Unwanted windows popping up

OK, just finished the ESET scan.

C:\Users\bob\AppData\Roaming\QY JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bob\AppData\Roaming\XZQE JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe a variant of Win32/CNETInstaller.B potentially unwanted application
Operating memory a variant of Win32/AdWare.Pirrit.H application




Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/18/2014
Scan Time: 10:28:59 PM
Logfile: scanlog mwb.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.18.06
Rootkit Database: v2014.10.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: bob

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312707
Time Elapsed: 7 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



Well, well past my bed time; will look out for you tomorrow.

Thanks
 
Let's throw this scan in as well. After I see the results from this scan I'll add file deletions.

Also, please make sure your antivirus is enabled.


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.
 
Last edited:
Hi
Good morning

I have run the Malwarebytes Anti-Rootkit twice: "No Malware Found" both times.

I have checked on another computer in the house; this computer does not need to use proxies, which is probably one or all of the problems.

When you go to "Connections" on this computer all choices are grayed out; on the other computer they are clear.

Still getting unwanted windows.
 
Hi
I have just looked into the registry on this machine. Below are the entries picked up by RogueKiller.

HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

ProxyEnable REG_DWORD 0x0000001 (1)
ProxyHttp1.1 REG_DWORD 0x0000001 (1)
ProxyOverride REG_SZ <local>;*origin.com;*ea.com;*akamaihd.net
ProxyServer REG_SZ http=127.0.0.1.15498

I presume the first two lines should read 0x0000000 (1) or something similar; will look at my other computer to see what it is like.

Hope this helps.
 
Morning.

Let's try to remove the infections found by Eset first.


Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CloseProcesses:
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
Folder:
C:\Users\bob\AppData\Roaming\QY
C:\Users\bob\AppData\Roaming\XZQE
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.




~~~~~~~~~~~~~~~~~~~~~~~

From here I want you to download and scan with Hitman Pro.
After you download and install please boot into safe mode to run the scan.

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

HitmanPro

  • Please download HitmanPro.
  • Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users: right click on the HitmanPro icon and select Run as administrator.)
  • Click on the next button. You must agree with the terms of EULA.
  • Check the box beside "No, I only want to perform a one-time scan to check this computer".
  • Click on the next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
  • Click on the next button.
  • Click on the "Export scan results to XML file".
  • Save that file to your desktop and zip and attach it in your next reply.


Check proxy connections after running this fix.


IF the proxy has set itself back, also save these instructions in case they need to be reversed.

Do you feel comfortable in the registry?

Click Start > type regedit in the search field and press Enter.

Expand the HKEY_CURRENT_USER hive by clicking on the "+" sign next to it. Continue expanding "Software," "Microsoft," "Windows" and "CurrentVersion," then click on the "Internet Settings" subkey or folder.
View the contents of the Internet Settings folder on the right pane. Double-click on the "ProxyEnable" DWORD value to open the "Edit DWORD Value" window. Change "Value data" to "1" and press "OK" to confirm.
Double-click on the "ProxyServer" string value.
Reboot the machine.
Has it gone now?
 
Last edited:
Hi
OK, here are the 2 reports.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
Ran by bob at 2014-10-19 14:01:36 Run:3
Running from C:\Users\bob\Desktop
Loaded Profiles: bob (Available profiles: bob)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
Folder:
C:\Users\bob\AppData\Roaming\QY
C:\Users\bob\AppData\Roaming\XZQE
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End
*****************

Processes closed successfully.
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe => Moved successfully.
uInternet Settings,ProxyServer = http=127.0.0.1:34484 => Error: No automatic fix found for this entry.
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net => Error: No automatic fix found for this entry.

========================= Folder: ========================

Directory Not Found
C:\Users\bob\AppData\Roaming\QY => Moved successfully.
C:\Users\bob\AppData\Roaming\XZQE => Moved successfully.

========= ipconfig /flushdns =========


========= End of CMD: =========


========= netsh winsock reset all =========


========= End of CMD: =========


========= netsh int ipv4 reset =========


========= End of CMD: =========


========= netsh int ipv6 reset =========


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog ====




<?xml version="1.0"?>
<Log filesProcessed="20196" timeSpentInSecs="59" date="2014-10-19T14:14:57" version="3.7.9.225" scan="Normal" windows="6.1.1.7601.X64/2" computer="BOB-PC">

  <Item status="None" score="24.0" type="Suspicious">
    <File path="C:\Users\bob\Desktop\FRST-OlderVersion\FRST64.exe" hash="9E08075333C377229E2763BC669558FC99F9BD3AB1FE14882E581D2F74E9A5BC"/>
  </Item>
  <Item status="None" score="24.0" type="Suspicious">
    <File path="C:\Users\bob\Desktop\FRST64.exe" hash="88DAA88F206F6E230A885CD4FD6F165D3042C459C6A7AAF3EFACB11C7577EE70"/>
  </Item>
  <Item status="None" score="27.0" type="Suspicious">
    <File path="C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe" hash="0FF64DCE66D4C4412C52B933133B7ED63E195286238437AD873E1AA29DD0BF2A"/>
    <Startup>
      <Key path="HKLM\SYSTEM\CurrentControlSet\Services\Direct3dTextWin32\"/>
    </Startup>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\RST\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\SI-App\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Upt\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\WinUpd\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\RST\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\SI-App\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\Upt\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\WinUpd\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>
  </Item>
  <Item status="None" score="0.0" type="PUP">
    <File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\"/>
  </Item>
  <Item status="None" score="0.0" type="Repair">
    <File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
  </Item>
</Log>



In your regedit steps you specified to change the "Value data" to "1"; as it was already a "1", I changed it to "0" like my other computer.
The next line, "Double-click on the "ProxyServer" string value.", gave no info as to what to do, so I deleted the string value.

I did all the above in safe mode.

Checking proxy settings when the computer is run up normally, they are still reverting to "use proxy" and the page is grayed out.

A quick check on the registry sees the edits reverted back as they were. I have just edited all four, the first two to "0" and the last two to blank.
I will post this then reboot to see if the registry is still reverting back.
 
OK, so I have just rebooted. The registry entries for the proxy are all still there as before. They must have something hidden somewhere else to put it all back.
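The regedit steps above and the poster's report that the values come straight back describe the same check. This is an added example, not code from the thread or from any of the tools in it: a defender-side PowerShell audit of the WinINET proxy values, which flags the loopback pattern seen in the logs (http=127.0.0.1:<port>), optionally clears the values and re-reads them after a delay to show whether something on the machine rewrites them, and lists the registration of the service HitmanPro flagged. It assumes it runs elevated in the affected user's session; the service name is the one from the HitmanPro export, and the function names are the example's own.

```powershell
# Added example (not from the thread). Audit the per-user WinINET proxy values,
# detect the loopback-proxy hijack, and check whether a cleared value reverts.
# Assumes: run from an elevated PowerShell in the affected user's session.

$ProxyKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$SuspectServices = @('Direct3dTextWin32')   # service HitmanPro's <Startup> entry pointed at

function Get-WinInetProxy {
    # Read the values that control IE/Chrome/WinINET proxying for this user.
    $p = Get-ItemProperty -Path $ProxyKey -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable        # missing value -> 0
        ProxyServer   = [string]$p.ProxyServer
        ProxyOverride = [string]$p.ProxyOverride
        AutoConfigURL = [string]$p.AutoConfigURL   # PAC-file hijacks use this instead
    }
}

function ConvertFrom-ProxyServerString {
    # "http=127.0.0.1:34484;https=host:443" or a bare "host:port" -> one object per scheme.
    param([string]$Value)
    foreach ($entry in ($Value -split ';' | Where-Object { $_.Trim() })) {
        $scheme, $target = if ($entry -match '=') { $entry -split '=', 2 } else { 'all', $entry }
        $hostPart, $port = $target -split ':', 2
        [pscustomobject]@{ Scheme = $scheme; Host = $hostPart; Port = $port }
    }
}

function Test-WinInetProxy {
    # Return the reasons a configuration looks like the hijack in the thread.
    param([Parameter(Mandatory)]$Proxy)
    $reasons = @()
    if ($Proxy.ProxyEnable -eq 1) {
        foreach ($e in ConvertFrom-ProxyServerString $Proxy.ProxyServer) {
            if ($e.Host -in @('127.0.0.1', 'localhost', '[::1]', '::1')) {
                $reasons += "ProxyEnable=1 and $($e.Scheme) traffic is routed to loopback port $($e.Port)"
            }
        }
    }
    if ($Proxy.AutoConfigURL) { $reasons += "AutoConfigURL is set: $($Proxy.AutoConfigURL)" }
    return ,$reasons
}

function Clear-WinInetProxy {
    # Same end state the "Reset IE Proxy Settings" step aims for.
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $ProxyKey -Name $name -ErrorAction SilentlyContinue
    }
    # Running browsers cache these values; logging off and on makes WinINET re-read them.
}

function Watch-ProxyRevert {
    # Clear the values, wait, re-read. If the loopback proxy is back, a persistence
    # component (service, scheduled task, startup entry) is rewriting the key.
    param([int]$Seconds = 60)
    Clear-WinInetProxy
    Start-Sleep -Seconds $Seconds
    $after = Get-WinInetProxy
    [pscustomobject]@{
        Reverted         = ((Test-WinInetProxy $after).Count -gt 0)
        ProxyServerAfter = $after.ProxyServer
    }
}

function Get-SuspectService {
    # Report the service registration without touching it.
    foreach ($name in $SuspectServices) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { continue }
        $s = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Service   = $name
            ImagePath = $s.ImagePath
            StartType = $s.Start      # 2 = automatic start
            State     = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
        }
    }
}

# --- main: audit only by default; pass -Watch to clear the values and test for a revert ---
$proxy = Get-WinInetProxy
$proxy | Format-List
$flags = Test-WinInetProxy $proxy
if ($flags.Count) { $flags | ForEach-Object { Write-Warning $_ } } else { 'Proxy settings look clean.' }
Get-SuspectService | Format-Table -AutoSize
if ($args -contains '-Watch') { Watch-ProxyRevert -Seconds 60 | Format-List }
```

A Reverted=True result with a fresh loopback port, as the thread's logs show (15498, 34484, 30403 across runs), points at the rewriting component rather than the registry value itself as the thing to remove.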
 
Hitman found this
C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe

Is this something you downloaded?

It also found FRST as suspicious...just look over that.

Also please download Windows Repair (all in one) from here

[image: Step 4 tab]

Install the program then go to step 4 and create a new system restore point and new registry backup.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:
[image: Step 2, Do It button]




NEXT
On the Start Repairs tab => Click Start
[image: Start Repairs tab]



Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):
[image: repair items to tick]


Click on box next to the Restart System when Finished. Then click on Start.

~~~~~~~~~~~~~~~~~~~~~~~

Please download MiniToolBox http://www.bleepingcomputer.com/download/minitoolbox/
save it to your desktop and run it.

Checkmark the following check-boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 
Also, since your reading and editing won't work, let's give this a try.

Go to the Google Chrome icon, right click and open it with "Run as Administrator."
Click the 3 horizontal lines with the left button, go down to Settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Settings box as in Internet Explorer.

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click on your right mouse button and on the drop down menu, open it with "Run as Administrator."

B. When you do this, a box opens and asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.
 
Hi
Well, have run Repair and MiniToolBox.

Results:

MiniToolBox by Farbar Version: 21-07-2014
Ran by bob (administrator) on 19-10-2014 at 19:33:27
Running from "C:\Users\bob\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:30403

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Generic Marvell Yukon 88E8056 based Ethernet Controller = Local Area Connection 2 (Connected)
Intel(R) 82566DM Gigabit Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : bob-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dlink.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : dlink.com
Description . . . . . . . . . . . : Generic Marvell Yukon 88E8056 based Ethernet Controller
Physical Address. . . . . . . . . : 00-01-29-23-35-16
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c088:257:4060:5f84%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 19, 2014 7:20:15 PM
Lease Expires . . . . . . . . . . : Monday, October 20, 2014 7:20:15 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 301990185
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-72-F3-F7-00-01-29-22-D3-6E
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82566DM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-01-29-22-D3-6E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.dlink.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : dlink.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{3C5DAC5B-C32C-4CE0-AE74-B6CCD5F04F22}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2d:3477:3f57:fefa(Preferred)
Link-local IPv6 Address . . . . . : fe80::2d:3477:3f57:fefa%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.1.1

Name: google.com.dlink.com
Address: 92.242.132.16


Pinging google.com [74.125.230.103] with 32 bytes of data:
Reply from 74.125.230.103: bytes=32 time=28ms TTL=56
Reply from 74.125.230.103: bytes=32 time=27ms TTL=56

Ping statistics for 74.125.230.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 28ms, Average = 27ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com.dlink.com
Address: 92.242.132.16


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=185ms TTL=50
Reply from 206.190.36.45: bytes=32 time=180ms TTL=50

Ping statistics for 206.190.36.45:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 180ms, Maximum = 185ms, Average = 182ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
12...00 01 29 23 35 16 ......Generic Marvell Yukon 88E8056 based Ethernet Controller
10...00 01 29 22 d3 6e ......Intel(R) 82566DM Gigabit Network Connection
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.5 276
192.168.1.5 255.255.255.255 On-link 192.168.1.5 276
192.168.1.255 255.255.255.255 On-link 192.168.1.5 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.5 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.5 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:5ef5:79fd:2d:3477:3f57:fefa/128
On-link
12 276 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::2d:3477:3f57:fefa/128
On-link
12 276 fe80::c088:257:4060:5f84/128
On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
12 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


System errors:
=============
Error: (10/19/2014 07:22:52 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:22:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 07:22:15 PM) (Source: Service Control Manager) (User: )

Error: (10/19/2014 07:20:46 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:20:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 07:18:03 PM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (10/19/2014 07:00:23 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:00:16 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 06:59:46 PM) (Source: Service Control Manager) (User: )

Error: (10/19/2014 06:58:19 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053


Microsoft Office Sessions:
=========================
Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


CodeIntegrity Errors:
===================================
Date: 2014-10-17 23:03:37.584
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-10-17 23:03:37.459
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.



=========================== Installed Programs ============================
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Avira (HKLM-x32\...\{9bd9b85e-7792-483b-a318-cc51ff0877ed}) (Version: 1.1.22.50000 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.22.50000 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
Microsoft Office 2000 Disc 2 (HKLM-x32\...\{00040409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.0 - Tweaking.com)
Tweaking.com - Windows Repair (All in One) (HKLM-x32\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.9.2 - Tweaking.com)
Winmail Opener 1.6 (HKLM-x32\...\Winmail Opener) (Version: 1.6 - Eolsoft)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 4086.18 MB
Available physical RAM: 3015.2 MB
Total Pagefile: 8170.54 MB
Available Pagefile: 6757.97 MB
Total Virtual: 4095.88 MB
Available Virtual: 3980.67 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:29.72 GB) (Free:2.93 GB) NTFS
3 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS
4 Drive e: (New Volume) (Fixed) (Total:26.37 GB) (Free:24.94 GB) NTFS
5 Drive f: (New Volume) (Fixed) (Total:29.55 GB) (Free:29.43 GB) NTFS
7 Drive h: () (Fixed) (Total:298.09 GB) (Free:295.59 GB) NTFS

========================= Users: ========================================

User accounts for \\BOB-PC

Administrator bob Guest

========================= Minidump Files ==================================

No minidump file found


**** End of log ****



Have carried out the IE steps, but it is still not staying in Auto; still grayed out.

Still getting the unwanted windows.
 
Hi
Just checked the registry; there is no sign of the entries there, but the proxy address is still being put into the "use proxy" window.
 
Also, since your reading and editing won't work, let's give this a try.

Go to the Google Chrome icon, right-click and open it with "Run as Administrator."
Click the 3 horizontal lines with the left button, go down to Settings, then to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Settings box as in Internet Explorer.

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click your right mouse button and, on the drop-down menu, open it with "Run as Administrator."

B. When you do this, a box opens and asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (if you don't see one, click on the gray bar just under the dark blue Internet Explorer bar with your right mouse button and check Menu). On the Menu bar, go to Tools and then, on the drop-down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.
Try the above?

It's rather awkward that while in safe mode the settings stay as expected, but when booting into normal mode the settings are reversed back.
Like, an item in your startup list that should be removed? Antivirus disabled while changing the setting?

I'm running out of ideas, or close to it. Will ask other malware techs to step in and offer suggestions.

A couple of things we can do

The below is for a Linksys router but most follow the same instructions.
http://kb.linksys.com/Linksys/GetAr...b5cc8c0d74491e35_19584.xml&pid=80&converted=0


Connect through a Cable or DSL modem?

Turn the modem off. Wait 3 to 5 minutes and turn it back on. Wait for all lights to stop blinking and check the setting again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click and choose Run as Admin.
You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

This will produce a log. Please post this in your next reply.
 
Hi
Good morning

The first one, rkill.exe, worked fine.

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/20/2014 09:36:24 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe (PID: 1744) [UP-HEUR]
* C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe (PID: 1252) [UP-HEUR]

2 proccesses terminated!

Active Proxy Server Detected

* Proxy Disabled.
* ProxyOverride value deleted.
* ProxyServer value deleted.
* AutoConfigURL value deleted.
* Proxy settings were backed up to Registry file.

Checking Registry for malware related settings:

* No issues found in the Registry.

Backup Registry file created at:
C:\Users\bob\Desktop\rkill\rkill-10-20-2014-09-36-34.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* Reparse Point/Junctions Found (Most likely legitimate)!

* C:\Windows\AppPatch\spbin => C:\PROGRA~2\SearchProtect\SearchProtect\bin [Dir]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Program finished at: 10/20/2014 09:38:05 AM
Execution time: 0 hours(s), 1 minute(s), and 41 seconds(s)

I will run RogueKiller again; if it finds anything I will post it as well.
 
Hi
This is the new RogueKiller report.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 09:56:38

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] JAVAKeyboardNative.exe -- C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe[-] -> Killed [TermProc]
[Suspicious.Path] (SVC) MetafileODBCRoot.exe -- C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe[-] -> ERROR [41c]

¤¤¤ Registry : 23 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log - RKreport_SCN_10182014_155304.log
RKreport_SCN_10182014_194825.log

Probably the same as the original.
 
Hi

The Suspicious.Path JAVAKeyboardNative.exe C:\Users\Bob\AppData\

This is not found on the C drive; there is no AppData file/folder.

The first folder is Contacts.

Is this something to do with the HideDesktopIcons in the last three lines? Possibly not.

Could all the files found be deleted without harm?
 
Hi again
Well, I went to Services to put Windows Defender back to Auto as it was in Manual.

While I was there I looked at what else was running in Auto and Manual. Remote Desktop was in Auto so I put that to Manual. I also noted

MetafileODBCRoot.EXE was in AUTO; I changed it to Manual. I checked on my other computer and this line was not in its Services, so I was fairly confident I wouldn't muck everything up.

I went to Regedit and edited the four proxy lines that were again there. I changed the first two to "(0)"; the last two I left blank.

I rebooted the computer as there was no option to STOP the MetafileODBCRoot.EXE and it was still running in Services.

When the computer was run up, I checked the proxy settings. I was able to change the settings to Auto and it stayed that way; interesting, as they are still grayed out, but hey, at least it worked.

I have tried the normal things that cause the unwanted windows to open and as yet no unwanted windows!!!!

So can I/we delete all the MetafileODBCRoot.EXE entries or are they "needed"?
 
C:\Users\bob\AppData
Application Data folder

C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
Is this something you downloaded or was it preinstalled?
Open Database Connectivity (ODBC)

C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
Is this something you downloaded or was it preinstalled?

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please run RogueKiller again and place a check mark by these entries.


[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:39181 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Folder::
C:\SearchProtect
C:\Program Files (x86)\SearchProtect
C:\Windows\SysWOW64\SearchProtect
ClearJavaCache::

(screenshot: CFScriptB-4.gif)

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.


Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
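The proxy hijack and the AppData-resident service that RogueKiller and rkill flagged above are both things a defender can check for in a registry export without a third-party scanner. The script below is an added example, not code from this thread or from rkill, RogueKiller or ComboFix: it parses the .reg format that regedit and rkill's backup write, then reports a proxy that is enabled and pointed at the local machine, any AutoConfigURL, and any service whose binary lives under a user profile. The sample export is constructed for the example; the only real values in it are the 127.0.0.1:39181 proxy and the MetafileODBCRoot service path quoted in the logs above. On a real machine you would feed it a file produced by the standard `reg export` command instead.

```python
"""Audit a Windows .reg export for the indicators seen in this thread.

Added example (not the thread's or any tool's own code). Parses the subset of
.reg syntax used for keys, REG_SZ and REG_DWORD values, then applies three
checks: proxy enabled and pointed at the local machine, AutoConfigURL set,
and a service ImagePath under C:\\Users\\.
"""
import re
from typing import Dict, List

# Constructed sample export (hypothetical), in regedit/rkill backup syntax.
# Only the proxy address and the MetafileODBCRoot path come from the thread's logs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:39181"
"ProxyOverride"="<local>"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe]
"ImagePath"="C:\\Users\\bob\\AppData\\Local\\MetafileODBCRoot\\MetafileODBCRoot.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002
'''

RegDump = Dict[str, Dict[str, object]]

# "Name"=... or @=... ; value part captured raw and typed below
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# 127.x.x.x, localhost or [::1], optionally with a port
LOOPBACK_HOST = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[::1\])(:\d+)?$", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)


def parse_reg(text: str) -> RegDump:
    """Return {key path: {value name: value}} for REG_SZ and REG_DWORD entries."""
    keys: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        val = m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg files escape backslashes and quotes with a backslash
            keys[current][name] = re.sub(r"\\(.)", r"\1", val[1:-1])
        else:
            keys[current][name] = val  # other value types kept raw
    return keys


def proxy_findings(keys: RegDump) -> List[str]:
    """Flag Internet Settings keys whose enabled proxy points at this machine, or that set a PAC URL."""
    out: List[str] = []
    for key, vals in keys.items():
        if not key.lower().endswith("\\internet settings"):
            continue
        enabled = vals.get("ProxyEnable") == 1
        # ProxyServer is either "host:port" or "scheme=host:port;scheme=host:port"
        for entry in filter(None, str(vals.get("ProxyServer", "")).split(";")):
            host = entry.split("=", 1)[-1]
            if enabled and LOOPBACK_HOST.match(host):
                out.append(f"{key}: proxy enabled and pointed at the local machine ({entry})")
        if "AutoConfigURL" in vals:
            out.append(f"{key}: AutoConfigURL present ({vals['AutoConfigURL']})")
    return out


def service_findings(keys: RegDump) -> List[str]:
    """Flag services whose ImagePath lives under a user profile directory."""
    out: List[str] = []
    for key, vals in keys.items():
        if "\\services\\" not in key.lower():
            continue
        image = str(vals.get("ImagePath", "")).strip().strip('"')
        if USER_PROFILE.match(image):
            out.append(f"{key}: service binary under a user profile ({image})")
    return out


def audit(text: str) -> List[str]:
    """Run all checks over a .reg export and return the findings."""
    keys = parse_reg(text)
    return proxy_findings(keys) + service_findings(keys)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Run against the constructed sample it reports two findings: the loopback proxy in the user's Internet Settings and the MetafileODBCRoot service path; the Spooler entry, whose binary is under System32, is left alone. Exporting the same two hives from a live machine (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and `HKLM\SYSTEM\CurrentControlSet\Services`) and pointing the script at the files gives the same check on real data.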
 
Hi
Just to start: as I had already edited the proxy settings in the registry, this is the RogueKiller file before any of the deletions you asked for. As you see, there are only the last four that match your request.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 12:19:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 19 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetApiBufferFree : C:\Windows\system32\netutils.dll @ 0x734a13d2
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetUserGetInfo : C:\Windows\system32\SAMCLI.DLL @ 0x73561be2
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x73a21b72
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log - RKreport_SCN_10182014_155304.log
RKreport_SCN_10182014_194825.log - RKreport_SCN_10202014_095634.log

This is after the deletions requested:


RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Mode : Scan -- Date : 10/20/2014 12:36:16

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 15 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MetafileODBCRoot.exe (C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetApiBufferFree : C:\Windows\system32\netutils.dll @ 0x734a13d2
[IAT:Addr] (firefox.exe @ xul.dll) NETAPI32.dll - NetUserGetInfo : C:\Windows\system32\SAMCLI.DLL @ 0x73561be2
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\VERSION.dll @ 0x73a21b72
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\VERSION.dll @ 0x73a21b51
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\VERSION.dll @ 0x73a21a15
[IAT:Addr] (firefox.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\VERSION.dll @ 0x73a218e9

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3320820AS ATA Device +++++
--- User ---
[MBR] 5c9708733e9b452cc48320213f13fd39
[BSP] 1e9ea23df4c4414dd7ff862a4a5d7113 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk SSD U100 32GB ATA Device +++++
--- User ---
[MBR] 7a5d0d242e4d9af2c9f0abf73bf47d7f
[BSP] 6a55d54d7b50f1f1c8a0c5c3ebd99098 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 30431 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR 4K060H3 ATA Device +++++
--- User ---
[MBR] c42bf55c8aa642f79c12ce36efc311de
[BSP] 757b538851286eecb987a35b30da53b8 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 26999 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 55296000 | Size: 30257 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10182014_154241.log - RKreport_DEL_10182014_155320.log - RKreport_DEL_10182014_194914.log - RKreport_DEL_10182014_194947.log
RKreport_DEL_10182014_195013.log - RKreport_SCN_10182014_135103.log - RKreport_SCN_10182014_153708.log - RKreport_SCN_10182014_155304.log
RKreport_SCN_10182014_194825.log - RKreport_SCN_10202014_095634.log - RKreport_SCN_10202014_121900.log - RKreport_DEL_10202014_122325.log


I have to go out for a few hours but should be back before 5 o'clock my time (UK).
 