____ () C:\Users\User\Desktop\Extras.Txt
2015-01-17 21:33 - 2015-01-17 21:33 - 00602112 _____ (OldTimer Tools) C:\Users\User\Desktop\OTL.exe
2015-01-17 21:31 - 2015-01-19 13:36 - 00006408 _____ () C:\Users\User\Desktop\aswMBR.txt
2015-01-17 21:31 - 2015-01-19 13:36 - 00000512 _____ () C:\Users\User\Desktop\MBR.dat
2015-01-17 18:01 - 2015-01-17 18:01 - 05200384 _____ (AVAST Software) C:\Users\User\Desktop\aswmbr.exe
2015-01-17 17:59 - 2015-01-17 17:59 - 00439808 ____H () C:\Users\User\Desktop\~WRL3056.tmp
2015-01-17 17:34 - 2015-01-17 17:34 - 00000755 _____ () C:\DelFix.txt
2015-01-17 17:33 - 2015-01-17 17:33 - 00000000 ___SD () C:\uninstall
2015-01-16 21:18 - 2015-01-16 21:18 - 04483800 ____R () C:\Users\User\Documents\My Money Backup_2015-01-16_211825.mbf
2015-01-16 21:04 - 2015-01-17 21:50 - 00000000 ____D () C:\Windows\erdnt
2015-01-16 00:20 - 2015-01-16 00:20 - 00000000 ____D () C:\Program Files\ESET
2015-01-16 00:17 - 2015-01-16 00:17 - 00000000 ____D () C:\Windows\ERUNT
2015-01-16 00:00 - 2015-01-16 00:00 - 02953520 _____ (AVAST Software) C:\Users\User\Downloads\avast-browser-cleanup.exe
2015-01-15 23:52 - 2015-01-15 23:52 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-01-15 23:42 - 2015-01-15 23:42 - 00002214 _____ () C:\Windows\system32\.crusader
2015-01-15 23:33 - 2015-01-15 23:42 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-01-15 23:33 - 2015-01-15 23:33 - 10285456 _____ (SurfRight B.V.) C:\Users\User\Desktop\HitmanPro.exe
2015-01-15 23:14 - 2015-01-20 21:55 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 23:13 - 2015-01-15 23:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-15 23:12 - 2015-01-15 23:13 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-15 23:12 - 2015-01-15 23:12 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-15 23:12 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-15 23:12 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-15 23:12 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-15 23:01 - 2015-01-19 13:40 - 00001050 _____ () C:\Users\User\Desktop\Nuovo documento di testo.txt
2015-01-15 22:17 - 2015-01-15 22:17 - 03044736 _____ (Enigma Software Group USA, LLC.) C:\Users\User\Downloads\SpyHunter-Installer.exe
2015-01-15 18:58 - 2015-01-15 18:58 - 00000000 ____D () C:\ProgramData\agecpmgmbomjncbgmfbecfbpnpdbbnlc
2015-01-10 18:04 - 2015-01-10 18:04 - 04470954 ____R () C:\Users\User\Documents\My Money Backup_2015-01-10_180355.mbf
2015-01-08 22:34 - 2015-01-08 22:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D
2015-01-08 22:34 - 2015-01-08 22:34 - 00000000 ____D () C:\Program Files\Sweet Home 3D
2015-01-08 22:27 - 2015-01-08 22:32 - 00009447 _____ () C:\Windows\patsearch.bin
2015-01-08 22:27 - 2015-01-08 22:27 - 00000000 ____D () C:\ProgramData\dcnflpjbboepmkglakhihofmlojkfpcn
2015-01-07 23:00 - 2015-01-07 23:00 - 04602430 ____R () C:\Users\User\Documents\My Money Backup_2015-01-07_230032.mbf
2015-01-03 22:59 - 2015-01-04 00:25 - 00000000 ____D () C:\Users\User\Desktop\camerette
2014-12-21 23:01 - 2014-12-21 23:01 - 00000190 _____ () C:\Users\User\Desktop\Magnifique gros lot 98-104 !!! à Vuisternens-en-Ogoz acheter sur ricardo.ch.url

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 21:58 - 2014-06-30 17:07 - 00366592 ___SH () C:\Users\User\Desktop\Thumbs.db
2015-01-20 21:56 - 2012-02-14 14:31 - 00000000 ____D () C:\Users\User\AppData\Roaming\Skype
2015-01-20 21:55 - 2013-04-14 07:49 - 00001134 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-20 21:55 - 2009-07-14 05:39 - 03943413 _____ () C:\Windows\setupact.log
2015-01-20 21:54 - 2009-11-29 10:14 - 00103884 _____ () C:\Windows\PFRO.log
2015-01-20 21:54 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 21:53 - 2009-11-24 17:21 - 01327025 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 21:53 - 2009-07-14 05:34 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-20 21:53 - 2009-07-14 05:34 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-20 21:52 - 2009-11-29 14:41 - 00000000 ____D () C:\Users\User\AppData\Local\Google
2015-01-20 21:52 - 2009-11-29 14:41 - 00000000 ____D () C:\Program Files\Google
2015-01-20 21:30 - 2012-04-02 13:49 - 00000978 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-20 21:25 - 2013-04-14 07:49 - 00001138 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-20 14:08 - 2009-11-24 17:22 - 01658888 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-20 14:08 - 2009-07-14 09:21 - 00740658 _____ () C:\Windows\system32\perfh010.dat
2015-01-20 14:08 - 2009-07-14 09:21 - 00146712 _____ () C:\Windows\system32\perfc010.dat
2015-01-18 21:57 - 2009-11-26 12:47 - 19042304 _____ () C:\Users\User\Documents\My Money.mny
2015-01-16 21:18 - 2009-11-26 10:58 - 00000000 ____D () C:\Program Files\Microsoft Money 2006
2015-01-16 21:14 - 2009-07-14 03:37 - 00000000 __RHD () C:\Users\Default
2015-01-16 21:14 - 2009-07-14 03:37 - 00000000 ___RD () C:\Users\Public
2015-01-16 21:12 - 2009-07-14 03:04 - 00000215 _____ () C:\Windows\system.ini
2015-01-16 00:12 - 2009-07-14 05:53 - 00032556 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-14 16:30 - 2012-04-02 13:49 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-14 16:30 - 2011-06-03 13:14 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-09 10:08 - 2009-11-28 14:50 - 00000000 ____D () C:\Users\User\AppData\Local\Adobe
2015-01-08 22:53 - 2009-11-24 17:25 - 00001357 _____ () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-12-31 12:13 - 2009-11-24 17:43 - 00249488 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======
2012-02-24 10:06 - 2012-02-24 10:06 - 0012765 _____ () C:\Users\User\AppData\Roaming\Microsoft Excel.CAL
2010-06-26 09:37 - 2010-06-26 09:38 - 0008704 _____ () C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-02-13 23:16 - 2014-05-23 13:23 - 0004096 ____H () C:\Users\User\AppData\Local\keyfile3.drm

Some content of TEMP:
====================
C:\Users\User\AppData\Local\Temp\Quarantine.exe
C:\Users\User\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 13:16

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 19-01-2015
Ran by User at 2015-01-20 22:00:21
Running from C:\Users\User\Desktop
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AceMoney (HKLM\...\AceMoney_is1) (Version: - MechCAD Software)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft Software Suite (HKLM\...\{497A1721-088F-41EF-8876-B43C9DA5528B}) (Version: 1.0 - ArcSoft)
ASUSUpdate (HKLM\...\{587178E7-B1DF-494E-9838-FA4DD36E873C}) (Version: - )
ATI AVIVO Codecs (Version: 10.11.0.41104 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{D80F2034-D389-736D-761C-68E114450D10}) (Version: 3.0.750.0 - ATI Technologies, Inc.)
ATI Catalyst Registration (Version: 2.01.0000 - ATI Technologies Inc.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Bridge Base Online (HKLM\...\Bridge Base OnlineVersion 5.2.21) (Version: Version 5.2.21 - Bridge Base Online, Ltd.)
Bridge Base Online (HKLM\...\Bridge_Base_Online) (Version: - )
Burraconline 4.53 (HKLM\...\Burraconline) (Version: 4.53 - Drag & Air S.n.c.)
Canon IJ Network Scan Utility (HKLM\...\Canon_IJ_Network_Scan_UTILITY) (Version: - )
Canon IJ Network Tool (HKLM\...\Canon_IJ_Network_UTILITY) (Version: - )
Canon MP Navigator EX 2.1 (HKLM\...\MP Navigator EX 2.1) (Version: - )
Canon MX860 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX860_series) (Version: - )
Canon Utilities Easy-PhotoPrint EX (HKLM\...\Easy-PhotoPrint EX) (Version: - )
Canon Utilities My Printer (HKLM\...\CanonMyPrinter) (Version: - )
Canon Utilities Solution Menu (HKLM\...\CanonSolutionMenu) (Version: - )
ccc-core-static (Version: 2009.1104.959.17837 - ATI) Hidden
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink DVD Suite (HKLM\...\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 5.0.3019 - CyberLink Corp.)
eLohnausweis SSK Uninstaller (HKLM\...\{34F301D7-88EA-4DE2-846B-E9F9F188107C}_is1) (Version: - DV Bern AG)
eMule (HKLM\...\eMule) (Version: - )
ERUNT 1.1j (HKLM\...\ERUNT_is1) (Version: - Lars Hederer)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version: - )
EVU Advanced (HKLM\...\{845EB731-671B-4A74-97C0-8CB98CA14B2D}) (Version: 1.00.0000 - Cambridge University Press)
Google Chrome (HKLM\...\Google Chrome) (Version: 39.0.2171.99 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google+ Auto Backup (HKLM\...\{A50DE037-B5C0-4C8A-8049-B0C576B313D1}) (Version: 1.0.21.81 - Google)
Image Resizer Powertoy Clone for Windows (HKLM\...\{FF3FA9BC-3F96-44F1-9E8F-0544A2226432}) (Version: 2.0.0.0 - Brice Lambson)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Malwarebytes Anti-Malware versione 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft LifeCam (HKLM\...\{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}) (Version: 3.22.270.0 - Microsoft Corporation)
Microsoft Money 2006 (HKLM\...\Money2006b) (Version: 15 - Microsoft)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nero 7 Essentials (HKLM\...\{66B6D13A-9CC1-417D-B6F2-58AA539D1040}) (Version: 7.03.1303 - Nero AG)
Pattern Maker Viewer - v4 (HKLM\...\{DE5D78ED-145E-4FA3-9D75-C92A09E1FEB1}) (Version: 4.04.0001 - HobbyWare, Inc.)
Pavtube Video Converter version 3.3.1.759 (HKLM\...\{B4EE51E6-2C80-4B04-BDE0-ED4E87BEFECD}_is1) (Version: - )
PCStitch Pattern Viewer (HKLM\...\{7BB3D57E-6FA1-47A1-8068-A405F81CE4E4}) (Version: 7.2.9 - M&R Technologies, Inc.)
PHOTOfunSTUDIO HD Edition (HKLM\...\{9A9DBEBC-C800-4776-A970-D76D6AA405B1}) (Version: 3.00.126 - Panasonic)
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Platform (Version: 1.34 - VIA Technologies, Inc.) Hidden
QuickTime (HKLM\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Registrazione utente Canon MX860 series (HKLM\...\Registrazione utente Canon MX860 series) (Version: - )
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.9.12585 - Skype Technologies S.A.)
Skype™ 7.0 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SmartVoip (HKLM\...\SmartVoip_is1) (Version: 4.09 build 660 - Finarea S.A. Switzerland)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Supporto applicazioni Apple (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Sweet Home 3D version 3.6 (HKLM\...\Sweet Home 3D_is1) (Version: - eTeks)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
Vegas Movie Studio Platinum 9.0 (HKLM\...\{97E038E1-41AD-4C93-BCDC-6A2394AEE352}) (Version: 9.0.92 - Sony)
VIA Manager Piattaforma (HKLM\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.34 - VIA Technologies, Inc.)
WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240C1}) (Version: 15.0.9411 - WinZip Computing, S.L. )
YouTube Downloader Toolbar v4.6 (HKLM\...\{72A7495B-18CD-4751-AC38-5DBED9C6B1E7}) (Version: 4.6 - Spigot, Inc.) <==== ATTENTION

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1430131261-1029319254-1685335828-1000_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

==================== Restore Points =========================

17-01-2015 17:34:35 ComboFix created restore point
17-01-2015 21:36:46 OTL Restore Point - 17/01/2015 21:36:46
17-01-2015 22:31:19 OTL Restore Point - 17/01/2015 22:31:18
18-01-2015 10:09:15 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:04 - 2015-01-16 21:12 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {02E1646E-4B6C-45F2-A03D-5E4C827EBAF5} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-14] (Adobe Systems Incorporated)
Task: {48135DE3-2401-4B41-A4E9-7AD9404EAF40} - System32\Tasks\ASUS\ASUS Update Checker => C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe [2008-12-11] ()
Task: {6A4E397E-3C01-425D-B32A-3E1F0886F024} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-28] (Google Inc.)
Task: {71752AD4-ABAE-403E-A58B-2D361405CAC4} - System32\Tasks\{71E78CCC-9765-44D8-8224-EBCA7776A9D4} => pcalua.exe -a "C:\Users\User\Documents\programmi installati\20091128 avivo video converter 9-11_vista_win7_32-64_xcode.exe" -d C:\Users\User\Desktop
Task: {80444AF0-D8A3-40B8-85FB-5EFEC4FB44F4} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {A0B10B28-769B-4E89-8597-86FF97C2AE50} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-28] (Google Inc.)
Task: {CA93B138-516F-41BB-AE0C-9889DD52308C} - System32\Tasks\{C6BEB9E2-586A-4B08-B102-BCFDB393E851} => pcalua.exe -a "C:\Users\User\Documents\programmi installati\20091128 SUPER video converter setup.exe" -d C:\Users\User\Desktop

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============


==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1430131261-1029319254-1685335828-500 - Administrator - Disabled)
Guest (S-1-5-21-1430131261-1029319254-1685335828-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1430131261-1029319254-1685335828-1004 - Limited - Enabled)
User (S-1-5-21-1430131261-1029319254-1685335828-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Canon MX860 ser Network
Description: Canon MX860 ser Network
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Canon
Service: StillCam
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/19/2015 10:57:37 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Il programma Skype.exe versione 7.0.0.102 non interagisce più con Windows ed è stato chiuso. Per vedere se sono disponibili ulteriori informazioni sul problema, verificare la cronologia del problema in Centro operativo nel Pannello di controllo.

ID processo: ae4

Ora di avvio: 01d033d3f09b4e4a

Ora di chiusura: 135

Percorso applicazione: C:\Program Files\Skype\Phone\Skype.exe

ID segnalazione: 28958783-a026-11e4-966b-c6922bc35c6f

Error: (01/19/2015 08:25:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 719788

Error: (01/19/2015 08:25:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 719788

Error: (01/19/2015 08:25:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/19/2015 08:25:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 718041

Error: (01/19/2015 08:25:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 718041

Error: (01/19/2015 08:25:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/19/2015 08:25:04 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 716497

Error: (01/19/2015 08:25:04 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 716497

Error: (01/19/2015 08:25:04 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


System errors:
=============
Error: (01/20/2015 09:58:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:55 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (01/20/2015 09:58:55 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (01/20/2015 09:58:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:41 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068

Error: (01/20/2015 09:58:40 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Il servizio Servizio Elenco reti dipende dal servizio Riconoscimento presenza in rete che non è stato avviato per il seguente errore:
%%1068


Microsoft Office Sessions:
=========================
Error: (01/19/2015 10:57:37 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Skype.exe7.0.0.102ae401d033d3f09b4e4a135C:\Program Files\Skype\Phone\Skype.exe28958783-a026-11e4-966b-c6922bc35c6f

Error: (01/19/2015 08:25:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 719788

Error: (01/19/2015 08:25:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 719788

Error: (01/19/2015 08:25:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/19/2015 08:25:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 718041

Error: (01/19/2015 08:25:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 718041

Error: (01/19/2015 08:25:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/19/2015 08:25:04 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 716497

Error: (01/19/2015 08:25:04 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 716497

Error: (01/19/2015 08:25:04 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz
Percentage of memory in use: 28%
Total physical RAM: 3063.05 MB
Available physical RAM: 2182.71 MB
Total Pagefile: 6124.4 MB
Available Pagefile: 5281.58 MB
Total Virtual: 2047.88 MB
Available Virtual: 1907.4 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:231.3 GB) (Free:130.25 GB) NTFS
Drive d: (Advanced) (CDROM) (Total:0.59 GB) (Free:0 GB) CDFS
Drive e: (Gan Chlomo Janvier 2014) (CDROM) (Total:3.9 GB) (Free:0 GB) UDF
Drive f: () (Fixed) (Total:700.11 GB) (Free:476.44 GB) NTFS
Drive l: (STORE N GO) (Removable) (Total:3.75 GB) (Free:3.72 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 10E75F7F)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=231.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=700.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 3.8 GB) (Disk ID: 1644C3D7)
Partition 1: (Not Active) - (Size=3.8 GB) - (Type=0C)

==================== End Of Log ============================

Juliet
2015-01-20, 23:58
Please go to add/remove programs list and remove
YouTube Downloader Toolbar v4.6 <-- this application is malware/spyware loaded.

Next
Go to the Add/Remove Programs list, look for your Java icon, right-click and open (you may have to give permission first).
Look at the top tabs and click on Update. At the bottom click on Update Now. It may ask you to run an installer.

Let it update to the latest version.

~~~~~~~~~~~~~~~~~~~~~~~
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
EmptyTemp:
End


Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~~~~~~~~~

http://i.imgur.com/BY4dvz9.png AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-Click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


please post
Fixlog.txt
C:\AdwCleaner.txt
JRT.txt

vorto
2015-01-21, 00:12
YouTube Downloader Toolbar v4.6 can't be uninstalled even if it shows up in the add and remove programs list, it says it does not find "youtubedownloaderToolbar.msi" at the right location (C:Users/User/AppData/Local/Temp/xxxx where xxx is a string of letters and numbers, but the directory is not there).
I searched C: and could not find a file named so anywhere.

In the list of programs there is "Java 7 Update 71" If I click on it, the only option is to uninstall it, not to open it or to update it.

Should I go on with the following instructions?

Juliet
2015-01-21, 00:29
Yes, just continue the other items we can repair later.

vorto
2015-01-21, 14:31
I followed the instructions, even though - unfortunately - I am afraid I had already run two tools in the past days, so the logs do not contain information...

---------------------------------------------------
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-01-2015
Ran by User at 2015-01-21 12:16:00 Run:1
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available profiles: User)
Boot Mode: Normal


==============================================


Content of fixlist:
*****************
start
CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
EmptyTemp:
End
*****************


Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-1430131261-1029319254-1685335828-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
EmptyTemp: => Removed 699.2 MB temporary data.




The system needed a reboot.


==== End of Fixlog 12:18:10 ====
---------------------------------------------------------------
# AdwCleaner v4.108 - Rapporto creato 21/01/2015 in 12:27:48
# Aggiornato 17/01/2015 di Xplode
# Database : 2015-01-18.1 [Live]
# Sistema operativo : Windows 7 Professional Service Pack 1 (32 bits)
# Nome utente : User - USER-PC
# In esecuzione da : C:\Users\User\Desktop\AdwCleaner.exe
# Opzione : Pulisci


***** [ Servizi ] *****




***** [ File / Cartelle ] *****




***** [ Compiti ] *****




***** [ Collegamenti ] *****




***** [ Registro ] *****




***** [ Browser ] *****


-\\ Internet Explorer v11.0.9600.17280




-\\ Google Chrome v39.0.2171.99




*************************


AdwCleaner[R0].txt - [752 octets] - [21/01/2015 12:25:37]
AdwCleaner[S0].txt - [671 octets] - [21/01/2015 12:27:48]


########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [730 octets] ##########
---------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x86
Ran by User on 21/01/2015 at 13:27:33,63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~








~~~ Services






~~~ Registry Values






~~~ Registry Keys






~~~ Files






~~~ Folders






~~~ Event Viewer Logs were cleared










~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21/01/2015 at 13:29:08,83
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Juliet
2015-01-21, 16:06
You're doing fine.

Tell me what your computer is doing now.

Juliet
2015-01-21, 16:09
I meant to add this and forgot, :)

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


~~~~~~~~~~~~

Please download RogueKiller and save it to your desktop.

You can check here (http://support.microsoft.com/kb/827218) if you're not sure if your computer is 32-bit or 64-bit

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) to your desktop.


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.


~~~
Please post these 2 logs when finished.

vorto
2015-01-22, 15:12
Hi, Chrome seems to work normally after reinstalling.

I have run rkill.exe and Roguekiller, here are their logs:

----------------------------------------------------------------------------------
Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/22/2015 01:39:28 PM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 01/22/2015 01:40:58 PM
Execution time: 0 hours(s), 1 minute(s), and 30 seconds(s)

------------------------------------------------------------
RogueKiller V10.2.0.0 [Jan 19 2015] di Adlice Software
posta : http://www.adlice.com/contact/
Commenti : http://forum.adlice.com
Sito Web : http://www.adlice.com/softwares/roguekiller/
Discussione : http://www.adlice.com

Sistema Operativo : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Iniziato in : Modalità Normale
Utente : User [Amministratore]
Modalità : Scansione -- Data : 01/22/2015 13:47:24

¤¤¤ Processi : 1 ¤¤¤
[Proc.Svchost] svchost.exe(6968) -- [x] -> Eliminato [TermThr]

¤¤¤ Registro : 15 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Trovato
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Trovato
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Trovato
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51579;https=127.0.0.1:51579 -> Trovato
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51579;https=127.0.0.1:51579 -> Trovato
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : -> Trovato
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Trovato
[PUM.HomePage] HKEY_USERS\S-1-5-21-1430131261-1029319254-1685335828-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?tab%3Dwm&scc=1&ltmpl=default&ltmplcache=2&emr=1#inbox -> Trovato
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Trovato
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Trovato
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1430131261-1029319254-1685335828-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Trovato
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Trovato
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1430131261-1029319254-1685335828-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Trovato

¤¤¤ Attività : 0 ¤¤¤

¤¤¤ Archivi : 0 ¤¤¤

¤¤¤ Archivio Hosts : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: Caricato) ¤¤¤

¤¤¤ Web Browser : 0 ¤¤¤

¤¤¤ Controllo MBR : ¤¤¤
+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 2f2fe050d6fe7256558dd4f0fc36f3c5
[BSP] 10702be15b3c79edaafdb2f01b192c92 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206896 | Size: 236849 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 485275455 | Size: 716916 MB [Windows XP Bootstrap | Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Verbatim STORE N GO USB Device +++++
--- User ---
[MBR] ab785f90b7edfa4adef1ffcbc87d9a4f
[BSP] 70b7b59bf101cbdbb77c0ab521835606 : Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 3848 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Richiesta non supportata. )

--------------------------------------------------------------------------------

Juliet
2015-01-22, 16:24
This is what concerns me
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51579;https=127.0.0.1:51579 -> Trovato -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:51579;https=127.0.0.1:51579 -> Trovato -> Found

Do you connect through a Proxy?

Tell me how your computer is acting now.
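
The checks behind this concern, and behind the fixlist earlier in the thread, written out as an added PowerShell audit: it is not part of the original thread and not code from FRST, RogueKiller or AdwCleaner, the function names are my own, and it assumes an elevated PowerShell on the affected Windows 7 machine so that every loaded hive under HKEY_USERS is readable.

```powershell
# Added audit script (not from the thread, FRST, RogueKiller or AdwCleaner).
# It checks two things the tools flagged on this machine:
#   1. a WinINet ProxyServer value routing IE traffic to 127.0.0.1:<port>,
#      reported by RogueKiller as [PUM.Proxy] in the .DEFAULT and S-1-5-18 hives;
#   2. the HKLM\SOFTWARE\Policies\Google and per-user
#      Policies\Microsoft\Internet Explorer keys that the FRST fixlist deleted.
# Assumes an elevated PowerShell so every loaded hive under HKEY_USERS is readable.
# Function names are my own.

function Get-LoopbackProxyEntries {
    # Parse a WinINet ProxyServer string, either a single "host:port" or the
    # per-scheme form "http=host:port;https=host:port", and return the entries
    # whose host is the local machine. Returns an empty array when none match.
    param([string]$ProxyServer)
    $hits = @()
    if ([string]::IsNullOrWhiteSpace($ProxyServer)) { return ,$hits }
    foreach ($entry in ($ProxyServer -split ';')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        # drop an optional "http=" / "https=" / "ftp=" / "socks=" prefix
        $hostPort = $entry -replace '^[A-Za-z]+=', ''
        if ($hostPort -match '^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[::1\])(:\d+)?$') {
            $hits += $hostPort
        }
    }
    return ,$hits
}

function Get-WinInetProxyFindings {
    # One record per user hive whose Internet Settings point at a loopback proxy.
    # A loopback proxy is not proof of malware (some security suites filter web
    # traffic this way), so each finding names the hive and whether it is enabled.
    $findings = @()
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $loopback = @(Get-LoopbackProxyEntries -ProxyServer ([string]$props.ProxyServer))
        if ($loopback.Count -gt 0) {
            $findings += [pscustomobject]@{
                Hive        = $hive.PSChildName
                ProxyEnable = $props.ProxyEnable
                ProxyServer = ($loopback -join ';')
            }
        }
    }
    return ,$findings
}

function Get-BrowserPolicyFindings {
    # List every value under the browser policy keys. On a stand-alone home PC
    # (not domain-joined) these keys are normally absent, so any value present
    # explains why a browser setting "comes back" after the user changes it.
    $keys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google')
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $keys += "Registry::HKEY_USERS\$($hive.PSChildName)\SOFTWARE\Policies\Microsoft\Internet Explorer"
    }
    $findings = @()
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        # the key itself plus every subkey (for Chrome, e.g. Policies\Google\Chrome\...)
        $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $findings += [pscustomobject]@{
                    Key   = $item.Name
                    Value = $name
                    Data  = $item.GetValue($name)
                }
            }
        }
    }
    return ,$findings
}

# Constructed input copied from the RogueKiller line above; needs no registry access.
Get-LoopbackProxyEntries -ProxyServer 'http=127.0.0.1:51579;https=127.0.0.1:51579'
# Live audit of this machine.
Get-WinInetProxyFindings  | Format-Table -AutoSize
Get-BrowserPolicyFindings | Format-Table -AutoSize
```

The proxy finding on its own is a lead, not a verdict: compare the port against whatever security software is installed before treating it as hostile, and note that with ProxyEnable cleared (as the fixlist did) the ProxyServer value is dormant but still worth removing.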

vorto
2015-01-22, 20:32
I don't really know if I am connecting through a proxy...
At home I am using a pc, and a wifi router provided by the internet operator (the main telephone company in my country)

I don't notice anything strange in the computer, but I don't use it extensively, only some surfing

Juliet
2015-01-22, 23:00
Well, so far that's good news.

Let's try a different anti-malware scanner.

Emsisoft Anti-Malware

Download and save the Emsisoft Anti-Malware (http://www.emsisoft.com/en/software/antimalware/download/) setup program to your desktop. The download is fairly large, so please be patient while it downloads.
Once the file has been downloaded, close all open programs.
Double-click on the EmsisoftAntiMalwareSetup.exe icon to start the program. If Windows Smart Screen issues an alert, please allow it to run anyway.
If the setup program displays an alert about safe mode, please click on the Yes button to continue. You should now see a dialog asking what language you would like to use. Please select the language you wish to use and press the OK button.
You will eventually get to a screen asking the mode that you wish to use Emsisoft Anti-Malware.
Click on the Freeware mode link:
http://www.bleepstatic.com/swr-guides/tools/emsisoft-anti-malware/install-license-type.jpg
You will now be at a screen asking if you wish to join Emsisoft's Anti-Malware network. Read the descriptions and uncheck the options that you wish to use. When you are ready click on the Next button.
Allow it to update the definitions. Please be patient as it may take a few minutes for the updates to finish downloading.
When the updates are completed, click on the Clean computer now button. Emsisoft Anti-Malware will start to load its scanning engine and then display a screen asking what type of scan you would like to perform.
Please select the Deep Scan option and then click on the Scan button. The Deep Scan option will take the longest time to scan your computer, but will also be the most thorough. As you are here to clean infections, it is worth the wait to make sure your computer is properly scanned. Please don't run any other program while it is scanning.
When the scan has finished, the program will display the scan results that show what infections were found.
Click on the View Report link, and double click the text file to open it. Please copy and paste the contents of this text file into your next reply (this file can be found at C:\Users\Tim\Documents\Anti-Malware\Reports)
Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You will now be at the last screen of the Emsisoft Anti-Malware setup program, which you can close. If Emsisoft prompts you to reboot your computer to finish the clean up process, please allow it to do so.


In your next reply, please include:

Emsisoft Anti-Malware log (located at C:\Users\Tim\Documents\Anti-Malware\Reports)

vorto
2015-01-24, 00:59
I did as you suggested and here is the log. (thank you for your support by the way)

----------------------------------------------------------------------------------
Emsisoft Anti-Malware - Versione 9.0
Ultimo aggiornamento: 23/01/2015 22:03:38
Account utente: User-PC\User

Impostazioni scansione:

Tipo scansione: Completa
Oggetti: Rootkits, Memoria, Tracce, C:\, F:\

Rileva PUPs: On
Archivio scansioni: On
Scansione ADS: On
Filtro estensione dei file: Off
Caching avanzato: On
Accesso diretto al disco: Off

Scansione avviata: 23/01/2015 22:04:26
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613} rilevati: Application.AdGenie (A)
Value: HKEY_USERS\S-1-5-21-1430131261-1029319254-1685335828-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR rilevati: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS rilevati: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1430131261-1029319254-1685335828-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS rilevati: Setting.DisableRegistryTools (A)
F:\Lacie\Backup\Outlook\Outlookimap.alumni.sdabocconi.it-00000007.pst -> [Subject: Give we shall meet!][From: Gustavo Sterling] -> (body) -> (JAVASCRIPT 1) rilevati: Trojan.Script.34854 (B)
F:\Lacie\Backup\Outlook\Outlookimap.alumni.sdabocconi.it-00000007.pst -> [Subject: Give we shall meet!][From: Gustavo Sterling] -> (body) -> (JAVASCRIPT 2) rilevati: Trojan.Script.34880 (B)
F:\Lacie\Backup\Outlook\Outlookimap.alumni.sdabocconi.it-00000007.pst -> [Subject: Give we shall meet!][From: Gustavo Sterling] -> (body) -> (JAVASCRIPT-COMPILATION) rilevati: Trojan.Script.34854 (B)
F:\Lacie\Backup\Outlook\Outlookimap.alumni.sdabocconi.it-00000007.pst -> [Subject: Give we shall meet!][From: Gustavo Sterling] -> (body) -> (INFECTED_JS) rilevati: JS:Trojan.Script.FR (B)

Scansionati 289401
Rilevato 9

Fine scansione: 23/01/2015 23:53:08
Tempo scansione: 1:48:42
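The two kinds of findings in this thread, the loopback ProxyServer entries RogueKiller flagged and the DisableTaskMgr/DisableRegistryTools policy values in the Emsisoft log, can be re-checked after cleanup with a script like this. It is an added example, not code from the thread or from either tool; it assumes an elevated PowerShell session and reads only the registry paths the logs show.

```powershell
# Added example (not from the thread, RogueKiller or Emsisoft): list WinINET
# proxy settings and Task Manager / Registry Editor lockout policies in every
# loaded user hive and in HKLM, flagging what a defender would want to review.

# Every loaded user hive (HKU\<SID> and HKU\.DEFAULT), skipping *_Classes keys.
$hives = @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
$hives += 'HKLM:'

$findings = @()

foreach ($hive in $hives) {
    # 1. WinINET proxy settings (the keys the PUM.Proxy lines above refer to).
    $inet = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyServer) {
        # A proxy on 127.0.0.1 / localhost means a local process sits between the
        # browser and the Internet, which is how traffic-injecting adware works.
        $loopback = $p.ProxyServer -match '(127\.0\.0\.1|localhost|\[::1\])'
        $findings += [pscustomobject]@{
            Hive       = $hive
            Setting    = 'ProxyServer'
            Value      = $p.ProxyServer
            Enabled    = [bool]$p.ProxyEnable
            Suspicious = $loopback
        }
    }

    # 2. Policy values that disable Task Manager and the Registry Editor
    #    (Setting.DisableTaskMgr / Setting.DisableRegistryTools in the log).
    $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $s = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($s -and $s.$name) {   # present and non-zero
            $findings += [pscustomobject]@{
                Hive       = $hive
                Setting    = $name
                Value      = $s.$name
                Enabled    = $true
                Suspicious = $true   # a home PC should not have these set
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No proxy or lockout policy findings.' }
```

A ProxyServer value with Suspicious = True and Enabled = True after cleanup means the proxy hijack is still active; a loopback entry that is present but disabled is leftover configuration and can be cleared from Internet Options.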

Juliet
2015-01-24, 01:04
Click on the Quarantine Selected Objects button?

How's the computer now?

vorto
2015-01-25, 11:32
I did click on the Quarantine selected objects.
The computer is still looking good

Juliet
2015-01-25, 12:41
Good deal

DelFix

Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix)
or from here http://www.bleepingcomputer.com/download/delfix/ and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:

Activate UAC
Remove disinfection tools
Create registry backup


Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

~~~~~~~~~~~~~~


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


The following programmes come highly recommended in the security community.

AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (e.g. CryptoLocker), preventing your files from being encrypted.
Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

vorto
2015-01-26, 23:24
*I ran Delfix, it also gave me a log (see below)

*On the desktop I still have the tweaking.com_registry_backup_setup, should I keep it?

*There are some programs that I have installed in the past days while trying to remove the infection, should I remove them:
Emsisoft Anti-Malware
Tweaking.com - Registry Backup
ERUNT 1.1.j
Malwarebytes Anti-Malware

Thanks a lot!

# DelFix v10.8 - Logfile created 26/01/2015 at 22:18:27
# Updated 29/07/2014 by Xplode
# Username : User - USER-PC
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\_OTL
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\User\Desktop\Addition.txt
Deleted : C:\Users\User\Desktop\AdwCleaner.exe
Deleted : C:\Users\User\Desktop\aswmbr.exe
Deleted : C:\Users\User\Desktop\aswMBR.txt
Deleted : C:\Users\User\Desktop\Extras.Txt
Deleted : C:\Users\User\Desktop\Fixlog.txt
Deleted : C:\Users\User\Desktop\FRST.exe
Deleted : C:\Users\User\Desktop\FRST.txt
Deleted : C:\Users\User\Desktop\JRT.exe
Deleted : C:\Users\User\Desktop\JRT.txt
Deleted : C:\Users\User\Desktop\MBR.dat
Deleted : C:\Users\User\Desktop\OTL.Txt
Deleted : C:\Users\User\Desktop\OTL.exe
Deleted : C:\Users\User\Desktop\rkill.exe
Deleted : C:\Users\User\Desktop\Rkill.txt
Deleted : C:\Users\User\Desktop\RKreport_SCN_01222015_135609.log
Deleted : C:\Users\User\Desktop\RogueKiller.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

########## - EOF - ##########

Juliet
2015-01-26, 23:41
We can delete Tweaking and create a restore point, or continue to use Tweaking.com as a back up.

To create a restore point

Open System by clicking the Start button , right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. ...
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

~~
I would keep Malwarebytes Anti-Malware, update it regularly and use it as needed.

~~~
Not sure if Emsisoft Anti-Malware has an update feature to use it regularly. You can always download and use it again if needed.

~~~
ERUNT 1.1.j <-- you can delete.

vorto
2015-01-29, 22:48
Thank you very much

Juliet
2015-01-29, 22:57
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.